Bank Cyber Regulations Create ‘Necessary’ Compliance

From: Wall Street Journal

Panelists at cybersecurity conference disagree about whether regulations set a baseline or provide an excuse for failure.

By Michael Hickins

NEW YORK – While cybersecurity regulations from numerous agencies place “a significant burden on resources,” they nevertheless create the foundation for good cybersecurity practices, said Jerry Archer, chief security officer at Sallie Mae Inc., during a cybersecurity conference at the Hilton Hotel in New York Wednesday. Mr. Archer said his bank undergoes 61 IT-related audits every year. Calling himself a cynic when it comes to government regulation, Mr. Archer nevertheless argued that “regulation builds the muscle for security. It’s not best practice, but it’s necessary practice.”

Federal government agency regulations run the gamut from data privacy and breach prevention to anti-money laundering provisions, and are intended to ensure that banks and other financial institutions can’t be used by criminals to commit identity theft, or for zealots to fund terrorist activities, among other things.

Critics, however, argue that regulations don’t accomplish much beyond ensuring that companies comply with a given set of rules. John Prisco, president and CEO of cybersecurity software vendor Triumfant Inc., said he disagreed with Mr. Archer’s premise that regulations help set a minimum standard. He noted that companies constantly suffer from cyber breaches despite spending more money on software foisted on them by regulations. “Boards of directors aren’t taking it seriously, but they sure are compliant,” he said.

The on-stage argument reflects a fundamental disagreement between proponents of regulation – including supporters of President Obama’s executive order establishing voluntary information-sharing guidelines for industries in critical infrastructure – who argue that regulations create a minimum standard, and those who believe regulations don’t accomplish much beyond getting organizations to comply to the letter of the regulations without getting to the bottom of the underlying problem.

Mr. Prisco said regulations merely skim the surface, whereas, “you have to knit information security into the fabric of a company, and that’s not being done very well yet.”

Mr. Archer responded that companies in the financial sector continue to suffer breaches because they’re trying to defend networks built piecemeal over four decades. “It’s an extraordinarily complex problem to solve,” he said. “There isn’t a board in the U.S. that doesn’t take [cybersecurity] seriously,” he said. He later added that “compliance isn’t the worst threat by far.”

Another panelist, Howard Bruck, chief information officer at Hudson Valley Bank, a subsidiary of Hudson Valley Holding Corp., jumped to Mr. Archer’s defense. He said regulations are working, and that regulations have “forced the board” to acknowledge the importance of the issue and get themselves more involved in cybersecurity.
