I had the opportunity yesterday to visit and speak at the ISC2 Security Congress 2012 in Philadelphia, co-located with the ASIS International Conference. Since this was only the 2nd ISC2 Congress, and my first visit to it, I thought that I'd post a few quick notes.
It's an election year, so it only seems right to put forward my own ideas on how to improve our world. ;) Actually, rather than talking about theoretical ideas, I thought it would be nice to put those ideas into specific suggestions. In this case, two of them would be legislative actions, while the third would require card brands to revise their contractual agreements from top to bottom.
Incidentally, the underlying theory is this: rather than mandating specific detailed practices (as the now-dead Cybersecurity Act of 2012 threatened to do, and as Pres. Obama has threatened to enact via executive order), I think instead it makes sense to allow the market to optimize for revised performance and/or behavior requirements. The reason I prefer this approach is because we're still in a rapidly changing and transitional period in time. Until this round of technological growth and evolution slows down and stabilizes, it's short-sighted and irresponsible to codify too many specific actions or behaviors (e.g., imagine trying to codify each of Microsoft's server security guides as law... by the time you get it ratified, it's likely obsoleted by a new OS release, not to mention that it would inevitably stifle innovation). Thus, you change the overall business environment dynamics and let the market sort itself out. Or so the theory goes.
