I’ve posted my thoughts in-depth on whether or not regs are useful. My conclusion is that we need regs, but different ones. No idea the right solution here, but I’d sure love a chance to be involved in coming up with one.
http://www.secureconsulting.net/2009/01/have_regulations_made_ecommerc.html

I do like your point about the lack of alignment driving innovation…but as you said, where’s the innovation, what’s missing in the picture to bring innovation to infosec?

Security is not understood broadly enough for people to expect improvements. Microsoft is the perfect case study for this principle. Consumers are forced into making bad decisions, and then they suffer the consequences. You don’t see MS getting fined every time someone gets compromised, right? As such, there is no alignment, and I have no idea how you fix that problem. Something needs to change with liability laws or something like that.

As for your contention that alignment is contrary to human nature, etc, that’s only partly true. The lack of alignment /should/ drive innovation to achieve alignment. Once alignment is achieved then new problems will arise causing a new disconnect and driving new innovation to achieve new alignment. And so on. Unfortunately, we seem to be failing in the “new innovation” department these days, and are subsequently losing the battle.

There are several good open source platforms for evaluating security weaknesses and scoring them (NVD, CVE, CVSS, CWE, etc)…while they might not work 100% for each industry, as long as the determination of H/M/L for severity, risk, and probability are based on real measurements vs. arbitrary opinion, then findings from disparate calculations can still be compared. I think the problem is that too many companies have yet to implement this sort of tracking and scoring.

To me this issue boils down to motivation, for vendors and service providers to provide more secure solutions. In our world this ‘must’ come from the consumers demanding this and letting competition drive innovation.

What we really need to do is build effective education of the users of these services regarding what to expect from providers in terms of security. Second to create a single platform to evaluate how secure things are, and then thirdly to objectively judge and publish the results independently.

I don’t want to sound too much like I’m generalizing because I’m sure there are a handful of companies out there who’s efforts to offer secure products far exceed the requirements set forth by any regulations, but the vast majority will only entertain security considerations which help meet the bare minimum standard.

The security utopia approach certainly sounds appealing…but would require the leadership of a senior executive to ensure that security be paramount on every employee’s mind. There would have to be significant investments in recruiting the right people, building the right security outreach and training programs, and the right technology. For smaller companies (read as non-public) the utopia approach is a real possibility, but when your company is publicly traded, the shareholders/board of directors might not share the same opinion.

That being said, I’m sure that as time goes on and security breeches of critical applications become more rampant and mainstream, we’ll see a change in the focus…but will it be too late at that point?

Two things come to mind here initially. The first is my instant bristling at the thought of more regulation. Companies need more ‘motivation’ to steward the public’s safety to be sure, however steeped in the stew that is our current regulatory world I fear ever growing complexity, confusion, and morass. Think “Tax Code”. More checkboxes would probably reduce the public’s mean risk but would it be at a reasonable cost?

My second thought is a more Utopian hope. What if one of these monolithic security providers actually decided to make the investment over time to create . . . let’s call it a structure or platform or philosophy that truly, truly held the public, the consumer, and the user’s safety and confidence paramount. Imagine a top-down philosophy with rigorous standards and policies. Imagine a comprehensive set of tools, the finest security minds and a stalwart attitude where the current checkmarks wouldn’t even qualify as a baseline. Imagine an organization with the long vision to forgo the short term difficulties. A security Utopia. Now imagine that company three, five, ten years out, after countless breaches, personal data compromises in the millions, etc. and every one of those news stories had lines like, “Most of the major financial sites seemed to have been impacted except for those guarded by UtopiaXYZ Systems.” There’s your incentive, but it would take a long term vision and fortitude that ain’t likely.

. . .initial thoughts.