Security Regulations and the Public/Private Relationship

By AJ Shipley

Last week the U.S. House of Representatives passed a cyber-security bill and sent it on to the Senate. This got me thinking: what is government’s role in regulating the security requirements of our nation’s critical infrastructure?

Security's primary goal is to establish a trusted relationship and protect people, products, and services from unauthorized or malicious intent. When it comes to protecting our nation's critical infrastructure, that trust is fundamental to society operating in a mutually beneficial manner. When that trust breaks down, our society stops operating in a mutually productive way and we all suffer the consequences. The air travel restrictions immediately following the September 11th attacks and the financial crises of the 1920s and 2000s are prime examples of what happens when trust is replaced by fear.

Many believe that the market will regulate itself in the absence of any incentives one way or the other. But as a security professional, I believe that we must be proactive when it comes to protecting our nation’s critical infrastructure. Security is a balancing act between business imperatives and security imperatives, and finding the correct balance is very complex and requires deep expertise and a thorough understanding of the vulnerability landscape. Unfortunately, for many companies, security is often viewed as an additional business expense. When expenses are minimized, security suffers, and our infrastructure is put at risk.

Many would argue that government has a role to play in providing the infrastructure required to enable a free market to flourish.  But government must secure that infrastructure and ensure an adequate level of trust required to fuel the free market.  Because private enterprises, and not the government, actually build the infrastructure, the only way that government can secure the infrastructure is through regulation.

But how is a private enterprise without security expertise, whose sole objective should be to make profits, supposed to understand the costs associated with securing its products so it can make the correct business decisions? Fortunately, companies like Wind River, with deep expertise in security, understand the costs associated with securing critical infrastructure and can work with our infrastructure providers to provide the right level of security to protect their products and solutions.

In my opinion, security is not a single feature, product, process, or certification. I have spent the last several years in the security industry developing network security for public sector and enterprise customers, and I joined Wind River because, whether it is smart meters, industrial control systems, medical devices, power generators or any embedded device, Wind River is one of the few companies with the security product portfolio, security test practices, professional services organization, partnerships and security expertise required to help the private sector secure its products from cyber-attacks.

Wind River is committed to demystifying the regulatory requirements our customers are dealing with. What regulations are driving your business decisions in the area of security?

