      05-10-2021, 03:13 PM   #9
jmack


Quote:
Originally Posted by zx10guy
This crap is going to continue until there are fines and penalties (which may be as extreme as jail time) for critical industries to put money into INFOSEC. No one is talking about this. I've been harping about this for a long time both in various online forums and with my job as a technology advisor for various clients. These rules need to be similar to HIPAA, PCI, and FedRAMP.

Talking about beefing up security is not going to do a damn thing as putting money into security doesn't reflect in the balance sheets or ROI of executives. But what will is if they don't upgrade their systems to established minimum guidelines that those making decisions on implementation and budgeting get fined personally or thrown in jail. I bet you this whole thing will turn around within a few months. I don't need to go that far back to bring up a classic example of the failure of how things are being done by bringing up Equifax. The idiots in management knew they had vulnerabilities in their systems and chose not to patch their systems.
There are critical infrastructure regulations similar to HIPAA and PCI; it's called NERC CIP. But I absolutely agree that executives need to be held personally responsible for violations like this.