Back when I testified with the L0pht to the Senate in 1998, we suggested the government use incentives as a way to get businesses to improve their security. The Senate was Republican controlled at the time, and even we political newbies knew that regulation was going to be a non-starter. We also proposed that the government use its purchasing power to require the vendors it buys from to have good security.

Today, the Obama administration is proposing lower taxes, liability protection, and insurance discounts to help improve security. Insurance discounts are an interesting addition to the mix. We are all familiar with safe driver and alarm system discounts for cars. The same could be applied to businesses. The safe driver is akin to having properly trained people and following the correct security policies. Alarm systems are much like having the correct security technology installed and functioning properly. Cybersecurity for an organization is much more complex than a driver in a car, and car insurance is mandated in most states while cyber insurance is not, but insurance discounts could still be a good incentive.

I would like to see the topic of using the government's buying power to incent vendors to build security into the software development process raised to the level of the tax, insurance, and liability incentives. There could even be a tie-in with the insurance incentives. Many people don't know that Underwriters Laboratories (UL) was founded by insurance companies. The companies wanted to incent their customers with lower fire insurance rates if they installed fire safety equipment such as sprinkler systems, fire extinguishers, and fire doors. But what if customers gamed the system and bought substandard fire doors that didn't really work? So UL was created to rate fire doors, so that the insurance company knew the equipment would actually help protect the buildings it was insuring. Only UL-listed products earned the discount.

As with the car insurance to cyber insurance analogy, a cyber UL would have limitations compared to the UL we know today, but the basic concept is there. Products that meet certain security standards are acceptable to purchase and would garner the insurance discount.

About Chris Wysopal

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.

Comments (1)

ds | July 25, 2013 7:47 am

This won't end well. First, it applies to a very narrow (albeit important) collection of industries and only if they agree to abide by a government standard. As usual, expect that standard to be so watered down once it gets approved that it is meaningless or unenforceable. Second, you already get an insurance "discount" for good security practices as each policy is individually underwritten. Your quality as a risk is taken into consideration. What the government is proposing is probably a subsidy to help you pay the cost. But in reality, cyber insurance is already very inexpensive.
