U.S. President Barack Obama’s call for a nationwide data breach notification law has won strong support from members of one cybersecurity-focused organization.
More than three quarters of ISACA members surveyed by the cybersecurity training and benchmarking organization said they agreed or strongly agreed with Obama’s proposal to require breached organizations to notify affected customers within 30 days. Only about 8 percent of the 3,400 respondents said they disagreed or strongly disagreed. Most of ISACA’s 115,000 members are IT professionals.
Asked what the biggest challenge companies would face in complying with a breach notification law, 55 percent of those surveyed said it would be a concern over corporate reputation. Other 15 percent said the biggest challenge would be systems not designed for data breach reporting, and 13 percent said increased costs.
More data breach reporting will lead to companies taking new steps to protect their data, said Robert Stroud, international president of ISACA and vice president of strategy and innovation at CA Technologies. A new law will make cybersecurity “an agenda item” among company leaders, he said. “There are some organizations potentially not giving this the level of diligence they should.”
Obama is expected to call for a breach notification law during his State of the Union speech Tuesday evening. More than 45 states have their own breach notification laws, but there’s no national standard. U.S. lawmakers have been trying to pass a national law for about a decade without success.
Obama is also expected to propose new ways to allow organizations to share cyberthreat information with each other and with government agencies, with protection from lawsuits. While some cyberthreat sharing proposals have raised concerns among privacy advocates, the U.S. needs to find ways to allow companies and government agencies to alert each other of attacks, Stroud said.
A threat information-sharing bill would be a “great initiative,” Stroud said. “If Washington acts, we hope they take a clear and straight-forward approach, working in close coordination with industry.”
The ISACA survey, completed last week, also asked respondents whether they expect a cyberattack to strike their organizations in 2015. Only 46 percent said they expect a cyberattack, while 24 percent said they were unsure.
Respondents may have read the question to mean a major cyberattack, not more common probing of their networks for weaknesses, Stroud said. “At many organizations, probably every day, there is an attempt” to gain entry into a company’s system, he said.
Thirty-eight percent of respondents said their organization is prepared for a sophisticated cyberattack, while 34 percent said they were unsure. Eighty-three percent said they believe cyberattacks are among the three biggest threats facing organizations.
Asked if there is a shortage of skilled cybersecurity workers, 86 percent agreed. Thirty-four percent said they plan to hire more cybersecurity workers in 2015 but expect the search to be difficult. Only 3 percent plan to hire and expect it to be easy to find skilled candidates.
And 54 percent said they find it difficult to identify which new college graduates have adequate skills and knowledge.