There is opposition to the bill from both sides. On one side are those who support regulation but want stronger privacy protections. The Electronic Frontier Foundation, for example, recently wrote in a statement that the legislation “uses dangerously vague language to define ‘cybersecurity threat indicators' (information that companies can share with the government), leaving the door open to abuse (intentional or accidental) in which companies share protected user information with the government without a judge ever getting involved.”
On the other side are opponents of any additional regulation. For example, Sen. John McCain (R-AZ), speaking at a recent Homeland Security and Government Affairs Committee hearing on the legislation, said, “The regulations that would be created under this new authority would stymie job creation, blur the definition of private property rights, and divert resources from actual cybersecurity to compliance with government mandates.” McCain has sponsored alternative legislation, the Secure IT Act, which would rely more on incentives than mandates to get businesses to act, but that bill does not appear to have as much support as the Cybersecurity Act.
The Carnegie Mellon study offers 12 main recommendations for improving security governance. One is to establish a standalone risk committee responsible for enterprise risks including IT. Another is to ensure that privacy and security roles in organizations are separated, with appropriately assigned responsibilities. The report also recommends that privacy, IT, and security executives report independently to senior management.
An additional recommendation is to form cross-organizational teams that meet at least monthly to coordinate and communicate on privacy and security issues. Such teams should include senior managers from human resources, public relations, and legal, as well as senior managers from the IT, privacy, security, and finance divisions.