As just about everyone who reads the news knows, Google announced on Tuesday, January 24, 2012 that, starting March 1, 2012, it would merge the data it collects from individual users across all of its properties. In short, Google will build a grand database of all user activity and behavior so that it can better anticipate and direct what individual users do in order to serve their needs. The question few are asking, though, is what the impact will be on businesses. That's where things get really complicated.
Last week, I presented an argument for why the new SEC cybersecurity disclosure guidance is really a big deal for the information security community. If my prediction is right, publicly traded companies in the U.S. will start facing auditor requests for more cybersecurity information by late next year. Companies need to start preparing for those requests now to prevent potential negative shareholder action in the future.
On October 13, 2011, the SEC released new cybersecurity disclosure guidance that could have a major impact on public companies in 2012. I've been taking a good hard look at the new rules so that I can better describe what the actual impact will be.
Rarely have I seen something so game-changing come out in the information security domain. Usually, when the U.S. Government publishes a new policy, piece of legislation, or mandate, it gets equated with a compliance checklist, and organizations end up spending more money on auditors who check that they have done everything they were told to do than on actually protecting business processes (FISMA and SOX come to mind). This guidance, by contrast, strikes me as more like HSPD-12: something substantial that aims to revolutionize the perception of what's "good enough" in security controls.