For Security, Compliance Is Not Enough

The White House is developing an executive order to set some basic security compliance standards for government contractors. The Administration move comes after legislative security standards were blocked in Congress.

Unfortunately, say many security experts, the new executive mandate may be so watered down as to provide only the illusion of security. The same pressure from lobbyists that stymied congressional action has led the administration to back off from imposing tougher standards.

For example, the draft rules require "prompt" implementation of software security patches, along with "current and regularly updated" protections against malware. Unfortunately, these firm-sounding terms are left undefined, which means that for practical purposes they are not mandates, or even specific guidance, but merely an expression of pious hopes.

This vagueness led one security expert, Alan Paller of the SANS Institute, to describe the proposed standards as "worse than useless." He went on to note that they would lead organizations into an illusion of security. Such illusions are particularly dangerous in the emerging era of cyberwarfare, added Paller, pointing to remarks by Jonathan Evans, the head of Britain's MI5 security agency.

We are long past the days when the threat came from teenage hackers. Politicized "hacktivists" are highly sophisticated, and so are international organized crime rings. But even beyond these threats, malware is now being developed and deployed by the covert intelligence agencies of major powers, apparently including Western powers. The Stuxnet worm is only the most spectacular example of such new-generation cyberweapons.

The regulatory illusion of security is particularly insidious because it can feed into the C-suite's temptation to assume that minimal compliance is "good enough."

At GRT Corporation we believe that only real security is "good enough." No security measure is absolute, but real security comes from implementing multiple layers of defense, along with policies that ensure that those defenses are kept up to date and active.

Don't settle for illusions of security. Insist on the real thing.

The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: "Security is not a product, but a process."