How to legislate cybersecurity right

Responding to an article on the Senate's renewed cybersecurity effort, reader Paul Misner wrote: [The] Senate walks a fine line here. If the bill is too weak, it will have no value as all. Too rigid, and it will result in agencies and companies being forced to implement out of date processes, hardware, software, and procedures that will increasingly become less valuable. What is needed is a strong, but balanced framework which is easy to understand, and dynamic to meet a dynamic set of adversaries. I think this type of legislation should be enforced with a carrot, rather than a stick, but providing protection from penalties for entities that follow it's guidelines, rather than punishment for those agencies who fail to make an effort to enforce.

Amber Corrin responds: That seems to be the consensus. A number of sources have warned against FISMA-like, "check-the-box" regulations that do not allow for the agility necessary to keep up with constantly evolving cyber threats. This, as well as the carrot-over-stick argument, was a top concern for Fortune 500 companies who responded to a cybersecurity questionnaire from Sen. Jay Rockefeller, as FCW reported earlier this month.