So the existence of some type of incentive program will hopefully start shifting the focus towards preventative measures, and looking at things before problems happen, instead of trying to remediate after data loss and privacy issues have occurred, Baso noted.
Under the terms of the Executive Order, critical infrastructure is defined as systems and assets, be they physical or virtual, so vital to the U.S. that the "incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."
So, the planned incentives could cover a large swath of the public and private sector, if they're implemented as outlined. The question remains, however: will they be enough to coax organizations into changing the status quo? Maybe they won't have to be.
According to a study released this week from Experian Data Breach Resolution and the Ponemon Institute, 76 percent of the 18,829 IT professionals interviewed said that guarding against cybersecurity risks ranks higher on the priority scale than natural disasters and other business disruptions.
Those same professionals also say their respective organizations are hedging their bets, as 31 percent of them claim to have cyber insurance, with another 39 percent confirming that such protection is planned in the future. Still, 30 percent said they don't have cyber insurance, and they don't plan to acquire it anytime soon.
So incentives from the White House that include cybersecurity insurance, including partnerships between insurers and the government that build better "underwriting practices" promoting the adoption of "risk-based pricing and foster a competitive cyber insurance market," as well as liability limitations that could include "reduced tort liability, limited indemnity, higher burdens of proof, or the creation of a Federal legal privilege that preempts State disclosure requirements," may help change some hearts and minds.
"I think that for most companies, it will be a business decision, and it will come down to the financial pros and cons, instead of just from a policy or a principle level [of] 'what's the right thing to do?'" Baso commented, when asked if she felt the incentives would make a difference.
The framework and incentives are far from finalized, but the White House wants to have the discussion, so that's a start.
"While these reports do not yet represent a final Administration policy, they do offer an initial examination of how the critical infrastructure community could be incentivized to adopt the Cybersecurity Framework as envisioned in the Executive Order. We will be making more information on these efforts available as the Framework and Program are completed," Daniel concluded.