Crafting Responses to the Senate Request to Share Cybersecurity Plans





U.S. Senator Jay Rockefeller asked Fortune 500 CEOs to outline their firms' cybersecurity game plans. While we advocate that firms respond, they should take a balanced and reasoned approach to sharing cybersecurity measures.

News Analysis


On 19 September 2012, Jay Rockefeller, a U.S. senator from West Virginia, sent a letter to Fortune 500 CEOs requesting that they detail how they implement cybersecurity measures at their respective firms. Senator Rockefeller requested a response by 19 October 2012.


While CEOs are not legally obligated to respond, we believe companies should respectfully comply with congressional requests. While the government can establish a better context for security information sharing and regulation, organizations must recognize the risks and benefits. Government can establish guidelines in a reasoned manner, instead of acting rashly after a cyberattack.

Listed below are eight questions posed by Senator Rockefeller and our notes and suggested responses:

  1. Has your company adopted a set of best practices to address its own cybersecurity needs? Response: Yes.

  2. If so, how were these cybersecurity practices developed? Response: Via a strong risk-oriented governance process in which senior managers identified high-value assets and at-risk business processes, and then determined security policies to provide protection.

  3. Were they developed by the company solely, or were they developed outside the company? If developed outside the company, please list the institution, association, or entity that developed them. Note: Mention Gartner resources, if appropriate.

  4. (a) When were these cybersecurity practices developed? (b) How frequently have they been updated? (c) Does your company's board of directors or audit committee keep abreast of developments regarding the development and implementation of these practices? Response: (a) We have developed practices over time. (b) They are under continuous review by our risk governance structure, technology professionals and directors. (c) Yes.

  5. Has the federal government played any role, whether advisory or otherwise, in the development of these cybersecurity practices? Note: If you are in a regulated industry, indicate how regulations influence how you formulate cybersecurity foundations of risk management, security governance and architectures.

  6. What are your concerns, if any, with a voluntary program that enables the federal government and the private sector to develop, in coordination, the best cybersecurity practices for companies to adopt as they so choose, as outlined in the Cybersecurity Act of 2012? Note: While the government has a role to play in security information sharing, Gartner believes industries should work with government to ensure a balance between improvements in national security (with minimal harm to privacy and liberty), and minimal impact on the industry and taxpayer.

  7. What are your concerns, if any, with the federal government conducting risk assessments, in coordination with the private sector, to best understand where our nation's cyber vulnerabilities are, as outlined in the Cybersecurity Act of 2012? Note: The same note for Question 6 applies here as well.

  8. What are your concerns, if any, with the federal government determining, in coordination with the private sector, the country's most critical cyber infrastructure, as outlined in the Cybersecurity Act of 2012? Response: Government efforts have not clearly defined critical infrastructure.


Chief information security officers:

  • Proactively request approval from your CEO to provide input on any planned response to Senator Rockefeller's letter.

  • Work actively with government regulators to develop reasonable security guidelines.


© 2012 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.
