Legislate or Educate?

With all the tours, Energize IT and other travel out of the way for a few weeks, I had a chance last week to catch up on some reading. I came across a lot of articles on a new law enacted in parts of the US and being considered by some here in Canada. It is called the Payment Card Industry Data Security Standard (PCI DSS), and it was developed by the major credit card companies as a way to protect financial transactions and data. My thoughts here are not for or against this becoming law, or even about the details of it, but reading the 12 requirements got me thinking. Do we need to legislate this? Or do we need to educate IT professionals on proper security and data protection methods?

There are 12 requirements to comply with PCI DSS, and they are as follows (you can read about the requirements in detail here):

  1. Install and maintain a firewall to protect cardholder data
  2. Do not use vendor supplied default passwords
  3. Protect cardholder data
  4. Encrypt transmission of data across open, public networks
  5. Use and update anti-virus software
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data
  8. Assign a unique ID to everyone using a PC
  9. Restrict physical access to cardholder data (isn't this the same as #7?)
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and procedures
  12. Maintain a policy that addresses information security

Sounds like common sense, doesn't it? Sounds like, oh, say, a defense-in-depth approach to security, doesn't it? But is this being taught in the IT schools, colleges and university programs? I went to CDI College back in 2001 and I was not taught this. I learned a lot of it on the job, as well as through continued reading after I graduated. Speaking to a few students over the past year, when I ask what they are learning I hear a lot about products. They are learning SQL, Exchange, AD etc., but not one of them mentioned security! Products don't secure themselves, and I don't care what you are running (Windows, Linux, OSX, SQL, MySQL etc.): if the admin doesn't know security best practices and how to implement them, law or no law, the systems are not secure.

That scares me! The products are the easy part to learn, but there seems to be a lack of education on the fundamentals. Is legislation going to change this? Or should we be educating IT professionals and students so that they have the knowledge to put these practices in place? What do you think?