Seeing No Evil: Is It Time To Regulate the ISP Industry?
For Schmidt, there is another way. He suggests that government facilitate change simply by wielding its own purchasing power. If, for instance, government agencies offered ISPs a 10 percent premium to provide reliable security services across the board, Schmidt believes the agencies could get ISPs to comply in exchange for the extra cash. This change, in turn, could have a trickle-down effect that improves the situation for business customers and CIOs alike.
"With the government being a large purchaser of IT services, they have the ability to say, ‘Here’s what I’m willing to pay for,’ and actually pay for it," Schmidt says. "Having controls built in as part of government projects gives you the side benefit of making it happen for private companies."
In the meantime, the SANS Institute, a private security education organization, is planning to evaluate ISPs on the way they handle security and release an ISP Security Report Card this month. Alan Paller, director of research for SANS, says this card will outline the steps CIOs can take to seek a greater level of security from their ISPs. (For more on this, see "ISP Essentials," this page.) In addition, Jennings, the Ferris Research analyst, says CIOs should combine whatever basic protections their ISPs offer with a customized security infrastructure comprising hardware and software for a multilayered approach that incorporates two or three antivirus engines (at the perimeter and on the desktop machines), a firewall, intrusion prevention software and any other functions that specifically suit an organization’s needs.
One area in which Paller says CIOs can advocate for better security from ISPs is through their service-level agreements, or SLAs. Traditionally, these performance contracts with ISPs have loosely covered issues such as uptime and maintenance or support. However, Paller suggests that CIOs should consider at least trying to get their ISPs to agree to incorporate security metrics, such as virus scanning, DDoS monitoring and incident reporting, as well.
SLA clauses, however, are no panacea. Bob Paarlberg, CIO at Royster-Clark, an agri-business company, says that putting security into an SLA will do nothing but lull CIOs into complacency—not exactly a state that engenders secure networks. "Our SLA is that we don’t sign a long-term agreement," Paarlberg quips. "If you do a good job for us this month, you earn the business from us next month. That’s it."
Ultimately, Paarlberg contends, the best way to get ISPs to tackle security is to force them to bake in additional security by law. Just look at what happened in the airline industry. Years ago, scanning passengers for security threats was the responsibility of individual airports. The result, of course, changed our nation forever: Terrorists took advantage of the weak points in the system and successfully orchestrated the attacks of Sept. 11, 2001. In the aftermath, the federal government created the Transportation Security Administration to set policy for securing air travel nationwide. Today, whether you’re traveling from Baltimore, Md., or Billings, Mont., you and everyone else on your flight are screened the same way, and by and large, the system is a lot safer than it was before.