In-Depth

Security Companies to Congress: Listen Up

Vendors form Cyber Security Industry Alliance to coordinate Washington, boardroom approaches to security

• By Mathew Schwartz
• 05/19/2004

Help could be on the way. Twelve security companies, normally competitors, teamed up earlier this year to launch the non-profit Cyber Security Industry Alliance (CSIA). Each organization’s CEO is participating. Currently, vendor members include Bindview, Citadel Security Software, Check Point Software Technologies, Computer Associates, Entrust, Internet Security Systems, Netscreen, Network Associates, PGP, Qualys, RSA Security, Secure Computing, and Symantec.

The CSIA (http://www.csialliance.org/) says it will improve cyber-security by discussing information security issues with Congress. Beyond that, expect public policy initiatives, public-sector partnerships, corporate outreach, academic programs, alignment behind emerging industry technology standards, and public education.

The organization's first target: boardroom-level understanding of The Sarbanes-Oxley Act of 2002, part of senior management’s responsibility to ensure their company’s information security health. Security Strategies spoke with Paul Kurtz, executive director of CSIA, and Steve Solomon, chairman and CEO of Citadel.

What’s the concept behind the cyber security industry alliance?

Paul Kurtz: For years, business leaders have been talking around the concept of a cyber-security alliance, but meanwhile [it didn’t happen] … and it’s costing our global economy billions. Our networks are still in large part wide open, we’re still hemorrhaging money, data, [and] intellectual property. [For example] identity theft is a $53 billion a year problem [for businesses and consumers], according to the FTC. So the Cyber Security Industry Alliance was created by the leaders of the security industry, represented at the CEO level … and is the only [such] organization dedicated to cyber-security [at the executive level].

What benefits does CSIA imbue upon companies such as yours? How will it improve information security?

We bridged a gap between the policy community and the industry. What does that mean? First of all, as the executive director, I’m working hand in hand with 13 CEOs who are personally committed to changing the cyber-security arena. I just left the White House after being there for four years, and I have a person who’s with me who’s [got a similar policy background]… At the end of the day, what we have is an aggressive agenda, which is focused on capitalizing on much of the great work that has already been done today.

Steve Solomon: With all of these new mandates and corporate regulations coming, it’s really hard for people to understand what they’re doing, and how to [prepare their information security strategy]. Congressman [Representative] Tom Davis (R-Va.), who’s chair of the Government Reform Subcommittee on Technology and Procurement Policy, [recently] said we know there will be an attack that can bring down our systems, and if you think it’s [been] bad [before], we know how bad it can be with a cyber-attack.

So the industry needs to present customers with more cohesive ways of securing the enterprise?

It’s not about building a moat, it’s about mandates, and bringing together the best technologies to get the processes done. Look at infrastructure as a base for security today. … By bringing the [CSIA] committee together, it’s more to educate congressional committees and corporate clients.

Today you just don’t know what you don’t know… [and many legislators] don’t understand the processes within the IT community.

Will the CSIA work to improve the legislation affecting information security?

Kurtz: We believe we can qualitatively change the security environment by acting through policy, standards, and awareness. We don’t have any immediate legislative initiatives right in front of us. On April 12, the National Security Cyber Security Summit published a call to action on information security and the corporate governance world—[asking peers] what are we doing at the CEO- and board-level to tackle information security?

[Now] we’re working on two things—a pledge … to pull together from CEOs a pledge they’re going to make cyber-security a corporate governance issue.

[Second] is Sarbanes-Oxley. We’ve had regulations passed but … there’s confusion in some businesses as to what corporations need to do to comply with … Section 404 of Sarbanes-Oxley. CSIA is going to put together guidelines to clarify for organizations what they need to do to comply with Sarbanes-Oxley.

What sorts of Sarbanes-Oxley-related questions should the board be asking?

Solomon: Corporate governance is about disclosure and governance, so if you think of a potential cyber-attack to compromise my network, how [out in the open] is that information? [Yet] the board level [doesn’t] understand this as much. People are really trying to understand [but don’t yet]. If you ask an accounting firm [about] their practice, they’re probably booked up for the next three years just doing Sarbanes-Oxley education.

So … what can we do to prevent attacks, and from getting sued? So how do they better protect themselves?

Will CSIA grow to encompass companies from other countries, given the global threat—and reach—of information security attacks?

One of the things I wanted to state about the CSIA is we’re focused on public policy and events here in Washington, but we want to be a public policy organization. We’re just two months old. In time, we welcome the participation of cyber-security firms based overseas, and, of course, we want to act to [improve worldwide] information security.

Are there any models for that today?

Today, there’s the TransAtlantic Business Dialog, and … I know the European Union is forming a new cyber-security agency whose mandates are being clarified. One of the things we will certainly want to do is work with those in Europe who are focused on the same issues as us, because at the end of the day, while we recognize we take steps here, we have a global information grid, and we have attacks that emanate from and [also threaten people] overseas.

What motivates competitors to join a group such as this?

It’s an industry [of] peers, but at the same time you’re competing against each other, [so] how do you bring peers together? You have to look not only at information security but also national security. The point is, we have to change what’s happening. It’s not just a national crisis, it’s a world crisis. How do you bring it forward? By educating the market as one, united voice. Also … it helps us understand, how do we make our software better?

What are some near-term results we should expect from the CSIA?

Working with government agencies to explain [information security]. When mandates are driven by the congressional side, sometimes the pendulum will swing. For example, in the government, there’s FISMA, the Federal Information Security Management Act, and when … Congressman Davis [who helped pass the act] spoke [to practitioners at a recent government conference], he said, "Understand, we will hold you to the highest level of security. Understand, if you fail, you will have the wrath of God come onto you. You’ll have editors coming after you, you’re on public record."

So you’re helping drive government understanding and better-focused legislation?

If you look at legislation, sometimes people don’t like it—sometimes legislation is good, sometimes it’s bad. But one time it was good was seatbelt laws. What did seatbelt laws do in the U.S.? [They] reduced fatalities, [they] reduced insurance costs. Well, if you look at security measures on your computer and the infrastructure, if you look at how exposed we are today, it’s incredible. We wanted more productivity—well, we opened [things way up].

Today, people need to look at security differently—proactive instead of reactive, establish your baseline first, and understand as we get better with systems, the physical security is not as important as the cyber-security. You’re no longer building a moat around the building, because I could be sitting at a cyber-café in the United States or the Far East or the Middle East, and put an attack on that could be far more devastating than any type of a physical attack. So … we can’t forget we have to be alert at all times.