Four areas we're going to address are policy, education, awareness and standards -- not standards creation, but standards processes, as they relate to cybersecurity. Some areas of interest on the policy side are information sharing, working closely with the Department of Homeland Security as it relates to vulnerability disclosure [and] early warning. On the standards side, for example, [that means] looking at the NIAC process. On the awareness side, it's looking at the National Cybersecurity Alliance. Education-wise, [that means] establishing alliances with those universities that are in the business of cybersecurity. Those are hard and fast initiatives, and we're not quite there yet. I hope within the next 30 days we can come up with a more concrete agenda of what we [want].

Do you find more C-level executives paying attention to information security?
I think there is a greater understanding of the issue, but we have a long way to go on the issue of awareness. I think the industry can do a better job of explaining that and helping people understand the risks associated with not taking adequate measures to protect [data] -- that and, frankly, understanding the return on investment that security brings.

So far, the CSIA is made up entirely of vendors. How soon will it include CISOs, CIOs and other enterprise decision makers?
One of the issues we've talked about is governance and
It is difficult to quantify. But some of our firms have done a lot in the ROI area. I think we need to see how we can leverage that work.
FOR MORE INFORMATION: SearchSecurity.com's coverage of RSA Conference 2004.
Other groups like yours have struggled while trying to break down barriers that impede information sharing between the public and private sectors. Enterprises, for example, are often unwilling to share information because they fear damage to corporate reputation. How do you ease those concerns?

There's been an important development. In the Homeland Security Act of 2002, there is what is called the Critical Infrastructure Information Act. It provides protection for voluntarily supplied information to the federal government. For example, if I have a vulnerability at a power facility or a chemical facility, and I want to tell the government about it, we can work on protection. One of the things we need to look into fairly swiftly is how the CII Act is applied to cybersecurity. So, if your firm is hacked, how do I supply this information to the Department of Homeland Security so that we can understand more about those vulnerabilities with the intention of taking corrective action? The CSIA, as a member of the cybersecurity industry, can help navigate those waters.
One of the problems I see is that we don't have a single entity within the federal government that is responsible for maintaining statistics, incidents and, more importantly, the cost of those incidents (denial of service, identity theft, sites being taken down). We see many estimates, and we know it costs millions of dollars to the industry. We're not there with a quantifier yet, and it would be nice to have someone in the federal government be responsible for those issues.