Can you outline some of the CSIA's early goals?

Four areas we're going to address are policy, education, awareness and standards -- not standards creation, but standards processes, as they relate to cybersecurity. Some areas of interest on the policy side are information sharing, working closely with the Department of Homeland Security as it relates to vulnerability disclosure [and] early warning. On the standards side, for example, [that means] looking at the NIAC process. On the awareness side, it's looking at the National Cybersecurity Alliance. Education-wise, [that means] establishing alliances with those universities that are in the business of cybersecurity. Those are hard and fast initiatives, and we're not quite there yet. I hope within the next 30 days we can come up with a more concrete agenda of what we [want].

Do you find more C-level executives paying attention to information security?

I think there is a greater understanding of the issue, but we have a long way to go on the issue of awareness. I think the industry can do a better job of explaining that and helping people understand the risks associated with not taking adequate measures to protect [data] -- that and, frankly, understanding the return on investment that security brings.

So far, the CSIA is made up entirely of vendors. How soon will it include CISOs, CIOs and other enterprise decision makers?

One of the issues we've talked about is governance and getting these issues to the top levels. I think having membership at the CEO level here is very important. It gives us that senior-most input on strategic direction. The chief security officers have a very good sense of where to go, but they don't necessarily always have the strategic vision. I'm betting the member CEOs will turn to their CSOs and other appropriate staff to help us with what we do. The membership is basically at the most senior level, but that doesn't mean the work isn't going to be done by the rest of the organization.

That isn't easily quantified. It is difficult to quantify. But some of our firms have done a lot in the ROI area. I think we need to see how we can leverage that work.
There's been an important development. In the Homeland Security Act of 2002, there is what is called the Critical Infrastructure Information Act. It provides protection for voluntarily supplied information to the federal government. For example, if I have a vulnerability at a power facility or a chemical facility, and I want to tell the government about it, we can work on protection. One of the things we need to look into fairly swiftly is how the CII Act is applied to cybersecurity. So, if your firm is hacked, how do I supply this information to the Department of Homeland Security so that we can understand more about those vulnerabilities with the intention of taking corrective action? The CSIA, as a member of the cybersecurity industry, can help navigate those waters.
One of the problems I see is that we don't have a single entity within the federal government that is responsible for maintaining statistics, incidents and, more importantly, the cost of those incidents (denial of service, identity theft, sites being taken down). We see many estimates, and we know it costs millions of dollars to the industry. We're not there with a quantifier yet, and it would be nice to have someone in the federal government be responsible for those issues.