News Stay informed about the latest enterprise technology news and product updates.

RSA: Heavyweight CEOs align on security

SAN FRANCISCO -- A dozen security hardware, software and services vendors announced their union Wednesday at RSA Conference. The Cyber Security Industry Alliance (CSIA) is a formidable conglomerate of the CEOs of 12 security heavyweights, including Symantec Corp., Check Point Software Technologies Inc., RSA Security Inc., BindView Corp. and Network Associates Inc. It's headed by Paul Kurtz, who previously served as the White House's senior director for national security in the Office of Cyberspace Security. In this interview with, Kurtz, the CSIA's executive director, described the group's lofty and familiar goals. Namely, he intends to foster more public-private information sharing, improve corporate governance of information security, and improve federal procurement practices and guidelines.

Can you outline some of the CSIA's early goals? Four areas we're going to address are policy, education, awareness...

and standards -- not standards creation, but standards processes, as they relate to cybersecurity. Some areas of interest on the policy side are information sharing, working closely with the Department of Homeland Security as it relates to vulnerability disclosure [and] early warning. On the standards side, for example, [that means] looking at the NIAC process. On the awareness side, it's looking at the National Cybersecurity Alliance. Education-wise, [that means] establishing alliances with those universities that are in the business of cybersecurity. Those are hard and fast initiatives, and we're not quite there yet. I hope within the next 30 days we can come up with a more concrete agenda of what we [want]. Do you find more C-level executives paying attention to information security? I think there is a greater understanding of the issue, but we have a long way to go on the issue of awareness. I think the industry can do a better job of explaining that and helping people understand the risks associated with not taking adequate measures to protect [data] -- that and, frankly, understanding the return on investment that security brings. So far, the CSIA is made up entirely of vendors. How soon will it include CISOs, CIOs and other enterprise decision makers? One of the issues we've talked about is governance and getting these issues to the top levels. I think having membership at the CEO level here is very important. It gives us that senior-most input on strategic direction. The chief security officers have a very good sense of where to go, but they don't necessarily always have the strategic vision. I'm betting the member CEOs will turn to their CSOs and other appropriate staff to help us with what we do. The membership is basically at the most senior level, but that doesn't mean the work isn't going to be done by the rest of the organization. That isn't easily quantified. It is difficult to quantify. But some of our firms have done a lot in the ROI area. I think we need to see how we can leverage that work.


Click here for's coverage of RSA Conference 2004.

Other groups like yours have struggled while trying to break down barriers that impede information sharing between the public and private sectors. Enterprises, for example, are often unwilling to share information because they fear damage to corporate reputation. How do you ease those concerns?
There's been an important development. In the Homeland Security Act of 2002, there is what is called the Critical Infrastructure Information Act. It provides protection for voluntarily supplied information to the federal government. For example, if I have a vulnerability at a power facility or a chemical facility, and I want to tell the government about it, we can work on protection. One of the things we need to look into fairly swiftly is how the CII Act is applied to cybersecurity. So, if your firm is hacked, how do I supply this information to the Department of Homeland Security so that we can understand more about those vulnerabilities with the intention of taking corrective action? The CSIA, as a member of the cybersecurity industry, can help navigate those waters.

One of the problems I see is that we don't have a single entity within the federal government that is responsible for maintaining statistics, incidents and, more importantly, the cost of those incidents (denial of service, identity theft, sites being taken down). We see many estimates, and we know it costs millions of dollars to the industry. We're not there with a quantifier yet, and it would be nice to have someone in the federal government be responsible for those issues.

Dig Deeper on Information security certifications, training and jobs

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.