CSOinformer - Security wisdom ahead of the curve

CSOs go Global

November 20, 2003 - Jim Reavis

In March of this year at the CISO Executive Summit in Orlando, possibly the most influential speaker was not a Chief Security Officer, but a corporate governance expert named Dr. Thomas Horton. Dr. Horton, who sadly passed away on August 9th, used his lunchtime address to speak to the need for better corporate governance standards to be applied to information security. As part of his address, Dr. Horton expounded on a key problem: the Chief Security Officer position is fairly new, CSOs tend to individually define the position and there is a lack of collaboration between CSOs. What CSOs need to do, opined Dr. Horton, is develop formal associations between themselves, and work together to solve many of the problems facing the industry. Inside of a year, multiple efforts are underway to do just that, including the Global Council of CSOs, announced last week.

The Global Council of CSOs is a collection of ten very well known industry figures: eight CSOs, one former CSO, and Vint Cerf, a much esteemed founding father of the Internet. Howard Schmidt, Chief Information Security Officer of eBay and former Special Adviser for Cyberspace Security for the White House, was the driving force behind the creation of this council. Howard is a man with an evangelical fervor towards information security and is universally respected within the industry. I give Howard a lot of credit for the positive changes at Microsoft, yet he put a lucrative private sector job aside to answer the call of his government immediately after 9/11. His energy and influence alone are one reason why this council should be successful; the question is: successful at what?

This is plainly true, and to me is the only strong point made in the paper. The authors are a little fuzzy about the solutions other than insisting that government intervention is necessary, but make one notable suggestion towards the end: "A requirement that no operating system be more than 50% of the installed base in a critical industry or in a government would moot monoculture risk." I am not sure if this is a serious suggestion, but Houston, we have a problem. I have been in the information technology business even before I was in the security business, and in all that time the drive for standardization in IT has been pursued by the industry with a religious fervor. Our economy, the Internet, and the World Wide Web have been built on standards. I am sure that somewhere in the CIO's book of golden rules it says standardization increases ROI and lowers TCO. Standardization often creates business agility, which provides a key competitive advantage. Business schools are filled with case studies of companies that tried to do too much and "diversified" themselves out of existence. It is quite presumptuous to suggest a cap of 50% market share without understanding the economic impact of that suggestion and juxtaposing this with the economic costs of the monoculture. The paper is fairly light on facts; it does quote a figure from a security consultancy called mi2g Ltd., saying that malicious software is causing up to $107 billion in economic damage this year and the SoBig virus is causing $30 billion alone. It is unfortunate that they quoted numbers from a security consultant with limited credentials (you can read more about mi2g in an article from Rick Forno). It is also unfortunate that they did not attempt to clearly monetize the cost of the monoculture, as opposed to citing generic numbers from an unproven source. If they were able to derive rational monoculture costs, we would then need to compare them with the economic benefits and productivity gains of standardization.

The stated objectives of the Council are to bring CSOs together, further define the role of the CSO, and get the CSO point of view across to government and industry. The Global moniker aside, make no mistake about it: this organization has a national focus, at least for now. It effectively states this with objective number 3:

"Define the role of the CSO in implementing The National Strategy to Secure Cyberspace"

I hope this council in the near term either adds CSOs from outside of the United States or creates an alliance with an appropriate international group. Security initiatives that benefit the United States have strong alignment with our allies and trading partners across the world, but these are not perfectly overlapping circles. Some information security issues will remain national in scope. However, there are several international issues that hit U.S.-based companies hard. From resolving privacy disconnects between the United States and the European Union, to the phenomenon of IT outsourcing to India, to rampant piracy, to the apprehension of cybercriminals and global jurisdictional issues, the Council has an opportunity to impact information security policy and practices here and abroad. In any case, the Council's presence will be felt in Washington; some individual members of this group were already influential in getting Congress to rethink the proposed Information Systems Security Accountability Act that was recently withdrawn.

There is a clear need for organizations like this to provide a strong voice aimed at information security technology companies. For too long the industry has lacked guidance from CSOs and has been more focused on trying to solve the symptoms of insecurity rather than the core problems. For example, we spend a lot of money fighting viruses and spam at our front door, and far fewer resources making changes to email protocols that can make a more lasting difference. It is my hope that more CSO "feature specifications" make their way into security products in the future.

An issue that remains to be addressed is how small and medium-sized businesses, which make up a huge part of our economy, can benefit from and leverage a council such as this. Like the global point of view, some interface needs to be defined for the SMB.

Getting CSOs mobilized and collaborating is a critical issue shaping the future of corporate security. For too long, CSOs have been going it alone. While best practices for information protection have been around forever, it seems, a roadmap for CSOs to be effective and strategic to their business has been lacking. It is my hope that the biggest impact of an organization like this is in getting CSOs to learn from each other and improving their standing and influence with their own executive management and board of directors. It is one thing for a CEO to shoot down an individual, quite another to shoot down an industry.


CSOinformer is edited by Jim Reavis, founder of SecurityPortal and longtime industry analyst. This monthly newsletter is targeted at people who must take a strategic, multi-year view of the information security industry, and we promise insights you will not find anywhere else.

CSOinformer is a service of Reavis Consulting Group, and is published on the second Tuesday of each month.
