IN THE BOARDROOM™ with...
Mr. Tim Bennett
President
Cyber Security Industry Alliance
www.csialliance.org
SecuritySolutionsWatch.com:
Thank you for joining us today, Tim. Please give us an overview of your
background and a brief history of the CSIA.
Tim Bennett: My background is primarily a blend of 28 years experience
in public policy related to international trade and investment issues
and 8 years of association management experience in the tech industry,
including serving three years as Chief Operating Officer (COO) and Executive
Vice President of the American Electronics Association (AeA). In the latter
role, I directed all operations for AeA’s 18 U.S. offices and 2500
members, managed the organization's offices in Beijing, Brussels and Tokyo,
and staffed two board committees. Prior to that, I served as a US trade
negotiator for over 11 years, most of it in the Office of the U.S. Trade
Representative. I was one of the "lead" US negotiators in the
Uruguay Round of GATT Negotiations, which led to the World Trade Organization.
Previously, I was a consultant on international issues for many years,
mainly with the DC-based law firm Steptoe & Johnson.
CSIA was launched at the RSA Conference 2004 by a group of 12 innovative
security software, hardware and services vendors. John Thompson, Chairman
and CEO of Symantec Corp. and CSIA's first board chairman, announced the
formation of this new, non-profit organization whose mission is to improve
cyber security through public policy initiatives, public sector partnerships,
corporate outreach, public education and alignment behind emerging industry
technology standards. Its creation reflected the frustration of the founding
member companies with the inadequate attention paid to these cyber security
issues elsewhere.
Currently, CSIA’s primary objectives are (1) seeking federal legislation
on data security and data breach notification in the U.S.; (2) seeking
strengthened security provisions in the EU e-privacy directive concerning
electronic communications by introducing data breach notification obligations
and minimum security requirements for electronic communication providers;
(3) seeking antispyware federal legislation that includes strong criminal
penalties; (4) seeking legislative improvements to the Federal Information
Systems Management Act to ensure stronger and more secure information
systems in federal agencies; and (5) increasing the amount of interchange
among the C-level executives of our member companies.
SecuritySolutionsWatch.com: We understand that you became President of the
CSIA in April 2007. What is your perspective on the achievements of the
CSIA since it began its operations in 2004?
Tim Bennett: The organization has covered a lot of ground in three and
one-half years. It led a diverse industry coalition in obtaining U.S.
Senate ratification of the Council of Europe Convention on Cybercrime,
headed up the lobbying effort to obtain the creation of an Assistant Secretary
of Cyber Security and Telecommunications in the U.S. Department of Homeland
Security, has served on numerous U.S. government advisory committees working
on critical infrastructure protection, testified frequently before congressional
committees, won the national award in 2005 for best online association
newsletter, and opened an office in Brussels in September 2006 to better
address numerous cyber policy issues in the EU. Many associations can't
match such a list of accomplishments even after a decade.
SecuritySolutionsWatch.com: Who are the CSIA members and what is their niche
in the network security space?
Tim Bennett: Our members are leaders in the industry, representing a diverse, international
cross section of the information security market. They include: Application
Security, Inc.; CA, Inc. (NYSE: CA); Bharosa Inc.; BSI Management Systems;
Crossroads Systems, Inc. (OTCBB Pink Sheets: CRDS.PK); Entrust, Inc. (NASDAQ:
ENTU); F-Secure Corporation (HEX: FSC1V); IBM Internet Security Systems
Inc. (NYSE: IBM); iPass Inc. (NASDAQ: IPAS); Lavasoft; MXI Security; PGP
Corporation; Qualys, Inc.; RSA, The Security Division of EMC (NYSE: EMC);
Secure Computing Corporation (NASDAQ: SCUR); Surety, Inc.; SurfControl
Plc (LSE: SRF); Symantec Corporation (NASDAQ: SYMC); TechGuard Security,
LLC; and Vontu, Inc.
Here is some more information about a few of our members in their own
words:
“BSI Management Systems is a global accredited certified body that
audits and certifies organizations to the international information security
standard ISO/IEC 27001. Many companies around the world use ISO 27001
to build proactive processes that allow for detection and mitigation of
network security (and other related system) vulnerabilities and threats
through Information security management by identifying information security
risks and implementing appropriate controls to manage those risks. The
effectiveness of this system is then monitored on an on-going basis, along
with a continual review of the risks. Certification to ISO/IEC 27001:2005
reinforces to customers, through an independent third party, that they
operate an effective system in accordance with the requirements of the
standard.” – John DiMaria; Certified Six Sigma BB, HISP Product
Manager; Business Continuity, ISMS, ITSM; BSI Management Systems
“Lavasoft is the original anti-spyware company, laying the groundwork
for what has become an industry of extreme economic proportions. We hold
firm to our corporate vision that every computer user, regardless of economic
status or geographic location, has the power (and the right) to control
their individual privacy and security, and thus Ad-Aware freeware will
always be a solution available for low-risk computer users. At the same
time we provide advanced security solutions to protect sophisticated and
higher-risk computer users. Lavasoft is simply not satisfied to provide
a ‘band-aid fix’ for privacy intrusion, but in creating real
social change in the industry, and we embrace the extra effort required
to work hand-in-hand with adware distributors to develop solutions that
do not compromise individual and business computer users.” – Jason
King, CEO, Lavasoft
"In today's wide open world of broadband Internet access, mobile
devices and virtual organizations, network-centric security is not enough.
That is why data-centric solutions for protecting sensitive personal and
corporate information are now a top priority for IT Security. At Vontu,
we help Chief Security Officers answer three basic questions: Where is
my confidential data stored? Where is it being sent or copied? And how
can I automatically enforce our data security policies to prevent data
loss, demonstrate compliance, and maintain trust in our brand." – Joseph
Ansanelli, Co-founder and CEO, Vontu, Inc.
SecuritySolutionsWatch.com: May we have a brief legislative update –
what legislation has already been passed to improve cyber security and
what is on the legislative agenda going forward? Are these legislative
initiatives working?
Tim Bennett: Your question goes right to our current sweet spot
and top priorities. There has been some federal legislation, but not nearly
enough to address some key information security concerns. Lots of talking
the talk, but not enough walking the walk. The Federal Information Security
Management Act (FISMA) is a United States federal law enacted in 2002
as Title III of the E-Government Act of 2002. Its purpose is to bolster
computer and network security within the federal government and affiliated
parties (such as government contractors) by mandating yearly audits. Then
in September 2005, the Council of Europe's Convention on Cybercrime was
ratified by the U.S. Senate. It is the first and only international, multilateral
treaty specifically addressing the need for cooperation in the investigation
and prosecution of computer network crimes. It promotes global law enforcement
cooperation with respect to searches and seizures and provides timely
extradition for computer network-based crimes covered under the treaty.
I suppose we could even reach back to 1999 with the Gramm-Leach-Bliley
Act (GLB Act), also known as the Financial Modernization Act of 1999.
It's a federal law that repealed depression-era restrictions separating
the businesses of banking, securities and insurance. GLBA established
privacy provisions for financial institutions that included, among other
things, a data security and safeguards requirement, which instructs the
financial regulators to institute data security requirements establishing
"administrative, technical, and physical safeguards" for the
companies they regulate.
Are they working? GLBA has worked well; FISMA has resulted in improvements
in the protection of federal agency information systems, but as several
congressional hearings have exposed, there is still a ways to go in this
effort; and the COE Convention is a step forward in facilitating international
cooperation.
As for the present, I listed our top priorities in response to your first
question. With respect to our top priority, CSIA has very aggressively
stepped up its effort recently to obtain federal legislation that will
set a national standard for consumer data protection and breach notice
requirements. We are seeking a federal law requiring business and government
to (1) establish and maintain a data privacy and security program to ensure
the confidentiality and integrity of personal information, and (2) establish
uniform notification requirements when a security breach presents a risk
of harm to consumers. Without a national law, there will continue to be
confusion arising from at least 40 state laws with varying requirements
that cover data security and breach notification. We are also pursuing
anti-spyware legislation that will make it a federal crime to intentionally
access a protected computer without authorization or to exceed authorized
access by causing a computer program or code to be copied onto the protected
computer. As part of such legislation, we support establishing criminal
penalties for those who propagate the severest forms of spyware.
We are quite encouraged at the prospects for passage of both data security
and spyware legislation in the 110th Congress. The Congress does have
a very crowded agenda, and it is already impacted by positioning for the
November 2008 elections. However, these issues enjoy widespread bipartisan
support, and the level of awareness and knowledge of these issues among
Members of Congress has increased enormously. However, it would be very
helpful if more companies with a stake in information security joined
us in our effort to obtain these new laws.
SecuritySolutionsWatch.com: Identity Theft continues to be a major
concern. “Phishing” is just one way the bad guys get their
hands on personal information. Hackers from the outside, and, all too often,
“insiders” compromise private information. What can companies
do to protect their brands from “phishing” scams? What can
individuals do to prevent themselves from becoming identity theft victims?
Is there a “checklist” or “best practices” list
you can share with our audience?
Tim Bennett: The best proactive approach to address such malicious
attacks on our computers and information systems is for both companies
and individuals to deploy appropriate security products, stay abreast
of new scams by reading articles in the press or on the Net, and use common
sense by avoiding web links and attachments that are suspicious in any
way whatsoever. Be smart when traveling with a laptop or PDA, and be wary
of using wireless hotspots in public areas. In addition, companies must
regularly train employees on security best practices. Two excellent resources
for consumers are the Federal Trade Commission's dedicated site on identity
theft (www.ftc.gov/bcp/edu/microsites/idtheft/)
and the National Cyber Security Alliance’s www.staysafeonline.info,
which offers practical tips and best practices for consumers, small businesses
and educators.
SecuritySolutionsWatch.com: What resources are available for end-users
on https://www.csialliance.org?
Tim Bennett: Our website is a national award winner, and we are
constantly looking to improve it to ensure it provides the greatest value
to our members and the broader public. It provides thoughtful but short
synopses of key cyber security issues, CSIA position papers on U.S. and
EU issues, member company white papers, and many links to data sources,
related research, and government agencies in the U.S. and the European
Union. It also provides information on our members, our board, our staff,
and on how to join. That brings me to my final comment: I urge all companies
in the cyber security products and services space to join CSIA and be
part of our policy work and C-level networking. We are open to both U.S.
and non-U.S. based companies. Also, our board just agreed this summer
to create associate membership categories for companies whose business
is impacted by our issues, such as financial institutions and retailers,
and universities in order to bring in the broader community to help our
membership discuss these issues and determine the best solutions for strengthened
information security.
Thank you for the opportunity to share insights on CSIA with your readership.