
Execs aim to teach better security

Ten security executives form a group to clarify the role of chief security officers in companies and help businesses and the government secure their information systems.

Robert Lemos, Staff Writer, CNET News.com

SAN FRANCISCO--Ten security executives have formed a group to help companies and the government create a secure information infrastructure.

As previously reported by CNET News.com, the newly formed Global Council of CSOs (chief security officers) consists of nine security executives from technology, financial and Internet companies and one security chief from a government agency. The group on Wednesday said at a press conference here that it aims to clarify the role of the chief security officer in companies, help such executives understand their role in implementing the National Strategy to Secure Cyberspace and aid communications among security professionals, the technology industry and the government.




"We are all going to do what we can to secure our part of cyberspace," said Howard Schmidt, chief security officer for eBay, who led the initiative to create the group. The former Microsoft chief security officer and U.S. cybersecurity czar had a significant hand in helping draft the National Strategy to Secure Cyberspace, a U.S. policy statement aimed at protecting the Internet infrastructure, computers and data from attack.

The council is the latest organization to be established specifically to address digital security concerns. In September, the U.S. Department of Homeland Security teamed up with Carnegie Mellon University's Computer Emergency Response Team (CERT) Coordination Center to form the US-CERT group to fight cyberbugs. A year before, several software and security companies set up the Organization for Internet Safety to publish guidelines for disclosing vulnerabilities in software. In addition, numerous information sharing and analysis centers have been created to teach various industries how to maintain secure information systems, and the FBI has partnered with companies in many U.S. regions to create InfraGard groups, the security world's equivalent of Rotary International.

While duties of the Global Council of CSOs may overlap with those of other organizations, its main goals are complementary, said Mary Ann Davidson, chief security officer for software maker Oracle.

"I think it is a particularly good balance between those who are in the technology sector of IT and those who are a consumer of technology but have incredible responsibilities for securing their infrastructure," she said.

The group doesn't have any formal connections with the Department of Homeland Security but, as many of the executives in the council have said, it will likely have close contacts with the government.


Members of the group include top security executives from the Bank of America, Citigroup, MCI, Microsoft, Motorola, Sun Microsystems and Washington Mutual. The sole initial government representative will be Will Pelgrin, the director of cybersecurity and critical infrastructure for New York state. Carnegie Mellon's CyberLab has volunteered to take on administration duties for the group.

Pelgrin said the brainpower of company executives will help government agencies lock down their systems.

"Generally, the private sector has been much more in the fore than the government has been on this, and while the government is catching up, I think that we can bring and highlight for government the importance of a CSO...and the awareness of cyberissues," he said.

Nearly 85 percent of information infrastructure is owned by the private sector. But some lawmakers have criticized the industry for the pace at which new security initiatives have been launched and, to address those concerns, have introduced legislation: the Gramm-Leach-Bliley Act in the financial industry, the Health Insurance Portability and Accountability Act in the health care industry, and the Security Breach Information Act passed in California, for example.

The Global Council of CSOs believes that promoting better security practices among companies in the industry will help minimize future legislation.

The council will likely release comments on adopting new technologies and standards--such as the next-generation Internet, known as Internet Protocol version 6; Secure Border Gateway Protocol; and secure Domain Name System--to aid in future network security, the group said.

"I think that international standardization has been one of the bright spots in security," said Whitfield Diffie, chief security officer at Sun. "The problems deal more with deployment of the things that have been agreed on."

Diffie pointed to the adoption of the Rijndael encryption algorithm created in Belgium as the United States' next-generation encryption standard, known as the Advanced Encryption Standard.

eBay's Schmidt believes that the first step is to give security executives more power within corporate ranks.

"There is this perception, in many cases, that some of them are too far down in the organization; others don't have the visibility that they think they need to be effective," Schmidt said. Improving the nation's and the Internet's security depends on changing that, he added.