Top execs urged to zero in on security

A trade group for corporate brass says companies should make security a focus at the top levels of management, rather than leaving the issue solely to tech departments.

John Borland, Staff Writer, CNET News.com

The Business Roundtable, a national trade association for corporate executives, said Wednesday that company board members and chief executives need to pay more attention to computer security.

Companies should make information security a focus at the top levels of management and corporate strategy, rather than leaving the issue solely to technology departments, the group said as part of a policy statement on digital security.

Making the issue a top-level focus would alert more companies to the dangers and costs of viruses and computer break-ins, as well as improve overall national security, the group said.

"Because this country's critical information infrastructures are largely owned and operated by the private sector, business leaders are responsible for addressing the risks of these growing security threats," C. Michael Armstrong, the chairman of Comcast and of the Roundtable's Security Task Force, said in a statement. "Attacks on a company in one sector can affect suppliers, partners and customers in a variety of sectors, disrupting the flow of goods and services on a regional, national or even international scale."

The call is just the latest in a long series of appeals from government, technology and corporate groups for large companies to take computer security issues more seriously.

Microsoft has made security a larger issue in the development of its software and has devoted considerable resources--including the creation of a bounty program for information leading to the arrest of virus writers--to finding and fixing flaws in its Windows operating system and other software.

Some developers have said Microsoft should nevertheless be held financially responsible for damages to companies that result from security holes in its software. They've pressed--as yet without result--for changes in product liability law that would allow lawsuits against Microsoft or other developers of buggy software.

In its series of policy statements released Wednesday, the Business Roundtable recommended the following:

• Boards and CEOs pay direct attention to information security as part of corporate strategy.

• End users, software companies and the federal government share responsibility for improving security and sharing information about threats.

• Solutions be market-based instead of government mandates.

• Public disclosure of corporate security practices be voluntary.

"The policy principles outlined by the Business Roundtable align with (our) goal to elevate information security issues to the (top executive level) and the boardroom within the business community," Paul Kurtz, executive director of the Computer Security Industry Alliance, which represents security software companies, said in a statement. "We believe the Roundtable has taken a critical step forward to ensure the health of information systems that support both global economy and individual businesses."