Software Industry Unveils Security Framework

Instead of pushing for new laws, CEOs of major software companies look for ways for top executives to become better aware of the risks they face.

WASHINGTON—The CEOs of Entrust Inc., RSA Security Inc., Microsoft Corp. and nine other major software companies Wednesday unveiled a task force to elevate the importance of cyber-security among top executives in the private sector and at government agencies.

Other than tax breaks and class-action reform to protect them from frivolous lawsuits, the software executives are not pushing for new laws to improve cyber-security. Regulations targeting specific industries, such as the Sarbanes-Oxley Act, Gramm-Leach-Bliley Act, and Health Insurance Privacy and Accountability Act, already provide a sufficient regime for information security, the CEOs argued.

"Theres plenty of legislation today. The critical ingredient missing is a framework and a way to apply it," said William Conner, chairman and CEO of Entrust. "There needs to be context to the legislation thats out there."

Some lawmakers have floated the idea of new legislation requiring publicly traded companies to report the results of security audits in filings with the Securities and Exchange Commission, much like they had to report the results of Y2K protection measures. Business Software Alliance members said they do not support the proposal.


"Theres already an audit standard out there for reporting internal weaknesses," said Art Coviello, president and CEO of RSA. "What were talking about here is a change in environment."

Unlike the Y2K risk, routine IT security risks are not well-understood or fully appreciated, said Dale Fuller, president and CEO of Bentley Systems. Top executives need to become better aware that the risks they face have changed substantially, he said.

"When everything was written in stone tablets, not a lot of people cared about fires in their buildings," Fuller said.

Instead of more action from Congress, the software industry aims to encourage the private sector and government agencies to take the needed steps on their own. Gathered on Capitol Hill for a BSA forum, they presented a framework for enterprises to implement to better security practices.

Echoing a theme of the Bush administrations National Strategy to Secure Cyber Space, the software executives complained that too many corporate chiefs and boards leave IT security to their technology experts when it should be a matter of governance. The framework launched Wednesday provides a management template for IT security, composed of business drivers, roles and responsibilities, and results metrics.

Under the framework, corporate executives would oversee policies and enforce accountability; senior managers would conduct periodic risk assessments and security tests; and CIOs would designate a security officer and develop required policies to support the security program.

While in Washington, the software CEOs also addressed their concerns about intellectual property rights. Few countries treat intellectual property the way they should, said Bruce Chizen, president and CEO of Adobe Systems Inc.

The group urged lawmakers to continue supporting the Digital Millennium Copyright Act, which the recording industry has applied aggressively to combat illegal music downloads. The DMCA is one of the few tools IT companies have to deal with software piracy, Chizen said.

The BSA members also spoke out against governments choosing sides in the open standards/proprietary software debate.

"As an industry, if were not always innovating, if were not introducing great new products, we dont have a reason to be," said Microsoft CEO Steve Ballmer, adding that governments should choose software based on value. "Our companies will be fine as long as we get a fair chance to compete."

Discuss this in the eWEEK forum.