John Thompson: Customers need security know-how
Published: 22 Jul 2004 15:20 BST
Many people have criticised the Can-Spam Act as ineffectual, but isn't it true that it takes a while for such legislation to work its way into the toolbox of law enforcement officials and prosecutors?
What's the value of Can-Spam as a legislative initiative? Its value, simply put, is twofold. It makes more sense to have one law than 50, so you don't have the world chasing the uniqueness of the implementation of 50 states. You have one national law that is the superset, if you will, that everyone has to conform to. When it's all said and done, it puts a public spotlight on the issue for individuals who would engage in illegal activity.
But when you think about spam as a global phenomenon, I don't know how you stop spam in the United States alone. I think it needs to be an initiative that, at a minimum, the G8 (countries) take seriously and come up with some uniform set of laws and rules and conventions by which we are going to manage the problem on a global basis, not just inside the states.
What do you think about the sender verification technologies that Microsoft and America Online have proposed? Do you think that they will help reduce spam?
Well, clearly the notion of a trusted sender is a good idea. That makes an awful lot of sense. The question is: how long will it take for something like that to evolve? Historically, Microsoft and AOL haven't been able to agree on much. So maybe they will bury their differences and agree on a set of standards that do make some sense.
Many companies have railed against the Sarbanes-Oxley Act (which requires top corporate officers to sign off on their financial information) as legislation that's increasing expenses. However, it seems like the accounting firms, which are hired to audit their systems, are saying, "Hey, we are not going to sign off on your systems unless you have certain security in place." So for a lot of boards, Sarbanes-Oxley becomes a major reason for the firms to adopt better security. Are you hearing that from your customers?
Customers who have for a long time invested in intrusion sensors, firewalls and antivirus agents, among other security technologies, have finally stepped back from that implementation and realised, "You know something? I don't have a set of policies that work."
There is more discussion between us and them today on policy compliance and security infrastructure management -- "How do I manage what I have created?" -- which gets back to the rigor that is being driven by things like Sarbanes-Oxley.
The reality is that that's what's driving policy management, policy compliance and infrastructure management activity around our business. It is the realisation that "I have deployed all of this security stuff, and I don't have a way to determine just how secure I really am. Every one of these point products that I have deployed over the last five years does its own job in its own little sliver of the domain, but they don't communicate very well."