Security threats Toolkit

CSOs stress the need for business sense

Tags:
CSO

Dawn Kawamoto CNET News

Published: 18 Feb 2005 09:45 GMT

A panel of chief security officers stressed on Thursday the need for their peers to become as business savvy as they are tech savvy, as security issues have worked their way up to the board rooms and CEO offices.

The security chiefs, who spoke at the RSA Conference in San Francisco, offered a range of advice, from reconciling the conflicting needs of their role and those of their company's employees to finding ways to prompt software vendors to quickly disclose vulnerabilities to customers.

Security chiefs are under increasing pressure as a plethora of worms, viruses and spyware have invaded their networks and employees' computers. Those invasions have been shown to cost companies hundreds of thousands of pounds in damage and downtime, as well as to affect the relationship companies have with customers.

Lisa Johnson, global information security manager for Nike, said: "I decided to get an MBA, and it has allowed me to talk with business leaders in their own language and get support from them."

She highlighted the importance of understanding worldwide business events and industry shifts beyond technology, which she said helps her talk to executives about security as it will specifically affect Nike's business and industry.

Mary Ann Davidson, Oracle's chief security officer, said for software vendors, the need to understand the role security plays in wooing customers from competition is also something to consider.

Although figures are difficult to come by, Davidson noted that companies that can show their software has lower security costs associated with it than their competitors will be in a better position to win business. Software vendors, driven by demands from their customers, may find an advantage in battle-testing their products to ensure they have as few vulnerabilities as possible.

"Customers may demand in their contract that you lock the product down," said Davidson, noting that the marketplace is a better method to prompt vendors to secure their software than imposing regulations.

Dennis Devlin, corporate security officer for The Thomson Corp, said customers are also interested in getting information from software vendors when a vulnerability arises or an exploit has occurred, rather than hearing nothing from their vendor.

In addressing improvements he wished Microsoft would make, Devlin said: "They need to share that information with customers."

David Mortman, chief information security officer of Siebel, said software makers also need to take steps to improve the ease of use in securing their systems.

"We need to make it very easy for customers to make their systems secure, otherwise they won't use the tools," Mortman said.

Security chiefs not only face these issues but also must deal with the internal conflicts that arise from their role and the desires of their company's employees. Conflicts can arise when employees may want to download files, which would go against corporate policy, for example.

Karen Worstell, chief information security officer for Microsoft, said: "As security officers... we think of all the things that can go wrong, and employees may see it as something that will help them do their job. Sometimes, it's hard to cross that bridge."