CEOs and boards of directors must take direct responsibility for the security of their companies' computer networks if protection of the U.S. critical infrastructure is to improve, according to a new report issued Monday by an industry task force.
In a 49-page report titled "Information Security Governance: A Call to Action," a volunteer group of corporate executives said information security has too often been treated as "solely a technical issue" and should be elevated from a CIO-level issue to one managed by the CEO and the board of directors.
"If businesses, educational institutions and nonprofit organizations are to make significant progress securing their information assets, executives must make information security an integral part of core business operations," the report states. "There is no better way to accomplish this goal than to highlight it as part of the existing internal controls and policies that constitute corporate governance."
The report is the latest in a series of five industry task force reports called for during last December's inaugural National Cyber Security Summit, sponsored by several IT industry consortiums and the U.S. Department of Homeland Security. It outlines recommendations for protecting the nation's critical infrastructure by identifying cybersecurity roles and responsibilities within corporate executive management structures. It also establishes risk management and quality assurance benchmarks and outlines best practices and industry metrics for use by companies and auditing firms.
However, because the task force was managed by the private sector, the report avoids all mention of enforcement or how compliance with the guidelines and standards will be measured. Instead, the task force recommended that companies post notices on their Web sites indicating that they have adopted the task force recommendations. The task force also called on the Department of Homeland Security to establish an awards program for companies that meet or exceed the corporate governance guidelines. When asked by reporters how such a nonregulatory approach could be made to work and measured, the two co-chairmen of the task force could only answer with generalities.
"There's a significant amount of compliance already," said task force co-chairman Arthur Coviello, CEO and president of RSA Security Inc. However, when pressed for examples, Coviello acknowledged that most of the evidence is anecdotal.
"It's hard to imagine that any CEO could not take this as a significant responsibility," said Coviello, adding that all chief executives already have a fiduciary responsibility to make sure that their computer networks are secure. "And that goes for the board of directors as well," he said.
F. William Conner, chairman and CEO of Entrust Inc. and the other task force co-chairman, agreed. "This is not a technology, a CIO or a chief security officer issue," he said. "The issue is a CEO and board-level issue."
Amit Yoran, director of the National Cyber Security Division at the Homeland Security Department, attended the press conference announcing the release of the task force report. However, Yoran said he hadn't yet read the report and was unable to comment on whether his agency would establish a corporate-governance awards program or how it plans to support the task force's recommendation that the department use its bully pulpit to encourage companies to follow the proposed guidelines.
"Without corporate leadership, we won't get this done," said Orson Swindle, a member of the Federal Trade Commission. He added that the intent behind all of the task force recommendations is to infuse information security into the U.S. corporate culture.
And although he urged companies to make a public commitment to following the guidelines, Swindle said he doesn't see it "as an option." If the task force report fails to get the attention of CEOs and boards of directors, "I have no doubt that some sort of regulation will be passed," he said.
Task force recommendations
1. Organizations should adopt the information security governance framework described in the report and embed cybersecurity into their corporate governance process.
2. Organizations should signal their commitment to information security governance by stating on their Web site that they intend to use the tools developed by the Corporate Governance Task Force to assess their performance and report the results to their board of directors.
3. All organizations represented on the Corporate Governance Task Force should signal their commitment to information security governance by voluntarily posting a statement on their Web site. Furthermore, all (National Cyber Security) Summit participants should embrace information security governance and post statements on their Web sites, and if applicable, encourage their members to do so as well.
4. The U.S. Department of Homeland Security should endorse the information security governance framework and core set of principles outlined in this report, and encourage the private sector to make cyber security part of its corporate governance efforts.
5. The Committee of Sponsoring Organizations of the Treadway Commission should revise the Internal Controls-Integrated Framework so that it explicitly addresses information security governance.