Like cancer used to be among friends in the 1960s, security is taboo as a discussion topic among many CIOs today. Superstitious IT executives keep quiet about the subject and hope it will go away. They rarely seek out colleagues to compare notes about managing technology vulnerabilities and the mitigation of risk.
This squeamishness spills over into the structures designed to help companies talk about incidents. The Information Sharing and Analysis Centers (ISACs), which act as sector focal points for threat and vulnerability information, go to great lengths to ensure that participants' submissions are anonymous, and only the nonattributable details of security events are circulated within the ISAC. And sector ISAC members report incidents only if they are of sufficient magnitude that a wider threat is perceived.
This reluctance is predictable. Who wants to risk tanking the company's stock price? Who wants to admit that the money invested in security might not have been wisely spent?
Candor helps companies with nearly every IT issue -- except information security, that is. People just don't stand around at industry cocktail parties saying, "We got our voice mail hacked again last week." The fact that so many incidents are inside jobs also dilutes companies' desire to open the kimono.
Another problem for CIOs is that there are few service-level agreements for security and no credible ways to measure ROI or total cost of ownership for security investments. How can a CIO even report effectively to upper management about security posture when typical metrics and rules don't apply?
Companies wishing to determine how serious a given incident is find themselves without a common language of vulnerability. OASIS has 36 different technical committees working to organize XML, but only one related to security, and it covers authentication techniques.
We don't have a common language to communicate vulnerabilities or their severity. If there were a "vulnerability management markup language," it would assist companies in evaluating incidents in heterogeneous environments in real time and choosing new products and services. It could also assist the U.S. government in determining the true state of readiness in private industry.
So let's talk. Let's get the various ISACs to hold joint summits to talk about where the threats really lie and how to manage vulnerabilities effectively. Let's arrive at some metrics whereby user companies can easily figure out how secure they are.
And let's get the government to help us. The "National Strategy to Secure Cyberspace" proposes the concept of sector coordination and collaboration, but it's only a very basic beginning to a solution. The government is putting more money and effort into information assurance than ever before. Let's let it help us. In exchange for voluntary participation in confidential forums for information exchange, let's work to get tax breaks designed to reward proactive homeland security work.
And let's go further than Freedom of Information Act exemptions. Let's take the next step and get the SEC and other regulatory agencies to take special note of companies that are upfront about the actions they take to protect their digital assets.
We have to share security information; if we don't figure out a way as users of security products to talk about information security in a constructive way, we shrink our opportunities to improve the whole information management landscape. It's good business. And it's good government.
Cathy Hotka is principal of Cathy Hotka & Associates, a consultancy for retail IT operations in Washington. Edward Schwartz is executive vice president and general manager of Predictive Systems Inc. in New York.