Staff Writer, CNET News.com
SAN FRANCISCO—A panel of chief security officers stressed on Thursday the need for their peers to become as business savvy as they are tech savvy, as security issues have worked their way up to the board rooms and CEO offices.
The security chiefs, who spoke at the RSA Conference 2005 here, offered a range of advice in these rapidly changing times, from reconciling the conflicting needs of their role and those of their company's employees to finding ways to prompt software vendors to quickly disclose vulnerabilities to customers.
Security chiefs are under increasing pressure as a plethora of worms, viruses and spyware have invaded their networks and employees' computers. Those invasions have been shown to cost companies hundreds of thousands of dollars in damage and downtime, as well as to affect the relationship companies have with customers.
"I decided to get an MBA (degree), and it has allowed me to talk with business leaders in their own language and get support from them," said Lisa Johnson, global information security manager for Nike.
She highlighted the importance of understanding worldwide business events and industry shifts beyond technology, which she said helps her talk to executives about security as it will specifically affect Nike's business and industry.
And for software vendors, the need to understand the role security plays in wooing customers from competition is also something to consider, said Mary Ann Davidson, Oracle's chief security officer.
Although figures are difficult to come by, Davidson noted that companies that can show their software has lower security costs associated with it than their competitors will be in a better position to win business. Software vendors, driven by demands from their customers, may find an advantage in battle-testing their products to ensure they have as few vulnerabilities as possible.
"Customers may demand in their contract that you lock the product down," said Davidson, noting that the marketplace is a better method to prompt vendors to secure their software than imposing regulations.
Customers are also interested in getting information from software vendors when a vulnerability arises or an exploit has occurred, rather than hearing nothing from their vendor, said Dennis Devlin, corporate security officer for The Thomson Corp.
In addressing improvements he wished Microsoft would make, Devlin said: "They need to share that information with customers."
David Mortman, chief information security officer of enterprise software vendor Siebel Systems, said software makers also need to take steps to improve the ease of use in securing their systems.
"We need to make it very easy for customers to make their systems secure, otherwise they won't use the tools," Mortman said.
Security chiefs not only face these issues but also must deal with the internal conflicts that arise from their role and the desires of their company's employees. Conflicts can arise when employees may want to download files, which would go against corporate policy, for example.
"As security officers...we think of all the things that can go wrong, and employees may see it as something that will help them do their job," said Karen Worstell, chief information security officer for Microsoft. "Sometimes, it's hard to cross that bridge."