Corporate America's reluctance to be more forthcoming about internal data security measures has come under scrutiny on Capitol Hill.
Buoyed by the effectiveness of the Securities and Exchange Commission's requirements for companies to detail their Y2k preparedness in their earnings reports two years ago, legislators are considering a similar model for cybersecurity.
As with Y2k, the government can help ensure public trust and confidence in the Internet by requiring firms to disclose the security measures they have in place, said Sen. Robert Bennett (R-Utah), chairman of the Senate's Republican-led High-Tech Task Force and the Special Committee on Y2k.
"It made a whole lot of companies far more interested in solving the Y2k problem than they were before," he said, speaking at a recent security policy forum.
A spokesman for Bennett said the senator doesn't plan to introduce legislation that would require new regulations but hopes to get the SEC to take action on its own. However, an SEC spokesman said that the commission isn't in a position to comment on Bennett's remarks.
Scott Wright, director of information security services at Reston, Va.-based The Netplex Group Inc., said such a move would substantially "raise the bar" on security. According to Wright, the only question is, "What size stick does the SEC hold if companies don't meet the requirements?"
Bennett's comments come as more companies begin to look at Internet security as a risk management challenge. Whereas companies once thought of security as keeping unauthorized people out of their networks and securing the privacy of their customers' information, today it's about reducing liability, say experts.
"The issue is not privacy. We don't want privacy on the Internet. We want security," said Bennett. "It comes down to 'I'll show you my security protections if you'll show me yours.'"
Craig Goldberg, CEO of Internet Trading Technologies Inc., a New York-based technology subsidiary of stock trade regulator LaBranche & Co., said his company learned about risk management the hard way. Last March, two former employees launched a subtle but damaging series of denial-of-service attacks in an attempt to blackmail the company into providing them with stock options and other benefits. The FBI eventually arrested the employees, but the attack caused costly interruptions that prevented Goldberg's customers from making online stock trades.
"We took what we thought were reasonable precautions," said Goldberg. However, "it is difficult to stop a determined, highly skilled insider. I learned that security is both about risk management and hiring honest people," he added, advising companies to "do whatever is reasonable" to protect their systems.
Jim McNulty, president and CEO of Chicago Mercantile Exchange Inc., said he looks at the issue of security from the perspective of shareholder value and confidence.
"If you look at it from the point of view of what happens to a corporation that is attacked, what happens to their market capitalization because there's a change in perception about the company's growth prospects . . . what you can actually see are much larger effects," said McNulty.
Michael Cangemi, president and chief operating officer at leather goods retailer Etienne Aigner Inc. in Edison, N.J., said he approaches risk from the standpoint of the company's sales and profitability.
"I'm not sure the general population realizes just how interconnected all of the ordering processing systems are. My concerns are right in the core of our business," said Cangemi.
However, there's a big knowledge gap in corporate America when it comes to risk, which stems from the fact that corporate boards are primarily staffed by CEOs and not CIOs, he said.
"We're just getting to the point where there are [chief financial officers] on the board," said Cangemi. "There are no CIOs yet."
This story, "Legislators eye cybersecurity," was originally published by Computerworld.