What Keeps Managers Awake at Night? Security

SAN FRANCISCO—Nervous executives took the stage at the RSA Security Conference here on Tuesday to fret about poor Internet security and its effect on their businesses.

In a 40-minute discussion punctuated with warnings to the audience not to rush the stage to try to sell them security products, the executives ticked off their concerns: developers who keep repeating the same mistakes when trying to develop secure software, the ever-changing ways their companies are vulnerable to security breaches, the careless practices of employees who discard paper as casually as they do bits, and the possible loss of customer trust.

Organizations represented included Fidelity Investments Systems Company; Accenture Technology Infrastructure Services; Wolters Kluwer Publishing; and the CIA, whose representative called the World Wide Web “a nightmare.”

“The Web is a disruptive technology,” said Bob Flores, deputy director of operational technology for the CIA’s Office of the CIO. “We’re very worried about malicious code getting into our system. We’re very confident of our own network, but we have no clue what’s on the other side. Can’t we figure out how to encrypt data until it gets into someone’s brain?”

The executives agreed on which technologies are important—strong encryption and identity management—and they steer away from cutting-edge technologies like Web services because of a lack of standards. Wolters Kluwer uses Web services in-house on a closed network, but CTO Mike Antico said he can’t risk opening his network and having to explain failures to customers, especially when the failures might not be his.

All said standards were very important and felt pressure to participate in industry-standards bodies. “If we sit on the sidelines, we’re going to get something complicated that doesn’t fit our environment,” said Bill Stangel, senior vice president and enterprise architect for Fidelity. “The vendors get too caught up in the technology.”

Spending was also a troublesome issue. Antico said he had a hard time finding the point of diminishing returns on spending, and Accenture COO Charles Porter said ROI was never a justification for spending on security because the potential damage of losing customer trust was “infinitely big.”

After the panel, the executives hustled backstage to avoid contact with the audience.

Meanwhile, TechNet, the Silicon Valley-based lobbying network, announced Monday that it will “challenge American business to meet a minimum level of cybersecurity.” However, the group is still defining best practices and has not set a date for the challenge.

At a press conference, TechNet President Rick White said the group “wants to shame industry into doing better” to prevent the possibility of government sanctions. However, White House Cybersecurity Adviser Howard Schmidt said sanctions impede the free market and that consumers could simply refuse to buy bad products.