In The Boardroom Press Room About Us Research Reports Contact Us
Cyber Security Industry Alliance

In The Boardroom With...

Mr. Tim Bennett
Cyber Security Industry Alliance Thank you for joining us today, Tim. Please give us an overview of your background and a brief history of the CSIA.

Tim Bennett: My background is primarily a blend of 28 years experience in public policy related to international trade and investment issues and 8 years of association management experience in the tech industry, including serving three years as Chief Operating Officer (COO) and Executive Vice President of the American Electronics Association (AeA). In the latter role, I directed all operations for AeA’s 18 U.S. offices and 2500 members, managed the organization's offices in Beijing, Brussels and Tokyo, and staffed two board committees. Prior to that, I served as a US trade negotiator for over 11 years, most of it in the Office of the U.S. Trade Representative. I was one of the "lead" US negotiators in the Uruguay Round of GATT Negotiations, which led to the World Trade Organization. Previously, I was a consultant on international issues for many years, mainly with the DC-based law firm Steptoe & Johnson.

CSIA was launched at the RSA Conference 2004 by a group of 12 innovative security software, hardware and services vendors. John Thompson, Chairman and CEO of Symantec Corp. and CSIA's first board chairman, announced the formation of this new, non-profit organization whose mission is to improve cyber security through public policy initiatives, public sector partnerships, corporate outreach, public education and alignment behind emerging industry technology standards. Its creation reflected the frustration of the founding member companies with the inadequate attention paid to these cyber security issues elsewhere.

Currently, CSIA’s primary objectives are (1) seeking federal legislation on data security and data breach notification in the U.S; (2) seeking strengthened security provisions in the EU e-privacy directive concerning electronic communications by introducing data breach notification obligations and minimum security requirements for electronic communication providers; (3) seeking antispyware federal legislation that includes strong criminal penalties; (4) seeking legislative improvements to the Federal Information Systems Management Act to ensure stronger and more secure information systems in federal agencies; and (5) increasing the amount of interchange among the C-level executives of our member companies. We understand that you became President of the CSIA In April 2007. What is your perspective on the achievements of the CSIA since it began its operations in 2004?

Tim Bennett: The organization has covered a lot of ground in three and one-half years. It led a diverse industry coalition in obtaining U.S. Senate ratification of the Council of Europe Convention on Cybercrime, headed up the lobbying effort to obtain the creation of an Assistant Secretary of Cyber Security and Telecommunications in the U.S. Department of Homeland Security, has served on numerous U.S. government advisory committees working on critical infrastructure protection, testified frequently before congressional committees, won the national award in 2005 for best online association newsletter, and opened an office in Brussels in September 2006 to better address numerous cyber policy issues in the EU. Many associations can't match such a list of accomplishments even after a decade. Who are the CSIA members and what is their niche in the network security space?

Tim Bennett:
Our members are leaders in the industry, representing a diverse, international cross section of the information security market. They include: Application Security, Inc.; CA, Inc. (NYSE: CA); Bharosa Inc.; BSI Management Systems; Crossroads Systems, Inc. (OTCBB Pink Sheets: CRDS.PK); Entrust, Inc. (NASDAQ: ENTU); F-Secure Corporation (HEX: FSC1V); IBM Internet Security Systems Inc. (NYSE: IBM); iPass Inc. (NASDAQ: IPAS); Lavasoft; MXI Security; PGP Corporation; Qualys, Inc.; RSA, The Security Division of EMC (NYSE: EMC); Secure Computing Corporation (NASDAQ: SCUR); Surety, Inc.; SurfControl Plc (LSE: SRF); Symantec Corporation (NASDAQ: SYMC); TechGuard Security, LLC; and Vontu, Inc.

Here is some more information about a few of our members in their own words:

“BSI Management Systems is a global accredited certified body that audits and certifies organizations to the international information security standard ISO/IEC 27001. Many companies around the world use ISO 27001 to build proactive processes that allow for detection and mitigation of network security (and other related system) vulnerabilities and threats through Information security management by identifying information security risks and implementing appropriate controls to manage those risks. The effectiveness of this system is then monitored on an on-going basis, along with a continual review to the risks. Certification to ISO/IEC 27001:2005 reinforces to customers through an independent third-party, that they operates an effective system, in accordance with the requirements of the standard.” – John DiMaria; Certified Six Sigma BB, HISP Product Manager; Business Continuity, ISMS, ITSM; BSI Management Systems

“Lavasoft is the original anti-spyware company, laying the groundwork for what has become an industry of extreme economic proportions. We hold firm to our corporate vision that every computer user, regardless of economic status or geographic location, has the power (and the right) to control their individual privacy and security, and thus Ad-Aware freeware will always be a solution available for low-risk computer users. At the same time we provide advanced security solutions to protect sophisticated and higher-risk computer users. Lavasoft is simply not satisfied to provide a ‘band-aid fix’ for privacy intrusion, but in creating real social change in the industry, and we embrace the extra effort required to work hand-in-hand with adware distributors to develop solutions that do not compromise individual and business computer users.”-- Jason King, CEO, Lavasoft

"In today's wide open world of broadband Internet access, mobile devices and virtual organizations, network-centric security is not enough. That is why data-centric solutions for protecting sensitive personal and corporate information are now a top priority for IT Security. At Vontu, we help Chief Security Officers answer three basic questions: Where is my confidential data stored? Where is it being sent or copied? And how can I automatically enforce our data security policies to prevent data loss, demonstrate compliance, and maintain trust in our brand." –Joseph Ansanelli, Co-founder and CEO, Vontu, Inc. May we have a brief legislative update – what legislation has already been passed to improve cyber security and what is on the legislative agenda going forward. Are these legislative initiatives working?

Tim Bennett: Your question goes right to our current sweet spot and top priorities. There has been some federal legislation, but not nearly enough to address some key information security concerns. Lots of talking the talk, but not enough walking the walk. The Federal Information Security Management Act (FISMA) is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002. Its purpose is to bolster computer and network security within the federal government and affiliated parties (such as government contractors) by mandating yearly audits. Then in September 2005, the Council of Europe's Convention on Cybercrime was ratified by the U.S. Senate. It is the first and only international, multilateral treaty specifically addressing the need for cooperation in the investigation and prosecution of computer network crimes. It promotes global law enforcement cooperation with respect to searches and seizures and provides timely extradition for computer network-based crimes covered under the treaty.

I suppose we could even reach back to 1999 with the Gramm-Leach-Bliley Act (GLB Act), also known as the Financial Modernization Act of 1999. It's a federal law that repealed depression-era restrictions separating the businesses of banking, securities and insurance. GLBA established privacy provisions for financial institutions that included, among other things, a data security and safeguards requirement, which instructs the financial regulators to institute data security requirements establishing "administrative, technical, and physical safeguards" for the companies they regulate.

Are they working? GLBA has worked well; FISMA has resulted in improvements in the protection of federal agency information systems, but as several congressional hearings have exposed, there is still a ways to go in this effort; and the COE Convention is a step forward in facilitating international cooperation.

As for the present, I listed our top priorities in response to your first question. With respect to our top priority, CSIA has very aggressively stepped up its effort recently to obtain federal legislation that will set a national standard for consumer data protection and breach notice requirements. We are seeking a federal law requiring business and government to (1) establish and maintain a data privacy and security program to ensure the confidentiality and integrity of personal information, and (2) establish uniform notification requirements when a security breach presents a risk of harm to consumers. Without a national law, there will continue to be confusion arising from at least 40 state laws with varying requirements that cover data security and breach notification. We are also pursuing anti-spyware legislation that will make it a federal crime to intentionally access a protected computer without authorization or to exceed authorized access by causing a computer program or code to be copied onto the protected computer. As part of such legislation, we support establishing criminal penalties for those who propagate the severest forms of spyware.

We are quite encouraged at the prospects for passage of both data security and spyware legislation in the 110th Congress. The Congress does have a very crowded agenda, and it is already impacted by positioning for the November 2008 elections. However, these issues enjoy widespread bipartisan support, and the level of awareness and knowledge of these issues among Members of Congress has increased enormously. However, it would be very helpful if more companies with a stake in information security joined us in our effort to obtain these new laws. Identity Theft continues to be a major concern. “Phishing” is just one way the bad guys get their hands on personal information. Hackers from the outside, and, all to often, “insiders” compromise private information. What can companies do to protect their brands from “phishing” scams? What can individuals do to prevent themselves from becoming identity theft victims? Is there a “checklist” or “best practices” list you can share with our audience?

Tim Bennett: The best proactive approach to address such malicious attacks on our computers and information systems is for both companies and individuals to deploy appropriate security products, stay abreast of new scams by reading articles in the press or on the Net, and use common sense by avoiding web links and attachments that are suspicious in any way whatsoever. Be smart when traveling with a laptop or PDA, and be wary of using wireless hotspots in public areas. In addition, companies must regularly train employees on security best practices. Two excellent resources for consumers are the Federal Trade Commission's dedicated site on identity theft ( and the National Cyber Security Alliance’s, which offers practical tips and best practices for consumers, small businesses and educators. What resources are available for end-users on

Tim Bennett: Our website is a national award winner, and we are constantly looking to improve it to ensure it provides the greatest value to our members and the broader public. It provides thoughtful but short synopses of key cyber security issues, CSIA position papers on U.S. and EU issues, member company white papers, and many links to data sources, related research, and government agencies in the U.S. and the European Union. It also provides information on our members, our board, our staff, and on how to join. That brings me to my final comment: I urge all companies in the cyber security products and services space to join CSIA and be part of our policy work and C-level networking. We are open to both U.S. and non-U.S. based companies. Also, our board just agreed this summer to create associate membership categories for companies whose business is impacted by our issues, such as financial institutions and retailers, and universities in order to bring in the broader community to help our membership discuss these issues and determine the best solutions for strengthened information security.

Thank you for the opportunity to share insights on CSIA with your readership.