
Collaboration is a necessity for a secure infrastructure

26 May 2005


In recent years companies have become increasingly accustomed to the notion that IT is the business.

IT is now largely accepted as an integral part of the organisation, and as something that can deliver real business value - almost gone are the days when IT was seen as the place where the pony-tailed geeks hung out playing computer games, and fixing your PC when it crashed.

This shift is having a profound impact on other areas of our everyday lives. 'IT is infrastructure now,' says Oracle chief security officer (CSO) Mary Ann Davidson. 'And it has to be as secure as the physical infrastructure.'

As well as being in charge of security at Oracle, Davidson is one of the 10 charter members of the Global CSO Council, a think tank intended to breed security best practice across the industry.

Other charter members include former eBay CSO Howard Schmidt; William Pelgrin, director of the New York State Office of Cyber Security and Critical Infrastructure Coordination; and Rhonda MacLean, director of corporate information security at Bank of America and the US Department of Treasury-appointed private sector co-ordinator for banking and finance for the US National Strategy to Secure Cyberspace.

Davidson believes that industry collaboration is key to driving home the message that good security practices are now integral to modern life. The more businesses and technology vendors collaborate on security, the fewer boundaries exist and the quicker best practice can be achieved.

'Collaboration is extremely important,' she says. 'The one thing about the hacker community is they're very good at sharing things. It's important that the industry drops its barricades and starts working together because these people are trying to attack us.' Davidson says there are some basic steps that could be taken to improve security for everyone.

One of these involves the inclusion of auditing standards in commercial software. 'One of the things I'm trying to foster is not sexy, but it is necessary,' she says.

'Commercial software on which physical support networks are built does not have adequate auditing. There's no alarm system that says, "oops this is happening" and triggers an alarm.'

Davidson is working with the US National Institute of Standards and Technology (Nist) to encourage the development of an international standard that could be applied across the industry.

'Having better auditing is a very useful problem to force. This is one of these building blocks I want to foster because it's good for the industry. I have approached Nist and they are very interested, but they are precluded from lobbying by law and the next step is to make sure they get funding.

'This is not a competitive thing for Oracle, it's just something I think would make sense. We need to go to Capitol Hill and push this, but from an industry perspective. If you went in and said this would be good for my company, you're doing the legislators a disservice.'

Davidson says she is unsure of the timing of the introduction of a standard, but says it could be sooner rather than later.

Standards such as the one Davidson and her colleagues are proposing can play a significant role in establishing commonality and best practice, but drumming security into students while they are still learning would breed a security-conscious next generation of developers, she says.

Davidson believes this is an area that needs addressing. Computer science graduates can leave university with degrees, but have no knowledge of how to securely code software, she says.

Businesses employing graduates then have to spend time and money training their programmers to code securely.

With IT so firmly entrenched in physical and critical infrastructures, this is no longer acceptable.

'I would like to see university programmes certified so you couldn't get out until you could prove at least basic secure coding. You couldn't do that in civil engineering. Look at architects, for example. They can design the most amazing buildings, but they're also secure. I didn't walk into this building today and wonder if it was going to fall down,' she says.

While there is still much to be done to improve security practices, Davidson says progress is being made. Awareness is higher than a few years ago and issues such as regulatory compliance are highlighting security more than ever before.

There has also been a shift in the security products coming to market, with more emphasis on preventative technology.

'I used to complain that venture capitalists made more money from band aids than vaccines,' says Davidson. 'I think we've turned the corner and that has changed.'
