Cyber Security Industry Alliance Newsletter • Volume 2, Number 5 • January 2006

CSIA Member Spotlight

Citadel Security Software

Name: Citadel Security Software

CSIA Membership Level: Charter Member

Chief Executive Officer: Steven B. Solomon

Founded: 1996

Headquarters: Dallas, Texas

About Citadel Security Software: Vulnerabilities are the fastest growing threat to enterprise network security, and since its inception in 1996, Citadel Security Software has been developing software products and services to mitigate the risk of security vulnerabilities. Today, Citadel is a leader in enterprise vulnerability management solutions, helping enterprises effectively neutralize security vulnerabilities through automated vulnerability remediation (AVR) technology.

Citadel provides a complete solution for enterprise vulnerability management, from identification and prioritization of network devices to assessing, reviewing, remediating and proactively managing vulnerabilities. This proactive approach allows security and IT operations personnel to keep their workflow and processes separate, while taking advantage of a single solution for managing vulnerabilities across the enterprise.

Citadel recognizes the importance of providing a purpose-built platform for enterprise vulnerability management. By focusing on the needs of both security and IT operations professionals, our solutions provide unparalleled capabilities for securing the enterprise. Our team of security professionals provides cutting-edge vulnerability intelligence and has created the world's largest library of vulnerability remedies. Considered one of the industry thought leaders on vulnerability management, Citadel provides advanced solutions to address the growing security concerns of enterprises.

Together with Citadel's advanced AVR technology, enterprises now have a powerful, secure and automated patch management and vulnerability remediation solution. Citadel's integrated suite of vulnerability management solutions enables organizations to proactively protect against vulnerabilities, saving valuable time and money, while mitigating risk and complying with corporate and government mandates.

Cyber Security:
No Longer Just a Nuisance
Now a Matter of National and Economic Security!

Would a business owner ever even conceive of leaving a supply warehouse or a manufacturing plant unlocked or unprotected? Would we be concerned if folks stopped going to shopping malls because they were afraid of being robbed or hijacked?

So why, in a world where so much of the economy is driven by electronic capabilities enabled by technology, would business owners allow their intellectual and information assets to exist in an unprotected or inadequately protected state? Why is it that in many business organizations, government entities and academic institutions, information security and privacy are not executive management agenda items for discussion about business process and risk management?

With the current threat climate in the world, critical infrastructure protection can no longer be a discussion about just physical assets. The growing interdependencies between physical and cyber assets demand a dramatic and immediate change in thinking and action around protecting critical infrastructures. Computer networks, systems, and desktops, along with remote and wireless devices, must be included in risk mitigation strategies.

The issues around cyber security are no longer simply about the nuisance factor: evidence shows that this issue has evolved to be about significant potential risk to national and economic security. It is about thieves, extortionists, organized crime and, yes, even terrorist organizations. Information has become the latest and most lucrative currency for the criminal element.

Recent well-publicized examples of identity and data theft have put the security and privacy of personal information on the radar screen for many consumers, businesses, and policy makers. In recent years, the government has sought to stress the importance of critical infrastructure protection and information security by passing various legislative initiatives including HIPAA, Gramm-Leach-Bliley, FCRA, and Sarbanes-Oxley.

Additionally, the Federal Trade Commission has pursued action against privacy violators as demonstrated in the cases against BJ’s Warehouse and DSW. With this legislative and regulatory attention, the position is clear that strong information security is no longer negotiable and failure to implement and maintain effective security policies could potentially lead to liability for negligence.

While these initiatives have provided the impetus for addressing respective sector-specific issues, the question then becomes this: beyond government-issued requirements, what will it take to motivate corporate America and all user groups to more proactively invest in protecting their information and intellectual assets? What incentives, "carrots," can be included that will produce meaningful results and contribute to ensuring economic vitality and national security?

In 2004, the Corporate Information Security Working Group (CISWG) on Incentives/Liability and Safe Harbors recommended specific incentives that "would result in broad, effective, and sustainable improvements in cyber security." Among proposed market-based incentives, the group identified the need for a common, generally accepted measurement tool, or a "stamp of approval" that evaluates security measures based on widely recognized best practices or standards. Also, business organizations should be encouraged to take advantage of cyber-insurance in order to provide for business continuity and financial risk management. And finally, corporations should establish programs that utilize market forces to motivate partner and user organizations to enhance cyber security practices.

The group also identified government-based incentive programs, including limited liability or safe harbor protection incentives. Likewise, economic incentives, such as tax credits for example, could prove to be highly effective by rewarding corporations that make capital investments by purchasing "certified or qualified" information security products and services.

The National Cyber Security Partnership and the associated Wye River Conference have added procurement practices and research and development investments as incentives worthy of further attention and examination. The Cyber Security Industry Alliance has been an active participant in these activities and discussions.

History tells us that private-sector driven, market-based solutions typically provide the most successful and lasting results. While many of the current requirements are mandates ("sticks"), there are very few incentives ("carrots") as companion elements that would recognize the efforts of those trying to do the right thing, or motivate others to aggressively pursue widely accepted "best practices" and solutions.

Congress and the appropriate legislative committees should immediately join with the private sector to review and consider potential incentives that could catalytically facilitate and complement current efforts to respond to this national and global challenge.

All of us are stakeholders and have a responsibility to be part of the solution. We stand willing and prepared to participate.