Cyber Security Industry Alliance Newsletter • Volume 2, Number 7 • March 2006

CSIA Member Spotlight

About Secure Computing Corporation

Name:  Secure Computing Corporation

President & CEO: John McNulty, president, chairman and CEO

Headquarters: San Jose, CA

Number of Employees: 650

Total Revenue: Full year 2005 revenues were $109.2 million

About Secure Computing:  Secure Computing (NASDAQ:SCUR) has been securing the connections between people and information for over 20 years. Specializing in delivering the world's strongest security appliances/firewalls, strong authentication, and content management and filtering solutions, Secure Computing is uniquely qualified to be the global security solutions provider to organizations of all sizes. Our more than 17,000 global customers in over 100 countries, supported by a worldwide network of partners, include the majority of the Dow Jones Global 50 Titans and the most prominent organizations in banking, financial services, healthcare, telecommunications, manufacturing, public utilities, education, and national and local governments. The company is headquartered in San Jose, Calif., and has offices worldwide. For more information, see


Will the Tide Finally Turn for Network Security?

Historically, competitive pressures have kept a tight rein on security spending; often driving IT security buyers to select popular solutions in lieu of more secure alternatives. Furthermore, there has also been a trend to only purchase "just enough" security because spending more on security than a competitor could reduce margins and give a competitor a possible advantage.

Much of the legislation that will have a significant impact on security buyers is driven and adopted at the state level. After California adopted SB 1386 in 2003, several other states began considering similar legislation. Since 2003, the high profile database exposures of personal information have perhaps accelerated the legislative actions of many states. Several new state laws mandate that companies provide notification of a security breech to help combat identity theft. Some state laws that were enacted in 2005 go as far as addressing how personal data can be collected and used.

Arkansas SB 1167 6/1/2005
California SB 1386 7/1/2003
Connecticut SB 650 1/1/2006
Delaware HB 116 6/28/2005
Florida HB 481 7/1/2005
Georgia SB 230 5/5/2005
Illinois HB 1633 1/1/2006
Indiana SB 503 7/1/2006
Louisiana SB 205 1/1/2006
Maine LD 1671 1/31/2006
Minnesota HF 2121 1/1/2006
Montana HB 732 3/1/2006
Nevada SB 347 10/1/2005
New Jersey A4001 1/1/2006
New York SB 5827 12/7/2005
North Carolina SB 1048 2/17/2006
North Dakota SB 2251 6/1/2005
Ohio HB 104 2/17/2006
Pennsylvania SB 712 7/1/2006
Rhode Island HB 6191 7/10/2005
Tennessee HB 2220 7/1/2005
Texas SB 122 9/1/2005
Washington SB 6403 7/24/2005

Will the adoption of new laws and regulations bring about instant change in network security? Simply put, no. While some of the more responsible organizations will quickly adapt their security policy to meet the requirements of new laws and regulations, many will unfortunately continue with business as usual. That is of course until the penalties for breeches of the regulations begin to be felt throughout the industry. Regulations by-and-of-themselves cannot change the mindset of an entire industry, but the pain of the costs for the penalties associated with those regulations will in fact change the way organizations view network security.

Reviewing a chronology of data breaches from the Privacy Rights Clearing House since the ChoicePoint breach in April of 2005, has yielded an additional 52 million people with their personal information compromised. More often then not, the breach was the result of a failure for the organization to adequately secure the information. Clearly, 2005 was a horrible year for security breaches involving personal information. Unfortunately, 2006 is not fairing much better with over 10 significant data breeches already occurring in January.

The organizations that failed to secure their networks and the data they were entrusted with are beginning to see their day in court: On January 26, 2005 the FTC announced they had reached a settlement with ChoicePoint for their data security breach in April of 2005. The total civil penalties and customer redress was stated as $15 million dollars. The financial penalties are only part of the settlement; ChoicePoint has also been ordered to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish and maintain a comprehensive information security program and to obtain audits by an independent third-party security professional every other year until 2026.

ChoicePoint is only the beginning of a long list of 50 or more organizations that may soon be the subject of litigation and civil penalty for their respective data security breaches. As word of repeated multi-million dollar penalties for improperly securing data spreads, it will ultimately be the fear of financial penalties felt in the boardroom that will finally cause the tide to turn in network security.