by Gary Beach

Certifying Your Organization’s Security

Apr 01, 2003

A few months ago, I sat around a breakfast table with the CEOs of several security organizations. Joining us was Richard Clarke, then the cybersecurity czar for the White House.

After Clarke’s comments, the business executives peppered him with questions. One caught my attention: How could the industry create an event similar to Y2K that would encourage CIOs to invest in security products?

I proposed an idea. Let’s create the IT security equivalent of the well-known Underwriters Laboratories. We can call it Security Underwriters Laboratories. With eyebrows raised, several at the table thought the idea had merit.

During the following weeks, I talked about the idea with CIOs, CSOs and the management team at Underwriters Laboratories. Here’s what we propose to create:

The Security Underwriters Laboratories (SUL) would be set up as a nonprofit organization funded by end user companies, not vendors. The goal would be to certify that a business has governance policies and technical infrastructure procedures in place to make that business a more secure company. Upon getting certification, a business would earn an SUL medallion that would last for three years.

Yes, there are standards such as ISO 17799 already in place. But many people I spoke with claimed the process to apply for and earn that standard is too complicated and takes too much time. Something simpler is needed.

One CIO who works for an insurance company posed an interesting possibility. Might the insurance industry write lower premiums for companies with SUL accreditation? The jury is still out on that. Another IT executive employed by a large financial services company suggested SUL accreditation levels should be allocated like Standard & Poor’s ratings. A “triple A” SUL medallion would be higher than a “double A” and so on.

If SUL is to become a reality, ongoing operational budgets must be supported by fees from businesses seeking accreditation. Most people I spoke with felt security vendors could play an important role early on by getting SUL off the ground. But after that, vendors should recede to the sidelines.

What’s your take? Could SUL become a reality? Do you see value in such an approach? Send me your comments, and I will use them in an upcoming column.