Board members warned over security shortfalls

A US national trade association for corporate executives has warned that company board members and CEOs need to pay more attention to computer security.

Companies should make information security a focus at the top levels of management and corporate strategy, rather than leaving the issue solely to technology departments, the Business Roundtable group said as part of a policy statement on digital security.

Making the issue a top-level focus would alert more companies to the dangers and costs of viruses and computer break-ins, as well as improve overall national security, the group said.

C Michael Armstrong, the chairman of Comcast and of the Roundtable's Security Task Force, said in a statement: "Because this country's critical information infrastructures are largely owned and operated by the private sector, business leaders are responsible for addressing the risks of these growing security threats. Attacks on a company in one sector can affect suppliers, partners and customers in a variety of sectors, disrupting the flow of goods and services on a regional, national or even international scale."

The call is just the latest in a long series of appeals from government, technology and corporate groups for large companies to take computer security issues more seriously.

Microsoft has made security a larger issue in the development of its software and has devoted considerable resources - including the creation of a bounty program for information leading to the arrest of virus writers - to finding and fixing flaws in its Windows operating system and other software.

Some developers have said Microsoft should nevertheless be held financially responsible for damages to companies that result from security holes in its software. They've pressed - as yet without result - for changes in product liability law that would allow lawsuits against Microsoft or other developers of buggy software.

In its series of policy statements released this week, the Business RoundTable recommended the following that boards and CEOs pay direct attention to information security as part of corporate strategy; end users, software companies and the federal government share responsibility for improving security and sharing information about threats; solutions be market-based instead of government mandates; and public disclosure of corporate security practices be voluntary.

Paul Kurtz, executive director of the Computer Security Industry Alliance, which represents security software companies, said in a statement: "The policy principles outlined by the Business Roundtable align with [our] goal to elevate information security issues to the [top executive level] and the boardroom within the business community. We believe the Roundtable has taken a critical step forward to ensure the health of information systems that support both global economy and individual businesses."