[ISN] Industry group draws scrutiny

InfoSec News isn at c4i.org
Mon Apr 11 05:25:37 EDT 2005


By David Perera
April. 8, 2005 

Government officials last week scaled back their involvement in a
newly formed public/private council of security officers amid
controversy about the appearance that a select group of vendors could
have undue influence on public policy.

O'Keeffe and Co., an Alexandria, Va.-based public relations and
marketing agency, spearheaded development of the Chief Information
Security Officers (CISO) Exchange as a forum for discussions between
government officials and industry executives. Full industry membership
costs $75,000.

Backers have used the participation of Rep. Tom Davis (R-Va.),
chairman of the House Government Reform Committee, and the CIO
Council's sponsorship as selling points in materials aimed at
soliciting industry members.

"It seems as if all you're doing is selling access to Congress," said
Mark Amtower, a partner at Amtower and Co.

Davis' association with the organization changed late last week when
his spokesman, David Marin, announced that the congressman would
withdraw from the exchange in any official capacity. A photograph of
Davis, which had been in the advisory board section of the CISO
Exchange Web site, was taken down April 7.

CIO Council officials are also "reviewing the proposed structure of
that forum to ensure that it is accessible and is consistent with open
access to federal resources," said Dan Matthews, the council's vice

While observers praise the concept of a CISO Exchange in the hopes of
raising the visibility of cyber-security issues, the controversy
swirling around the change has instead raised questions about similar
organizations and the appropriateness of holding events for government
officials that industry representatives pay to attend. Scores of
companies organize a wide variety of events, including
101Communications' FCW Media Group, which owns Federal Computer Week.

Like its competitors, FCW Media Group hosts a series of events, such
as the Government CIO Summit. Much of the controversy around the CISO
Exchange, however, stems from the perception of an inappropriate link
between the group's paying members and government policy-makers.

Steve O'Keeffe, executive director of the CISO Exchange and the
principal of O'Keeffe and Co., said the group's members would publish
an annual report on federal information security priorities and
operational issues and would host an annual awards dinner on the
evening that Davis announces the latest federal computer security
report card grades.

Industry observers say the issue is the annual report on federal
priorities. Given the involvement of senior members of Davis' staff
and the CIO Council, the group's report could be perceived as
representing government policy.

CISO Exchange publicity had listed Melissa Wojciak, staff director for
the House Government Reform Committee, and Vance Hitch, the Justice
Department's CIO and the CIO Council's privacy and security liaison,
as co-chairing the group's advisory board. The board will select the
annual report's topics. To "contribute in the development" of that
report, industry participants were invited to pay $25,000 or $75,000,
according to CISO Exchange materials. Some industry sources have
worried that with Wojciak, Hitch and federal CISOs' names attached,
the report would carry official weight.

Marin said Wojciak will continue to informally participate in the
exchange, but Davis "wants to make absolutely sure that no one infers
that the committee's name or resources are being used to support a
commercial endeavor or that the committee's role will imply that any
work product produced will somehow have the committee's imprimatur on
it. Nor does he want any would-be sponsor to believe that sponsoring
the exchange means they will have an inside track to him or committee

"If in fact you cannot contribute [to the report] or participate
without being a sponsor, then that would be a cause for concern," said
Amit Yoran, formerly director of the Homeland Security Department's
Cyber Security Division. "It sounds like it's unclear whether or not
that's the case."

The exchange "represents a new model in public/private interaction and
collaboration, and we are very proud of the construct," O'Keeffe said.  
When asked about the necessity of paying to be able to contribute to
the report, he said, "I have not made it an exclusive situation."

The Exchange's structure consists of a two advisory board co-chairs,
six federal executives - mostly CISOs - and six system integrator
company representatives, who must each pay $75,000 apiece. The board
selectes the topics of annual report on federal information security

Industry officials can pay $25,000 to join at a lesser level and
"contribute in [the] development" of the annual report, but not sit on
the board. In the third and least expensive level of industry
participation is at $5,000, for which industry officials can
participate in a lottery to attend quarterly CISO Exchange events and
but cannot play a role in the report's development.

The money will be used to pay for expenses of the exchange's quarterly
events and preparation of the annual report, O’Keeffe said. His
company will charge by the hour for CISO Exchange support.

Industry participants at the $5,000 level will also be able to
contribute to the report, he said.

The group's publicity has also included a quote from Hitch stating
that "agency CIOs will require their CISOs to attend the CISO Exchange
full program meetings." That quote was wrongly phrased, O'Keeffe said.  
"This quote should have read 'ask' their CISOs to attend," he said.  
Hitch could not be reached for comment.

Controversy surrounding the program has been around since Davis
announced its creation in February.

"I would have been happier if this had come about through a nonprofit
that was open to everyone," said Thomas Hewitt, a member of the board
of directors at Sigaba, an information security management company. "I
absolutely applaud the founders for creating the CISO Exchange."  
However, "access to government employees should be available to all
people, not just those with a large budget."

"If this was a group driven by industry and run by industry," there
would be no problem with the arrangement, one industry source said.  
"But when the chairman is the staff director of the full Government
Reform Committee, it gives it a different level of credibility and

Paul Kurtz, executive director of the Cyber Security Industry
Alliance, said he's in a wait-and-see mode. "I'd like to learn more
from Congressman Davis' staff as to what their roles are going to be,"  
he said. Efforts to raise the profile of information security should
be welcomed, "but the devil's in the details," he added.

Don Upson, formerly Virginia's secretary of technology, who helped
conceptualize the CISO Exchange, said industry officials who feel shut
out by the steep prices of the CISO Exchange are always free to
contact participating government officials directly.

Money collected through the exchange is unlikely to yield a profit, he
added. Upson said he's involved in the exchange "because it's the
right thing to do, because I'm passionate about what this technology
and management can do, and because I have been for 27 years."

O'Keefe defended the CISO Exchange as being no different than other
private sector events featuring government speakers.

More information about the ISN mailing list