The ISA History of Thought Leadership, Advocacy, Programs and Success

Since our founding in 2001 by Carnegie Mellon University and others, ISA has stayed in the forefront of thought leadership, creating and operating programs designed to enhance our nation’s cybersecurity. How can we do it? We have the best people as our members. ISA members represent the wisdom and the experience of the best cybersecurity professionals. Together, we have written the books, the papers and initiated the programs that are the ground-breaking edge of cyber security.


Historic Highlights Through The Years

2020 – ISA and the National Association of Corporate Directors publish an updated version of the cyber risk handbook for boards of directors, The Cyber-Risk Oversight 2020 Handbook.

2019 – ISA publishes cyber-risk handbooks for boards of directors in Latin America, Japan and Europe.

2018 – ISA publishes international cyber-risk handbooks for boards of directors in the United Kingdom and Germany. The handbooks were developed in conjunction with AIG and the German government’s Federal Office of Information Security (BSI).

2017 – ISA and the National Association of Corporate Directors publish an updated version of the “Cyber-Risk Oversight Handbook,” which receives unprecedented endorsement from the Department of Justice and the Department of Homeland Security.

2016 – ISA publishes “The Cybersecurity Social Contract: Implementing a Market-Based Model for Cybersecurity” as a policy guide for the incoming administration and Congress. Written by our members, the book is circulated at the Republican National Convention in Cleveland, where ISA is the only trade association to participate in cybersecurity briefings.

ISA holds a well-attended conference timed to our 15th anniversary featuring speakers from the administration and Capitol Hill to launch the book and the policy suggestions contained in it.

The President’s Commission on Enhancing National Cybersecurity adopts all 12 of ISA’s major recommendations from the book.

PricewaterhouseCoopers’s annual Global Information Security Survey (pdf) cites the ISA-NACD “Cyber-Risk Oversight Handbook” by name for having a substantial impact on how corporate boards address cybersecurity.

2015—Congress passes and the president signs the Cybersecurity Act of 2015, which adopts the ISA recommendation of extending liability protection to companies seeking to share cyber threat information.

2014—The NIST Cybersecurity Framework version 1.0 is published, with the ISA at the forefront of shaping its final form. This year we also collaborate with the National Association of Corporate Directors to produce the first “Cyber-Risk Oversight Handbook,” which receives endorsement from the Department of Homeland Security.

2013—As directed by Executive Order 13636, the National Institute of Standards and Technology publishes a draft outline of the Cybersecurity Framework. The very first source cited in the draft report is the ISA’s 2008 publication “Financial Management of Cyber Risk.” Fidelity Investments announces it will use the same publication as core material for its fall conference for chief information security officers and CEOs. This year, the ISA board also authors “The Advanced Persistent Threat: Practical Controls that Small and Medium-Sized Business Leaders Should Consider Implementing,” a real-world guide for improving cybersecurity.

2012—The Senate rejects the Collins-Lieberman cybersecurity bill, which would have modeled cybersecurity on Sarbanes-Oxley. ISA worked diligently in the halls of Congress to educate members on the dangers posed by this approach.

2011—The House Republican Cybersecurity Task Force (pdf) adopts the core ISA policy position that Congress should create a “menu of market incentives tied to the voluntary adoption of cyber security measures,” language taken verbatim from ISA’s “Social Contract” and “Social Contract 2.0” as well as from ISA congressional testimonies.

A coalition of five industry and civil liberties groups led by the ISA, including the U.S. Chamber of Commerce, TechAmerica, the Business Software Alliance (BSA), and Center for Democracy and Technology (CDT), all adopt a set of recommendations similar to the Cybersecurity Social Contract.

ISA holds a 10th Anniversary conference and Homeland Security Secretary Janet Napolitano keynotes.

2010—ISA publishes the “Social Contract 2.0,” which follows up on the 2008 document by providing an outline for implementing the president’s market incentive recommendations.

2009—ISA’s “Cyber Security Social Contract” is the first and most frequently cited source in the administration’s 60-day Cyberspace Policy Review. The executive summary of this National Security Council staff-authored official report begins and ends by citing the “Social Contract.” And, like the “Social Contract,” it urges the government to look into the development of market incentives as a means to advance cybersecurity.

2008—ISA publishes its watershed “Cyber Security Social Contract,” a set of policy recommendations for the incoming Obama administration and the new Congress. The document formulates the ISA’s belief that market incentives, not centralized government regulations, are the key to spurring private sector investment in cybersecurity.

In conjunction with the American National Standards Institute, ISA publishes “The Financial Impact of Cyber Risk: 50 Questions every CFO Should Ask,” one of the earliest documents to frame cybersecurity with a risk-management lens for a business audience. The document guides chief financial officers through targeted questions to ask key corporate departments, such as legal, compliance, external communications and business operations.

Former Rep. David McCurdy, the first director of the Internet Security Alliance

2005—ISA chairs the congressionally appointed Cross Sector Cyber Security Working Group Committee, which focuses on the use of market incentives, rather than regulation, as the way to improve private sector cybersecurity.

2003—ISA creates its first set of best practices guides to combat insider threats, long before insiders were a well-appreciated risk.

2001—The Internet Security Alliance is founded in collaboration with Carnegie Mellon University as a unique, multi-sector international trade association that combines the thought leadership of a think tank with advocacy and the programs of a professional association.