"Partnership is absolutely essential" between the public and private sectors, he said.
CSIA was created in April 2003 to ensure that risks to the national information infrastructure are appropriately managed. That means making sure that security measures are not just in place, but are working properly and doing what they're supposed to do, Marsh said.
"Information risk management is not about using the latest antivirus or firewall products," he said. They will help but they're not the only solution, he explained.
Risk assurance has to start with the governance and culture of an organization, Marsh said. It requires countermeasures, incident response plans, understanding threats, and risk analysis.
CSIA works with a variety of government agencies including the National High Tech Crime Unit, he said. In its work with the private sector, it's encouraging organizations in particular sectors to work together to address threats. He added, "Information risks must be addressed at the board level."
Marsh described several government cybersecurity efforts, including GIPSI, a national assurance products and services expert panel. He said it provides a way to get more assured products out to both the public and private sectors. The new Government Secure Intranet, introduced in March, has more than 140 connected organizations and approximately 300,000 users, he said.