This is the second in a series of interviews with C-level executives responsible for cyber security and privacy in business and government, who also happen to be thought leaders. (In case you haven't noticed, "C-level executive" and "thought leader" are not synonyms.)
In this issue, I discuss a range of issues, from intellectual property (IP) theft and economic espionage to the rise of social media and the challenges of governance, with Christopher Burgess, Chief Operating Officer and Chief Security Officer at Atigeo, LLC.
Prior to Atigeo, Burgess was Senior Security Advisor to the Chief Security Officer (CSO) at Cisco. Before his run at Cisco, Burgess served for thirty years as a senior national security executive for the government of the United States, living and working in strategic regions throughout the world.
Oh yes, and in 2008, Burgess and I co-authored Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century (ISBN: 978-1-59749-255-3).
Richard Power: It has been four years since the publication of Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century (ISBN: 978-1-59749-255-3). Give us your perspective on where we are in terms of corporations and security professionals coming to grips with the threat of economic espionage and IP theft? Mine are mostly unprintable at this point. Any progress in general?
Christopher Burgess: Thank you Richard, it's a pleasure to talk with you again. I have been blessed with being amidst those who are at the vanguard of evolving new security processes and solutions and not having been placed in a position where I was facing "but it's not the way we do it" scenarios.
My 30,000-foot perspective has not changed since we co-authored Secrets Stolen, Fortunes Lost — every company (emphasis intended) regardless of locale has the potential to fall into the sights of an entity or individual who has designs on their assets. The company can choose to educate or not educate their workforce to this reality.
Sadly, I continue to see far too many companies operating as if they are immune from falling into the cross-hairs of someone's targeting scheme because they aren't engaged in national security work — they equate economic espionage and IP theft to only those in the national security vertical. While I don't disagree the nation state vector is one about which we, collectively, must pay attention, the individual, the competitor and the criminal vectors also warrant every company's attention.
Likewise, far too many companies are not making their whole workforce security and threat aware. Companies are in essence, whether they intend to or not, selecting whom they believe will be targeted by an adversary based on the assumption that certain employees' work wouldn't be of interest.
Power: Any increase in the level of awareness?
Burgess: I'd like to say yes, but as I just said, attempting to select-out for training only those who you believe are in positions of interest to an adversary is a fallacy. That is not to say that those in highly sensitive positions, i.e., with daily access to a company's financials or critical IP (think Coca Cola recipe) should not be afforded additional training and undergo more stringent security reviews on an aperiodic schedule. They absolutely should.
Sadly, we are repeatedly shown that safety, security and cyber-security training are not being provided in a robust and uniform manner. Let's take for example the findings of the Price Waterhouse Coopers survey of the financial industry conducted a few months back (Cybercrime: protecting against the growing threat — Global Economic Crime Survey, November 2011). This global survey showed two in five (about 40 percent) had not received any cyber security training; that those companies with the best security posture were those who had the CEO invested and leading and top-down training (i.e. CEO is included). There is still much work to do in this arena.
Power: Any shift in emphasis that would imply potential targets are taking this particular threat more seriously?
Burgess: Clearly those in the security industry have seen members of their industry family take a few body blows as their source code or other crown jewels go missing. The security industry always knew (or should have) they were the prime targets; now they have validation that the size of the bulls-eye they are wearing is substantial.
Those companies engaged in the national infrastructure have also received a wake-up call, and now you see and read more about how SCADA (supervisory control and data acquisition) systems are being targeted and exploited. Regardless of industry, I'll stand by my prior statement: "Potential targets are your employees. Your company is a potential target. Size does not matter."
Power: Or any wider acceptance of our premise that to mitigate this threat the overall approach to security from cyber to physical (and back again) has to be holistic?
Burgess: I was discussing this point with some attendees at the New Digital Economics conference (San Francisco, March 2011) as to how the adversary has all the time they require to scope their problem set, do their analysis, put together their attack plan and then execute. You as the target have to be ready all the time, even when it's inconvenient. The adversary is waiting for you to allow convenience to trump security, and then they take advantage of the window of opportunity you're availing to them.
I also note that companies are buried in their data. They have structured data, unstructured data and are trying to make sense of it all and frankly are often simply overwhelmed. Their inability to maximize the "big data" sitting under their roof, I believe, is to a potential adversary's advantage.
Power: Social media has evolved at a mind-boggling pace, and it has already had a profound impact on politics, geopolitics, culture, media, etc. and this profound impact is on a global scale. For me, Facebook and Twitter are proven to be fascinating laboratories. With social media, the personal and the professional are increasingly entwined, and this entwining has presented us all with unprecedented challenges and opportunities personally and professionally. I know you have taken a deep long look at this subject. What are the essential elements of a practical, effective social media policy for major corporations?
Burgess: I'll stick to three key ingredients:
- All inclusive — 100 percent of the work force needs to be aware
- Purpose of the guidelines — why these guidelines exist — to protect the employee, employer, partners and customers.
- Dynamic — guidelines are not once and done, they are living documents that need to be updated on a regular cadence.
Power: What do you look for in such programs?
Burgess: I want to know whether or not the program has expunged NO, and replaced it with HOW accompanied by a WHY. Rarely do we see employees willingly auger-in their company. But employees do auger-in their company because they didn't know why certain information should not have been availed during a period of embargo, or they are told that they can't use any of the social networks, but aren't told the why behind the request and in their attempt to get their tasks completed find a work-around.
Power: Anything else you would like to say about the security, privacy and risk issues involved in the rise of social media?
Burgess: Social Media has provided lift to the competitive intelligence industry, like sliced-bread did to bakeries. I continue to be amazed at the willingness of individuals to over-share about their personal lives, their professional lives and their companies.
Power: You had a long and distinguished career in national security, working for the U.S. Central Intelligence Agency for thirty years, and after that you spent several years working on global security issues at the highest levels of an industry-shaping corporation, a giant of the IT sector, working both internally and with that corporation's partners.
So I would like to hear your perspective on where governance is in regard to cyber security, privacy and risk in the private sector. As with the first question, at this point, my views are unprintable, except that I will say the concept of ROI for cyber security is wrong-headed and mind-killing, and that I doubt any true evolution toward holistic cyber security is possible in a business environment in which the ONLY criteria for executive decisions is the next quarterly profit and loss statement. Perhaps you can offer something more positive?
Burgess: You have me chuckling. Top-down implementation of security protocol in every company has become table-stakes. If a company's leadership isn't interested in baking security, privacy and risk factors into all of their efforts, then frankly I believe they are limiting their ability to compete in today's society, and are going to find that their competitors who do will use this differentiation to their advantage.
Let's look at privacy. The aforementioned is truly applicable if they are in an industry where they are dealing with individuals' personal data. They need to move off the mind-set that the data is theirs; it's about the individual's data — the individual needs the explicit ability in easily understandable terms to make a decision on how and when their personal data may be used.
With respect to security, there are two facets I consider low hanging fruit in tightening up one's regime:
1) educate your workforce and
2) update your appliances/software when the manufacturer provides you patches.
The former raises the level of awareness throughout the company, the latter closes known avenues of exploitation.
Though we have been at this a long time, I continue to believe we are at the beginning of a very long journey, that 2011 had the warning bell being tolled many times, such as RSA and Symantec, and these have served to wake up the security industry.
Power: Before we run out of time, tell us about Atigeo. What is your role?
Burgess: I wear two hats at Atigeo, that of the Chief Operating Officer and also the Chief Security Officer. As you can imagine, in addition to day-to-day operations, I am also responsible for our security, privacy and compliance initiatives. I'm blessed with a CEO who has put security and privacy front and center throughout the company.
Power: What is the nature of the research that has been conducted?
Burgess: Atigeo has been focused on creating a semantic platform to allow understanding of very large data sets — that platform is called xPatterns. xPatterns is a contextual semantic search platform which learns, operates with all data sets as it is data agnostic (unstructured or structured or both) and has global applicability as it is linguistically agnostic.
Power: What has been developed from it?
Burgess: Perhaps one of the most important points is the architecture has been designed to deal with the truly large data sets. We believe our architecture will allow us to deal with data sets in the exabyte size.
Allow me to highlight two: The first is our Computer Assisted Coding work within the healthcare arena. Our solution addresses the transition, successfully, from ICD-9 (44,000 codes) to ICD-10 (155,000 codes), which is on the horizon for the US healthcare industry. A solution that reduces time required per electronic medical record, and does so with a high level of precision. We also see our solution providing the needed lift to healthcare providers as the gen-X bubble puts continually increasing demand on industry to provide medical services.
Following the CAC solution, we expect to bring xPatterns solutions to other areas of the healthcare sector, to include medical research and clinical aide — where access and understanding of available data is so instrumental to success.
The second is our Lifepass personal data platform, which is designed to serve relevant, personalized information to the consumer while protecting their privacy in an explicit and implicit manner. Lifepass enables enterprises and users to control, protect and gain value from their data.
Power: What is "compassionate technology"?
Burgess: Our xPatterns platform provides us the opportunity to focus our technology on those areas in which we, at Atigeo, believe we can provide positive impact. Our initial efforts are within the healthcare and consumer sectors and are indicative of our approach.
xPatterns' use within health care will shave man-years off processes, research, and ultimately, we believe, evolve to better patient outcomes. Our approach to the consumer market is by putting the individual in control of their personal data and thus adjusting the existing paradigm. As I noted just a moment ago, the protection of the consumer's privacy is baked into the solution.