In Depth

Bill Boni and Ira Winkler on Insider Threats and the Death by 1,000 Cuts

Security veterans Boni and Winkler talk about protecting intellectual property from insiders and snoops.

By Derek Slater

Page 4

Winkler: Defense in Depth is actually a Department of Defense concept. The DoD has been using it for a long time. Most people start thinking of defense at the perimeter, but Defense in Depth [advocates] treat each piece of the network as its own. It's not a new term, but it's getting more publicity as more defense people end up in private industry. It's a darn good term.

If you adopt Defense in Depth, you eliminate the debate about which constitutes the bigger threat—internal or external breaches—which seems like a pointless question anyway.

Winkler: At one level, it's pointless, because I've always said threat is irrelevant. It's irrelevant whether they're a teenager, an insider or an outsider—someone is going to try to get you. But different threats do have different levels of resources they can throw at you. Teen hackers may scan your website for a while, and then maybe they make a phone call to try some social engineering. But then they go away. However, if you are a [financial sector] company, you are also potentially threatened by outsiders who want to steal money. And if you're talking about, potentially, more organized criminals or competitors, they will get a job inside your company or, more likely, recruit someone who's already inside to steal information for them. So you have to do Defense in Depth.

Back to the money question. We have written several articles saying that CSOs need to do a better job quantifying the cost of a breach, return on security investments (ROSI) and so on. Donn Parker, of SRI International fame, wrote in to say that that's the wrong approach; it's really about due diligence. A lot of people say you can't calculate ROSI. Is it a red herring?

Winkler: There's a big difference between due diligence and security. Due diligence says I might suffer a loss, but nobody can sue me for it. Security, instead, needs to be approached from the standpoint of balancing my risk. If there was some great standard out there, some good laws that said here's what you must do specifically in terms of information security, then taking a due diligence approach might be acceptable.

But if I'm a good security person, I have more to worry about than just preventing a lawsuit; I'm supposed to supply a good cost-benefit to my company. I need to keep it not only out of court, but profitable. I would argue that, theoretically, Enron might have done due diligence, but we all know where it ended up. Due diligence basically says that as long as your CEO can't be sued if the company goes bankrupt, you're fine.
