In Depth
Bill Boni and Ira Winkler on Insider Threats and the Death by 1,000 Cuts
Security veterans Boni and Winkler talk about protecting intellectual property from insiders and snoops.
By Derek Slater
Unfortunately, better patching alone won't make information security work. Looking over the PricewaterhouseCoopers global survey results (see "The State of IT Security 2003"), the only clear conclusion is that corporate infosec is a mess. There's a bizarre lack of correlation between spending and efficacy, for example.
Boni: You don't have metrics in most cases to measure the nature of a loss; and even if you do, how do you use them to determine controls that will be effective to prevent that loss in the future? You would almost need a prestate array: "Before we got hit, we were experiencing this many problems; and after we implemented this fix, that number was reduced by this much...." But there are a lot of variables in play at the same time. It's very complex.
I spend a lot of my time understanding what people are doing anecdotally, looking at documents, reports from vendors, articles in periodicals such as CSO. I'm also on a number of mailing lists. What I'm looking for is what's actually happening, what's the experience of my trusted colleagues. Information security is still too much of an arcane art right now and not enough science. We're trying to develop the Six Sigma methodology for IS. I think, over time, that kind of process will give us a better basis for having discussions with corporate management. Now you're starting to see that, for example, if you're rolling up your enterprise antivirus stats. Same with vulnerability tools, if you're rolling those up across your company. Then you can say to management, "Here's our starting position, and our goal is to reduce those incidents by an order of magnitude," and later you can report back: "Here's our result, here's our goal, here's the variance, and here's how we explain the variance."
The CEO's team will always say "give me the data." Because when you're talking to the CFO, for example, the whole nature of managing business is measuring risk versus potential reward. But my more technical-minded brethren tend to see things as binary.
You've been involved in security for many years. From where you sit, what's the state of infosec today? Better? Worse?
Boni: I think it's getting better, but at the same time more complicated and challenging. Once upon a time, a good security program was an array of technology safeguards. Increasingly, the value add is how to enable the business by strategic application of technologies or functionality—facilitating alliances and partnerships, for example. The technical foundation is not eliminated; it's table stakes. But now the infosec pro has to move into the realm of understanding that what [business executives] want is, of course, to be able to do the new business or the product or the approach. And the security pro can't respond, "That's never going to fly, never ever." Instead, you have to start with, "OK, there are risks, and here are some approaches to managing the risks. Here's the decision matrix, and here's my recommendation." It's more like, "Here's your menu of options, and would you like fries with that?"