In Depth

Bill Boni and Ira Winkler on Insider Threats and the Death by 1,000 Cuts

Security veterans Boni and Winkler talk about protecting intellectual property from insiders and snoops.

By Derek Slater

Do you think the government is going to achieve that model of network-enabled defense, powered by information sharing?

Boni: The challenge is for us to give the government folks a chance to prove that they can really do it that way. They're all saying this—the FBI, the Secret Service, everybody. If it takes root, it will become a virtuous reinforcing circle. Once it shows payoff for people who participate and share information, a community of interest is formed. Instead of the "Gee, I'm really glad they didn't hit me" model. It has to show a meaningful benefit for active participation.

Whereas if you just write regulations that mandate the use of specific defensive technologies, it'll be the Maginot Line in cyberspace, massively obsolete by the time you get it in place. Protecting against the last threat, not the next one.

Some Fortune 500 corporate security honchos have expressed a strong sense that security, generally, is at a historic inflection point—being driven toward its fulfillment by a confluence of factors: terrorism, yes, the creation or elevation of executive positions, a sort of slow corporate awakening to the importance of risk management and security. Do you agree?

Winkler: I don't think we're at the inflection point yet, and I'll tell you why. There's a difference between should and must. Everybody says we should be secure, and managers today are saying we should be secure. The question is when are the managers going to say we must be secure?

You can go back a decade and hear people saying, "We want to be secure, we want to provide the best service to our customers, we want to secure their data and so on." But when do people actually make security a must? Citibank did after the Vladimir Levin incident. A lot of banks made security a must because they learned a little from Citibank's pain and their own. Because, let's face it, every bank loses money to computer theft; they just don't all admit it.

I don't see it until regulations or third-party liability lawsuits or something else forces people to start addressing it in the proper way. What will get companies all the way there is when government says you have to do it, or else when insurance companies say that, if you want director's and officer's insurance, you have to have an appropriate program. HIPAA, Gramm-Leach-Bliley and so forth are a start, but until I see some large-scale efforts to go beyond specific industries, I don't think we're at that inflection point yet.
