Bill Boni and Ira Winkler on Insider Threats and the Death by 1,000 Cuts

Security veterans Boni and Winkler talk about protecting intellectual property from insiders and snoops.

October 01, 2003 — CSO — From configuring the hardware to connecting all the stovepipes, security executives need to tune up both for light jabs and roundhouse rights. Executive Editor Derek Slater talked defensive strategy with Bill Boni and Ira Winkler.

Bill Boni is vice president and CISO of Motorola. Ira Winkler is chief security strategist for Hewlett-Packard. In separate interviews, CSO Executive Editor Derek Slater discussed with them their respective visions of what's needed to get the security practice in shape. Both advocated paying attention to the little things.

CSO: You've both mentioned "the death of a thousand cuts" as a description of what security faces today. What does that mean?

Ira Winkler: Let me give you a recent example. I was talking to somebody at a large Canadian railroad company. She said, "I'm trying to convince my boss of the need for computer security. And he has this attitude that, first of all, we're a railroad company, we're not that high-tech. And, on top of that, we're not an American company, so we're not a target that anybody really cares about."

In other words, the boss doesn't believe [his company is] going to be the target of a devastating attack. OK, let's accept that, because, quite frankly, I think all these claims of terrorism and all the FUD work against us anyway. Still, I asked if she was hit by Code Red? She said, Yes. Nimda? Yes. Slammer? Yes. Other viruses? Yes. I asked, "Do you have insiders doing things that cost you a lot of money?" She said, "Yes, we have a lot of incidents we have to investigate. We're a large company."

So I said, "Did you ever add up the costs from all of that?" She said, "No, but it would easily be in the tens of millions of dollars."

Bill [Boni] used the term "the death of a thousand cuts" a long time ago. There's a lot of little things that, when added up, would be devastating if it happened all at once. And if you would do the basic, simple things on an ongoing basis—to protect yourself against the small things that add up to a major loss in total—you'd also be preventing the mythical terrorist attacks and other large-scale events.

Bill Boni: The way I look at it is that most organizations don't have a framework for keeping track of loss, particularly intellectual property-related loss. As IP has become digital, you now face the possibility of it being misappropriated without having the loss detected. It doesn't become manifest until an engineer in your company realizes that your biggest competitors have what you were expecting to have, at the same timeand you thought you were a year ahead of them. Plus, they have lower price points because they didn't have to spend the money to develop it.