Bill Boni and Ira Winkler on Insider Threats and the Death by 1,000 Cuts

Security veterans Boni and Winkler talk about protecting intellectual property from insiders and snoops.

Page 2 of 2

Boni: You don't have metrics in most cases to measure the nature of a loss; and even if you do, how do you use them to determine controls that will be effective to prevent that loss in the future? You would almost need a prestate array: "Before we got hit, we were experiencing this many problems; and after we implemented this fix, that number was reduced by this much...." But there are a lot of variables in play at the same time. It's very complex.

I spend a lot of my time understanding what people are doing anecdotally, looking at documents, reports from vendors, articles in periodicals such as CSO. I'm also on a number of mailing lists. What I'm looking for is what's actually happening, what's the experience of my trusted colleagues. Information security is still too much of an arcane art right now and not enough science. We're trying to develop the Six Sigma methodology for IS. I think, over time, that kind of process will give us a better basis for having discussions with corporate management. Now you're starting to see that, for example, if you're rolling up your enterprise antivirus stats. Same with vulnerability tools, if you're rolling those up across your company. Then you can say to management, "Here's our starting position, and our goal is to reduce those incidents by an order of magnitude," and being able to report back later: "Here's our result, here's our goal, here's the variance, and here's how we explain the variance."

The CEO's team will always say "give me the data." Because when you're talking to the CFO, for example, the whole nature of managing business is measuring risk versus potential reward. But my more technical-minded brethren tend to see things as binary.

You've been involved in security for many years. From where you sit, what's the state of infosec today? Better? Worse?

Boni: I think it's getting better, but at the same time more complicated and challenging. Once upon a time, a good security program was an array of technology safeguards. Increasingly, the value add is how to enable the business by strategic application of technologies or functionality—facilitating alliances and partnerships, for example. The technical foundation is not eliminated; it's table stakes. But now the infosec pro has to move into the realm of understanding that what [business executives] want is, of course, to be able to do the new business or the product or the approach. And the security pro can't respond, "That's never going to fly, never ever." Instead, you have to start with, "OK, there are risks, and here are some approaches to managing the risks. Here's the decision matrix, and here's my recommendation." It's more like, "Here's your menu of options, and would you like fries with that?"

Care to hazard a guess as to how many information security people understand that concept?

Boni: Well, a manager-level employee may not be personally equipped to have that dialogue or may not be organizationally well placed [for it]. You can pretty much track the maturity of the security program, typically, by its placement within the company. As we see more CISOs put in place, that's becoming part and parcel of how they interact with upper management.

It seems like a race to see whether a critical mass of companies can reach that level of maturity before regulation becomes a necessity. The Department of Homeland Security has expressed a preference against regulation and is in favor of public-private partnerships. The DHS is counting on the private sector getting its cybersecurity in order out of something like enlightened self-interest.

Boni: I attended a meeting where Tom Ridge and key DHS staff came to speak, and there was some very pointed questioning by attendees and a certain amount of private-sector skepticism. But my sense is that Ridge understands that. And [partnership] is the right way to approach it. They're talking about maybe assigning Secret Service agents to banks and big brokerages to help interpret laws and regulations, so there's nobody who accidentally handles things the wrong way due to a lack of understanding. They'd take the posture that, "We're here from the government to help you, be a copilot, help interpret our mind-numbing array of existing regulations." But also to help disseminate information and analysis and provide reports to the security officers; for example, "Here's a scam we've seen, and here's how it works." Bingo. That's the kind of information I want as a private-sector employee. I'm happier if we can use our understanding of criminal mechanisms to prevent cybercrime, not just penalize wrongdoers after the fact. Let's turn government into a learning organization.

That is the analog to the cyberunderground mechanism that shares information: "Hey, this is how this exploit works, let's add something and go hack someone!" The Rand Corp. [an independent think tank] has a study called "The Advent of Netwar" [available at www.rand.org/publications/MR/MR789] that's an excellent study of that kind of network-model, loose organization. The more traditional model in government is to send all the information to the center point and then sit back and expect them to be the ones who act. Hierarchies like that are at a tremendous disadvantage versus a network-model group of attackers. So let's build a network-enabled group of defenders. Information-sharing from point to point as well as point to center has great potential and is going to be required to have an effective societal response to cybercrime or terrorism. Community policing in cyberspace.

Do you think the government is going to achieve that model of network-enabled defense, powered by information sharing?

Boni: The challenge is for us to give the government folks a chance to prove that they can really do it that way. They're all saying this—the FBI, the Secret Service, everybody. If it takes root, it will become a virtuous reinforcing circle. Once it shows payoff for people who participate and share information, a community of interest is formed. Instead of the "Gee, I'm really glad they didn't hit me" model. It has to show a meaningful benefit for active participation.

Whereas if you just write regulations that mandate the use of specific defensive technologies, it'll be the Maginot Line in cyberspace, massively obsolete by the time you get it in place. Protecting against the last threat, not the next one.

Some Fortune 500 corporate security honchos have expressed a strong sense that security, generally, is at a historic inflection point—being driven toward its fulfillment by a confluence of factors: terrorism, yes, the creation or elevation of executive positions, a sort of slow corporate awakening to the importance of risk management and security. Do you agree?

Winkler: I don't think we're at the inflection point yet, and I'll tell you why. There's a difference between should and must. Everybody says we should be secure, and managers today are saying we should be secure. The question is when are the managers going to say we must be secure?

You can go back a decade and hear people saying, "We want to be secure, we want to provide the best service to our customers, we want to secure their data and so on." But when do people actually make security a must? Citibank did after the Vladimir Levin incident. A lot of banks made security a must because they learned a little from Citibank's pain and their own. Because, let's face it, every bank loses money to computer theft; they just don't all admit it.

I don't see it until regulations or third-party liability lawsuits or something else forces people to start addressing it in the proper way. What will get companies all the way there is when government says you have to do it, or else when insurance companies say that, if you want director's and officer's insurance, you have to have an appropriate program. HIPAA, Gramm-Leach-Bliley and so forth are a start, but until I see some large-scale efforts to go beyond specific industries, I don't think we're at that inflection point yet.


Copyright © 2003 IDG Communications, Inc.
