Geer: Risk Management Should Change the Future

Information security pioneer Dan Geer reflects on the past, and looks toward the future of risk management

"The dean of the security deep thinkers," "security luminary," and "risk-management pioneer" are all phrases that have been used to describe Dan Geer. Considered one of the foremost leaders in information security, his resume includes time as president and chief scientist at Verdasys Inc., a critical role in Project Athena at MIT, and a now-famous firing from @Stake for co-writing a paper warning that a Microsoft monoculture threatened national security.

These days Geer, a 2009 CSO Compass Award winner, is CISO with In-Q-Tel, a non-profit venture capital firm that invests in security technology in support of the intelligence community. Geer recently spoke with CSO and explained why, despite all he has accomplished in his past, his sights are still set toward the future of security.

Let's start by discussing some of the work you are doing now with In-Q-Tel. What is In-Q-Tel's mission?

The idea is we invest as a strategic investor as opposed to a financial investor in small firms whose products look like they would be of some real use to the intelligence community. For a financial investor, strategic would be: If I put money in, will I get more money out? For us, it is: If I put money in, will I get more product out? It is a different kettle of fish.

The entrepreneurs of the world remain the place where innovation tends to come from and quite often where there is innovation you might not otherwise ever hear of. Sure, there are big firms that do innovations. But on the other hand, in the technology sphere, lots of little companies don't make it for whatever reason, yet what they have thought of is well worth investment.

We do not keep companies alive for no other purpose than having them sell to the intelligence community. But we do say there are lots of little firms whose ability, for example, to cope with what it takes to sell to the government, is either limited or deferred to a later date when they might be bigger. And we do something about that.

If there is a return on the money we make, it just goes back in the pool. There are no stockholders in the traditional sense.

Is it easier to operate in this economy with that model? As a strategic investor as opposed to a financial investor?

I think it is. Inasmuch as what we are looking for is not all that related to how the banks are doing. We don't throw money away. So if a company is just not going to make it because, for whatever reason, their market is going to be delayed three years and they won't be there by then, then of course we pay attention. It has to be a going concern and something that has a commercial future irrespective of the intelligence community. But what we try and do is make it possible for them to add to their product mix in a way they might not otherwise be able to do. So, I think this is actually a fabulous time to be doing this.

You've had a storied career in information security. What prompted you to go in this direction now?

Well, I'm not a spring chicken anymore. I'm not yet old, but one begins to think of what do you want to have done by the time you are done, so to speak. Government service was always something I wanted to do. It was something I thought I should do.

Also, this is the second time I've had a chance to do it, and this time it is working out, whereas the first time it did not. 20 years ago I was running Project Athena at MIT. That's ancient history now and not altogether relevant because nothing we did then looks remarkable now at all. In some sense that is the greatest compliment of all because everybody absorbed it. But at that time I was in a university environment and we were grant supported by the commercial sector, in this case largely by IBM and Digital Equipment, but also by some others.

It became clear it was time to stop doing research and instead commercialize some of it, or allow the advances that had been made to be absorbed by the university and see where they lead. At that point I went to work for Digital in what was called external research, the grant giving arm. I wanted to work for the grant side because it occurred to me that moving from the grantee to the grantor would be good for me and good for it because it is beneficial to know what both sides of the table look like.

But my timing, it turned out, was poor. That was about the time that Digital collapsed. I went on to other things.

Does your interest in government service and the work you are doing now have an altruistic motive behind it?

I'd rather voluntarily give the government something like my time than involuntarily something like my taxes. But I did want to do something for the common good. I think a lot of the teams I've worked on in the past have been able to do a common good. But, yes, I did want to do something altruistic here.

For structural reasons there are some things that government does well and some things it cannot do well. For similar sorts of reasons, the private sector has a set of things it can and can't do well. I'm getting to stand in the boundary between the two and, in effect, pass back and forth the things that each of them does well to the other side of that fence where that thing can be done well. Such as choosing good investments on the one hand and being innovative on the other.

As such a well-known figure in the information security field, does your reputation precede you now?

I never stop to ask. Folks who rest on their laurels end up staying in the past somehow. I once read a book by Dan Borge called "The Book of Risk." In it, he said something that I absorbed completely. That is that the purpose of risk management is to change the future, not to explain the past.

How good of a job would you say risk professionals are doing now at changing the future?

I think there has been a lot of progress. But the difference is that information security is on a different clock than, say, quality assurance in a car factory.

One of my great-grandfathers was a cabinet maker. He spent his whole life getting better at what he did. And by the end, his stuff was really quite remarkable. But the world we live in now is one where the rate of change is so great it is hard to develop a skilled craft because by the time you do, the problem set has moved on.

I think information security is quite possibly the most intellectually challenging profession on the planet. For the reason that what was true yesterday may not be tomorrow. In information security in particular, the rising fraction of R&D that is done by the opposition, and is funded by the opposition by its own revenue, is quite fascinating and makes things very difficult. At the same time, have we made progress? Sure. But the challenging aspect to this continues to be this rate of change and the degree to which you need to be on your toes all the time.

Copyright © 2009 IDG Communications, Inc.