CSO Compass Awards 2010: Leslie Lambert

Former CISO, Sun Microsystems

With almost 30 years' experience in information technology, Leslie K. Lambert has made her mark by adhering to an ethos of using technology in a responsible manner. Well steeped in the culture of Sun Microsystems, she has long been a champion of transparency and individuality. A respected member of the Security Executive Council, Lambert continues to provide a clear-eyed view of how organizational security and individual respect can coexist in the face of emerging threats.


CSO: What was one of the most challenging aspects of information security at a company like Sun Microsystems?

Leslie Lambert: Sun's approach to internal business execution had evolved over the last seven or eight years; we dramatically increased the outsourcing of business and operational components. In the early days, when we first outsourced manufacturing, it very often only involved installing a direct secure line with a specific manufacturer. As we expanded into this new model, we grew to 350 business process outsourcing partners, including not only external manufacturing and logistics, but business processes like payroll, handling customer calls for external and internal help desks, human resources, and staff employees using many self-service applications. We had moved to a gigantic partner security model. How do you manage something like that?

We created a multi-level technical architecture to manage business partner relationships over the Internet. What level of access you had with Sun's network and data was determined by whether you were a Sun employee, someone from the outside using our applications, whether the people and systems were remote. On top of this, we layered a risk matrix that took into account the nature of the data that was going back and forth, and how critical or sensitive it was to the business. This would range from intellectual property or engineering plans being sent to a semiconductor manufacturer to employees using a self-service application to buy office supplies over the Web. It ranged from very risky data exchanges to just buying pencils.

Then, on top of that, on a quarterly basis, we applied an ISO 27002-based audit methodology with each partner. It was very complex and thorough.

You have an education in experimental psychology and experience in control-systems design. How does that factor into security leadership?

The areas of experimental psychology that I focused on covered measurement, evaluation, techniques of experimental research, statistics and data analysis. I also spent several prior years doing control-system design. The combination of that with my analytical background bred a process-oriented, structured approach to things. I am, by nature, a cool head, and these additional experiences and skills provided me with a steady hand.

What are two things about security or security leadership you wish you'd known 10 years ago? (Editor's note: See Gary McGraw and Jim Routh's Lifestyle Hackers.)

One is the impact of this new generation of kids growing up online. I didn't see the profound impact this would have on who we would be working with or hiring, and who we would be protecting ourselves against around the world. We are dealing with an evolved type of behavior. Ten years ago, we worried about script kiddie attacks. Those kids have now gone to college, and their skills have increased to a new level of sophistication, and now they want to make money doing what they do, too!

Another thing I wish I had anticipated was how concepts of organized crime would influence computer crime. There are sophisticated, syndicated, well-funded villains, as highlighted by Google's recent exposure of botnet attacks. What is behind this is not one person, but organizations that may even be state-sponsored in some countries. They've deployed well-constructed command-and-control structures on the Internet, which are bringing large numbers of systems and victims within their reach.

What will be the next big topic in the security field?

Data protection. What data is most critical? How do you determine where the data sits? Maybe you don't put your data in the cloud. How do you lock down systems, servers and networks, and how do you deal with an extremely mobile workforce, and cloud computing? Do we have different components of transactions, including data, broken up across multiple notions of "cloudness"? With botnets leeching away data, how do you protect it from leaking? How do you structure both an internal and external defense, neither of which is set up as, "Lock down every piece of data and protect every system on the network"?

When it comes to business stakeholders, what is their most dangerous misunderstanding about security?

Our partners are in business to generate revenue. When selecting certain strategies, they may introduce higher levels of risk without realizing it. They may make decisions to do things without fully taking into consideration the risk of shifting a piece of the business to an emerging market locale. The question of whether we can provide adequate security in that emerging market location could be overlooked. It is our role as security professionals to partner with and best advise them on how to manage or mitigate security risks in their business dealings.
