Sniffing Out a Skunk Works

Putting a highly structured, centralized security organization on the front lines of the information security battle is akin to putting a battleship to task against a million speedboats with blowtorches. Holes will appear. Sinking will ensue.

The best way to deal with the versatility and creativity of the attackers, say some experts, is to create your own flexible, innovative groupor skunk works, if you will. Such groups will become increasingly crucial as companies begin using technologies such as Web services, which involves the combination of new tools with the potential for disaster if secured improperly, says Richard Baskerville, chairman of the CIS Department at Georgia State University.

Baskerville explains that such teams need not be expensive. “You don’t needand it’s unlikely a CSO will be able to justifya full-time team immediately, maybe even ever,” he says. “But a virtual skunk works is an intermediate strategy. If you have the right folks on staff, they can be assembled into a team as a temporary skunk works and then return to normal duties when finished.”

James Christiansen, CISO at business and credit service provider Experian, agrees. It’s important, however, to both hire the right people and to create a work environment that supports innovation. “Motivated people who are imaginative are usually knocking on my door with solutions before I’m thinking about them,” Christiansen says. “It’s all about the magic of motivation. You can’t be seen as a deterrent.”

“Its similar to a CERT or a [disaster recovery] team, only the purpose is to anticipate newly opened vulnerabilities rather than recover from them,” Baskerville says. The key, he notes, is keeping properly creative and intelligent people happy whenever things are running smoothly. “The tricky part of managing this potential is finding the kind of challenging tasks that will keep such people interested from day to day,” he says.