Twenty-five years is a long time by any standard. But in the Internet Age, it's literally an eternity.
That's why, as SC Magazine looks back on the quarter century since its own inception, it is almost impossible to comprehend the pace and scope of change that has taken place in corporate information security as executives have turned their focus from access management and firewalls to identity management and anti-virus to intrusion detection and behavioral analytics. Also, the position of chief security officer, or chief information security officer, has rocketed in recent years from virtual non-existence to tremendously important, as headlines trumpet cybersecurity breaches on a daily basis and board members seek answers to these growing issues.
OUR EXPERTS: Through the years
Gaurav Banga, co-founder and CEO, Bromium
Michael Daly, CTO, Raytheon Cybersecurity and Special Missions
Dave Frymier, VP/CISO, Unisys
Ron Gula, CEO, Tenable
Robert Henry, CISO, Santa Clara University
Vikram Phatak, CEO and chairman, NSS Labs
Hitesh Sheth, president and CEO, Vectra Networks
Amit Yoran, president, RSA
“Back in the 1990s, nobody knew anything. Everything about information security was still so new,” says Vikram Phatak, CEO and chairman of the board for NSS Labs, a research and advisory firm that advises companies on cybersecurity based on its analysts' research as well as lab test data. Since entering this industry in the mid-90s, Phatak has seen the CSO role go from one of simply “educating employees that they need to use firewalls” to advising top executives on the holistic problems of information security, which, he says, have become more widespread and profound with the advent of networking, virtual private networks, social media and mobile.
“The paradigm we originally had for information security is based on a world that doesn't exist any more,” Phatak says. “The perimeter has long since dissolved and…the entire paradigm of protecting things is based on outdated ideas. We all really need to have another look at what makes sense.”
Since the 1994 release of Firewalls and Internet Security: Repelling the Wily Hacker [by William Cheswick, Steven Bellovin and Aviel Rubin] introduced a new paradigm of enabling internal collaboration while securing information from the outside, the industry has largely focused on creating controls, such as internet gateways, to improve collaboration with the outside world, says Gaurav Banga, co-founder and CEO of Bromium. “But, 20 years later,” he adds, “we still struggle to maintain security while enabling productivity.”
Robert Henry, chief information security officer for Santa Clara University, also points out that in the past information security generally focused on preventing threats that could lead to breaches by trying to stop everything at the organization's internet boundary. “With the primacy of mobile devices, there is no longer a border,” Henry says. “That doesn't mean ignoring the perimeter. It means acknowledging that threats are going to arrive inside the networks and then we need to identify them and respond to them quickly.”
Hitesh Sheth, president and CEO for Vectra Networks, also believes the changing definition of the workplace has led to a sea change in our view of corporate security. “We've gone from an environment where people were essentially stationary with fixed computing assets to one where everything is porous and people are mobile and applications and data and information are all in the cloud,” says Sheth. “The sense that you can fence something is gone. It's just gone.”
According to RSA President Amit Yoran, the “explosion of awareness” around the issue of information security has, in and of itself, changed the threat landscape and the way that it is viewed and managed, as has the rapid onslaught of new technologies that have made it easier to do work but (arguably) harder to secure systems. “That's been a fundamental challenge for the industry,” Yoran says. “The world rushes forward and embraces technology for performance enhancements and delivering new capabilities to customers and being more effective, without really understanding what is involved.”
Simply put: “The threat is ubiquitous,” says Ron Gula, CEO of Tenable. “In the past, risks and vulnerabilities were there, there were forces at play interested in exploiting the information. But it didn't affect people as much [as today] or their lives, it was a novelty story. Now it's every day, and everyone.”
As chief technology officer for Raytheon Cybersecurity and Special Missions, Michael Daly has been overseeing information security issues for more than 16 years. His IT security group has gone from a “small department of six employees unknown to senior leadership” to a much larger team that routinely briefs the company's board of directors and C-suite. “It requires a different kind of employee, a different kind of engineer.”
Indeed, as Ian Amit, vice president for ZeroFOX, a company that specializes in social media risk management, points out, the chief security officer was typically part of the IT operation and reported to the CTO. But now, with lines blurring, the chief security officer is more likely to be part of the top executive team, working hand in glove with legal, regulatory and marketing teams as well as lines of business.