How do you describe your job to average people?
I try to bring industry and government together to figure out how to secure all the digital devices we love to use.
Why did you get into IT security?
My degrees are in communications and I worked on Capitol Hill in the 90s on the Telecommunications Act of 1996, which began to address internet policy issues. It was clear to me that security was going to be a major issue.
What was one of your biggest challenges?
Making policy-makers understand that cybersecurity is not just an IT issue. It is also a strategic and economic issue. We need to address this on an risk management basis across the enterprise.
What keeps you up at night?
The bad guys are getting better and the good guys are not properly organized or motivated to meet the challenge. It is not that we don't know how to secure our systems, it is that we are not doing it.
Of what are you most proud?
In 2008, the ISA published the “Cyber Security Social Contract” demonstrating that government mandates would be ineffective and counterproductive. We outlined market-driven partnership that could create a sustainable system of cybersecurity. When President Obama published his “Cyberspace Policy Review,” the first and last source cited in the Executive Summary was the ISA.
For what would you use a magic IT security wand?
All the economic incentives favor the attackers. Attacks are cheap, easy to acquire and yield enormous profits. We have to defend a system designed for openness. It is hard to show ROI for prevention, and chances for successful prosecution are small. Plus, competitive pressures drive enterprises to adopt technologies that have unresolved security challenges. I would change the economic incentives to create clear economic motives for good cybersecurity.