What do you think needs more attention from the industry?
The average home computer has more power than the supercomputers available in the 1990s – they are unmanaged and, for the most part, unprotected, and the bad guys know it. With broadband connections, they can be assembled into huge bot networks that can wreak havoc on the target of choice. This is something that the industry needs to be looking at.

Of what are you most proud?
Finding ways to provide a secure environment without interfering with the business of the university. The university environment is complicated, and the typical security profile does not really work, at least without changing the nature of the academy. I like to say that you can still do research at Columbia without bumping into a 'security gotcha' at every turn.

What security threats are overblown?
Fear of network sniffing is overblown. While it is technically possible for a highly trained and motivated bad guy to sniff, it is not easy and there are so many better ways of getting the data. The threat is real, i.e., the Heartland data breach, but there is not a bad guy out there sniffing every wire.

What annoys you?
The use of technical solutions for non-technical problems. Before computers, there were policies that governed behavior. If you read Playboy magazine at your desk, and someone complains, you could be fired. Now, all bad behavior becomes a computer security problem. I think that HR problems should remain HR problems and not become network security problems.

How do you describe your job to average people?
To protect the rest of the world from Columbia and to make sure that Columbia University does not appear on the front page of the NY Times for the wrong reasons.

For what would you use a magic IT security wand?
I would use it to make people smarter about basic security practices. My favorite saying is “You can't stop stupid, but you can slow it down.” I would use that wand to stop stupid.