1. What has been the biggest change in security that you’ve seen in the last decade?
From a threat perspective, it’s the hacker’s goal. It used to be for fame, bragging rights or to satisfy a curiosity: “Can I do it?” Today’s hackers are organized as crime syndicates hijacking computers to be used or sold for nefarious, criminal purposes.
From an operational perspective, it is in the business drivers for security. We’ve evolved from FUD of some mysterious hacker threat to FUD of government regulations and industry compliance standards (e.g., PCI).
2. What advice would you give to a new CSO?
View and sell yourself as a risk manager, applying a risk-based approach and providing visibility into enterprise risks. Don’t focus on the technology, but on what you’re trying to protect and why. To do this effectively, you must understand the business and align your strategy to the business and IT strategic goals. Finally, you must not only speak the language of business, but also implement a governance model that is complementary to your organization’s culture.
3. What is the biggest computer security threat that faces our new president and our nation?
Foreign governments have developed a cyberwarfare capability and they’ve fearlessly unleashed their ethereal armies to great effectiveness, e.g., Russia vs. Georgia, Estonia, and Lithuania, China vs. USA, etc.
The U.S. must not only develop effective defensive capabilities, but also offensive ones. Just as the U.S. airspace was shut down during the 9/11 attacks, U.S. cyberspace may need to be shut down also; and businesses need to be prepared for the impact that such a blockade will have.
4. With limited budgets, what is the one security imperative that you think is most important?
Assuming the basics are covered, i.e., perimeter security and access controls, CSOs must focus on protecting information from those charged with maintaining it. The insider threat – the threat from those that are supposed to have access to information – remains the most significant vulnerability. Many security practitioners throw technology at this problem; it’s easy to demonstrate activity when you’re deploying products. They’re reluctant to deal with the people and process issues, which require a different approach.
5. What makes a great security team?
A team with well-balanced skills and experience is essential. You need team members who understand the technology (networks and systems), computer forensics, risk assessments, auditing and project management. But most importantly, you need a team that has the soft skills necessary to influence others and get policies or projects effectively implemented. They need to understand the business and their customers’ needs and concerns. A positive, “can do” attitude and spirit of collaboration are important ingredients.