You could say that Gene Fredriksen learned his first lesson about security from a squirrel. That's right. A squirrel. As a boy growing up in the Midwest and an enterprising Boy Scout, Fredriksen built the requisite bird feeder as a Scout project and proudly hung it from a pole in his yard. Daily checks of the feeder revealed that all the food had indeed been consumed, though not, to his chagrin, by birds, but rather by a pesky squirrel.
The innovative Scout tried everything – including greasing the pole that supported the feeder – to keep the squirrel at bay. But nothing worked. Certain that Bullwinkle's buddy was mocking him from a nearby tree, Fredriksen ramped up his efforts to thwart the furry interloper…until the day a neighbor ambled over.
“A retired farmer said, ‘I see what you're doing and you're never going to win,'” Fredriksen says. “‘You come out here and spend an hour a day trying to stop him. The squirrel is working 24 hours a day trying to steal your food.'”
As the neighbor predicted, he didn't get the squirrel, but the homespun lesson stuck with him. “You can't just do security a little bit, an hour a day, because someone out there is working 24 hours a day trying to steal your data,” he says.
That's an important mantra that Fredriksen has adopted, taught to the countless up-and-coming security pros he has trained and mentored, and applied in every security job he's had – from the Burton Group to Tyco International to PSCU, a financial services firm based in Saint Petersburg, Fla., where he is CISO.
There's another constant, too, that Fredriksen has discovered in his long and varied info security career. “The technology has changed, but the basic motivation, the social engineering part, hasn't,” he says, pointing out that the efforts of security pros still are aimed at access control, but their focus has shifted from the mainframe to servers and other devices on complex networks. “Con man skills are still critical to getting what you want,” he says. “Technology just helps penetration, and once [an attacker] gains entry, helps speed compromise.”
As demonstrated by high-profile breaches at Target and eBay, vulnerabilities like Heartbleed, crippling distributed denial-of-service attacks and more recent news that Russian hackers stole more than a billion credentials, organizations are assailed by compromises at nearly the speed of light, putting pressure on security professionals to move just as fast.
During the early stages of Fredriksen's career, security was a slow-moving target. “It was like getting out of the way of a hurricane: you had five days to get packed up before the storm hit,” he says. “We don't have that any more. We have to be more nimble.”
Today security professionals – and the organizations they protect – must really understand the new modes of attack, which, Fredriksen points out, are more sophisticated, more professional and better funded. “In my youth, you put up a firewall on the outside, made some rules, used anti-virus protection and focused on keeping some bad guys out,” he says.
That approach alone does not fly today, although, unfortunately, some organizations are still stuck in that mode even as attacks arrive ever faster and more furious. “They protect the perimeter and the focus is still on keeping people out,” says Fredriksen. But, he says, that's more like putting big locks on the outside of your house and no locks inside to keep would-be robbers from moving from room to room.
Simply throwing more resources at the problem doesn't work, nor is it feasible given tight IT security budgets. “Threats have risen 30 percent over last year,” he explains. “Companies can't hire 30 percent more people, and if they could, they'd be too slow. The days of watching monitors turn red are gone.”