In nearly every great movement in history, there is a moment in which the proverbial tide turns. For CISOs trying to convince their higher-ups to invest in encryption and cybersecurity programs, that moment came when the FBI tried to force Apple to crack open an iPhone 5c used by one of the San Bernardino shooters. And Apple refused.
That case, and others like it, sparked pushback from tech companies, privacy advocates and consumers, but also caught the attention of executives and vaulted IT security front and center, prompting CEOs and other top management to take crash courses to better understand the issues surrounding encryption and IT security technology.
Before Apple and the FBI squared off, frustrated IT staffs bent over backwards to explain to executives the importance of security and scrambled to find creative ways to lobby for its inclusion into the budget. But the high-profile clash, which currently finds the two sides momentarily in uneasy détente, has educated many execs who didn't know what encryption was, says Todd Bell, global CISO at Forticode, a software provider for authentication services. “A lot of novices are knowledgeable now about encryption and that's a good thing,” Bell adds.
Todd Bell, global CISO, Forticode
Stephen Holmes, director, corporate communications, Home Depot
Janet Bishop-Levesque, CISO, RSA, the security division of EMC
Kurt Opsahl, deputy executive director and general counsel, Electronic Frontier Foundation
Bob West, CISO, York Risk Services, CareWorks Tech
Janet Bishop-Levesque, CISO at RSA, the security division of EMC, says there was a lot of buzz about the Apple-FBI case at the RSA Conference this past spring. “What's interesting is that it hasn't just been people in the encryption business having the dialogue on stronger encryption,” she says. “Plus, I think high-profile actions like Amit Yoran, the president of RSA, recently testifying before the House Energy and Commerce Committee, helps bring a lot of attention to the need for strong encryption.”
Bob West, CISO at York Risk Services at CareWorks Tech, says that the Apple-FBI case has validated what he has been telling top management about encryption and IT security for the past several years. “The case underscored that we have to be vigilant in terms of protecting information and it demonstrated that our encryption policies have to be strong if not stronger,” he explains.
West adds that his firm, along with many others, will need to re-evaluate its policies around the issue of cooperating with law enforcement authorities. While some companies have clear policies on how they respond to authorities, many don't.
Other experts already have policies in place. Stephen Holmes, the director of corporate communications at Home Depot, says there's really no question about his company's policy. “If the FBI asks us if a person bought XX to conduct XX crime, we cooperate,” he says. “We even pull CCTV footage for authorities.”
However, he adds, the tough part with the mobile device angle for a lot of companies is that the overall environment continues to ratchet up security and security training for devices. “It would be hard to say that the most recent privacy events with Apple have made it any more important or aggressive because we're already extremely aggressive.”