This is the second of two parts of an interview of Stephen Northcutt by technologist David Greer. How do you see the evolution of the problem space of information security? Everything that follows is by Messrs Greer and Northcutt with minor edits. (See part 1.)

* * *

DG: It seems like many of the current security issues are problems that we have been dealing with for decades.
SN: Twelve years ago, we were standing up for a cyber capability for the United States. We do make progress; for instance, we now have the Cyber Guardian program and have already graduated the first class. All the things we are saying today and the stuff we are doing to our cyber capability I heard 12 years ago. The attack surface just continues to get larger and larger and larger. We are more connected, so there's a lot more vulnerability points because we are increasingly connected and more code is exposed to potential attacks. So we're dealing with more lines and more kinds of code.
We are not dealing with that many fundamental problems. There is an ever-greater need for security people who can integrate with the business. The specifics are changing, but the classes of the problems haven't changed very much. I was just trying to explain to someone that the No. 1 thing a manager wants out of a security person is communication skills. Our challenge is to develop people's communications skills. We've done survey after survey after survey.
You can't do business without communication. If we don't put a tremendous amount of attention and simplify, simplify, simplify, we end up with things we cannot manage. I would also say that my personal observation is that people often think complexity is its own reward. This is true on the security level, technology level and organization-process level.

DG: How do you see evaluating and managing risk in the security environment today?

SN: A couple of years back I spent some time with the trade organization that represents the 100 largest banks in the U.S. We were trying to do some work around information security risk.
More than once I heard the finance guys say, "You information security folks have no idea what you're doing in terms of risk management. In finance we know for any set of financial transactions within a few dollars what our risk is." One of those quants was in the risk management department at Bear Stearns, which is gone now. You are using qualitative methods when you need quantitative. The finance folks have an advanced terminology and methodology. We need to make sure in information security we are never arrogant and that we make every effort to present risk to senior management in such a way that they can govern wisely.
I am sure senior management were briefed on the risks, but because house prices and stock prices kept going up they thought this incredible risk of bubble deflation was an acceptable risk, and they found out they were wrong. I think there are three parts to that.

1. Start using metrics to measure and quantify risk. Instead of just saying "We might get hacked," we should explain the financial cost of a data breach or the destruction or manipulation of our data. There are several books such as Andrew Jaquith's "Security Metrics: Replacing Fear, Uncertainty, and Doubt" and W. Krag Brotby's "Information Security Management Metrics: A Definitive Guide to Effective Security Monitoring and Measurement"; tools such as security information and event management (SIEM) and vulnerability management products that are internally consistent provide a quantitative score.

2. We need to describe risk in terms of the business objectives. I know that is a strength of the MSIA program at Norwich.

3. Finally, we need to present the information well and at the management level.
I think every security person needs to read "The Exceptional Presenter: A Proven Formula to Open Up and Own the Room" by Timothy J. Koegel and "The Cognitive Style of PowerPoint: Pitching Out Corrupts Within" by Edward R. Tufte once every 18 months or so and struggle to apply that information to our lives.

DG: As we move toward cloud computing do you see these risks increasing?
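The following is an added worked example of the quantitative, business-facing risk brief that the metrics discussion above calls for; it is not part of the interview and not a tool from SANS, Norwich or either participant. It uses the textbook annualized loss expectancy model (single loss expectancy times annual rate of occurrence), a small Monte Carlo run to estimate how often a year's losses exceed a budget, and a control cost-benefit check. Every scenario name, dollar figure and rate is a constructed assumption chosen for illustration.

```python
"""Quantitative risk brief for management: ranked annualized loss expectancy,
a loss-exceedance estimate, and a control cost-benefit check.
Scenario figures below are constructed examples, not real measurements."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    sle: float  # single loss expectancy: dollars lost per occurrence
    aro: float  # annual rate of occurrence: expected events per year


# Constructed example scenarios (assumed values, not from any organization).
SCENARIOS = [
    Scenario("Customer database breach", sle=2_000_000, aro=0.1),
    Scenario("Ransomware on file servers", sle=400_000, aro=0.4),
    Scenario("Lost unencrypted laptop", sle=50_000, aro=2.0),
    Scenario("Public web defacement", sle=10_000, aro=1.0),
]


def ale(s: Scenario) -> float:
    """Annualized loss expectancy: expected dollars lost per year."""
    return s.sle * s.aro


def rank_by_ale(scenarios):
    """Scenarios ordered by expected annual loss, largest first."""
    return sorted(scenarios, key=ale, reverse=True)


def control_net_benefit(s: Scenario, new_sle, new_aro, annual_cost) -> float:
    """Net annual benefit of a control that changes a scenario's SLE or ARO.
    Positive means the control pays for itself in expected-loss terms."""
    reduced = Scenario(s.name, new_sle, new_aro)
    return ale(s) - ale(reduced) - annual_cost


def _poisson(lam: float, rng: random.Random) -> int:
    """Knuth's method: sample an event count with mean lam (fine for small lam)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate_annual_losses(scenarios, years=20_000, seed=1):
    """Monte Carlo: total loss in each simulated year; event counts ~ Poisson(aro)."""
    rng = random.Random(seed)
    return [sum(_poisson(s.aro, rng) * s.sle for s in scenarios)
            for _ in range(years)]


def loss_exceedance(losses, threshold) -> float:
    """Fraction of simulated years in which the loss exceeded the threshold."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def management_brief(scenarios, budget):
    """Lines a manager can act on: ranked ALE and the chance of exceeding budget."""
    losses = simulate_annual_losses(scenarios)
    lines = [f"{s.name}: expected ${ale(s):,.0f}/year" for s in rank_by_ale(scenarios)]
    lines.append(f"Total expected annual loss: ${sum(map(ale, scenarios)):,.0f}")
    lines.append(f"Chance of losing more than ${budget:,.0f} in a year: "
                 f"{100 * loss_exceedance(losses, budget):.0f}%")
    return lines


if __name__ == "__main__":
    print("\n".join(management_brief(SCENARIOS, budget=1_000_000)))
    laptop = SCENARIOS[2]  # assumed control: full-disk encryption at $30k/year
    print(f"Laptop encryption net benefit: "
          f"${control_net_benefit(laptop, 5_000, 2.0, 30_000):,.0f}/year")
```

The point of the exceedance figure is that an expected-loss number alone hides the tail: the breach scenario contributes the same expected loss as the ransomware one but drives almost all of the years in which the budget is blown, which is the kind of distinction a finance audience expects to see stated.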