It's the question on everyone's mind: With computer privacy so highly valued, how do we secure the unsecurable?
Robert Bigman, president of 2BSecure LLC and former chief information security officer at the Central Intelligence Agency, suggests that the biggest technology challenge for CISOs isn't a new one. During the past few decades, IT professionals have struggled to find tools that can secure computers completely, instead of implementing the "next big thing" from security vendors and layering one product on top of another.
In this video interview, filmed at the 2013 ISSA International Conference in Nashville, Tenn., Bigman spoke to SearchCompliance about computer privacy and security as one of today's most challenging technology trends, and about other pressing concerns for CISOs.
What technology trend is presenting itself as the biggest challenge in corporations?
Robert Bigman: It's not new; it's the same one they've been having for 25 years now. The technology trend is [this]: How do we secure unsecurable computers? And the technology trend is [this]: What new tool is out on the market to help address the problem? For 25 years, they haven't found one. That's why every time you come to a show, there's a new vendor selling a new thing.
If you look at today's ISSA [conference], when you walk across the floor and look at the different stalls, it's all about cloud and big data. None of these products are really bad, and I'm sure they provide some performances that do some things, but frankly they're not solving the problem. The problem is that computers are inherently unsecure. Unless you do it from an architectural perspective and get it right, there's really no amount of products you can buy.
The technology trend is how to secure unsecure computers. Putting them in a cloud doesn't make them any more secure than they were before the cloud. Spreading them out between mobile endpoints doesn't make them any more secure than they were before they were all sticking in the computer data center.
These are not solutions to the problem -- they're fixing the symptoms. It's what we call the Nyquil effect: You haven't cured the cold, but you certainly feel a lot better about it. You didn't solve the computer security problem, but you feel like you've done something. Trust me: The hackers in Russia and China care very little about what products you put on your network. It really doesn't provide a roadblock for them.
What is, or seems to be, a top-of-mind concern for CISOs?
Bigman: No. 1, every year, they run to the seventh floor or go to the CIO and tell them, 'We need to [implement] this bell-and-whistle, shiny toy that just came out from RSA.' I'm not necessarily picking on RSA; [they're] just an example since they're here today, but same for McAfee or any one of the vendors. These are expensive toys. Enterprise licenses in a large corporation cost big, big dollars. It's hard to buy that toy, install it, get it working, then come back a year later and say, 'Well, I need another one to do data loss protection.' Then next year, 'I need another one to do digital rights management.' Then, 'I need another one to do cloud security.' Eventually, the CEOs are going to wise up to this, and say, 'Wait a second: Why are we not fixing this problem?'
A lot of the CISOs are coming to the realization that, unlike things like storage where you just buy more, unlike compute where you just buy more compute, unlike network where you buy bigger, thicker pipes, you can't buy your way out of the computer security problem. I think a lot of the CISOs are now coming to realize that.