Too often, what firms and vendors consider intelligence-driven security amounts only to threat predictions and is not very worthwhile from a strategy standpoint, according to Kim Jones, Senior Vice President and CSO of payment processing provider Vantiv. Instead, companies need to use security data to drive decision making in order for it truly to be considered "intelligence-driven," he added.
At the RSA 2014 Conference in San Francisco in February, Jones sat down with SearchCompliance editor Ben Cole to further discuss the limits of intelligence-driven security and the state of the information protection profession.
How can we be sure the next generation of workers is ready for security threats, and what can the industry do to fill the security skills gap?
Kim Jones: Well, the first thing is that old guys like me need to give back. There are too many of us who are so busy doing the blocking and tackling work that we forget that we can't make it better unless we invest our time, energy and hopefully talent in the next generation. Step one is to join organizations that allow networking exposure for that next generation so that they can gain some of our insight and knowledge.
Step two is to spend time with the colleges and the universities. Instead of just complaining about the skills gap problem, help the universities and the people teaching the next generation learn how to do what you do. Help them understand what's important.
Third, take a chance. There are so many security needs that exist within an organization that we tend to be reluctant to take a chance on someone who's just coming in. How are they going to get the skill if I don't give them the opportunity to actually practice the trade and learn?
And fourth, absolutely insist on preservation of your training and education budgets. I have been at companies where I've had to make a hard tradeoff between skill training or starting a new project. When your training goes, you're not going to be able to do what you need to do. You've got to invest, and that's time and dollars.
What do you think are some of the biggest emerging cyber threats, and what security measures and techniques are emerging to address those?
Jones: I don't tend to focus on threats. That sounds counterintuitive. The fact of the matter is, as long as you attempt to protect something, there will be a bad guy who tries to get in and around that. So we can talk advanced persistent threats. We can talk mobile security. I tend to be more focused on trends.
For me, the most valued thing that we can focus on is identity. Actually, it's IAAA: identity, access, authentication and authorization. In this age of -- and we'll use the buzzword -- "Internet of Things" and mobility and moving to cloud services, our identity and the authorizations and access that come with it are the border. If we don't get identity and access management down, you can't do all the things we want to do regarding digital rights management and controls.
Threats are important. I don't want to discount the need for threat management. But anything that I answer today regarding that would be wrong tomorrow. The issue is what is the next challenge. That challenge is IAAA.
What do you think is the biggest challenge to PCI DSS compliance? Is it difficult from a financial perspective?
Jones: There are two sets of challenges with PCI DSS. One is that when PCI came on board back in the mid-2000s, we as a profession jumped on the bandwagon saying, 'Hooray, we now have an arrow in our quiver, a hammer beyond us just saying this is important.' We jumped too hard on the compliance bandwagon, not realizing that compliance isn't decided by the security guy. Compliance is decided by the corporate attorney. This led to the second problem of organizations deeming that being compliant means being secure.
PCI DSS is an excellent standard as a baseline to start with, but it only applies to credit card data. It doesn't apply to Social Security numbers, other PII, intellectual property or anything else you need to protect. PCI does not apply from a holistic security perspective. It means I have a small piece of my organization that is at least compliant to the detriment of everything else's security. If I'm peaking just to meet that PCI DSS compliance audit, I'm hosed.
For me, PCI DSS compliance isn't a huge challenge in and of itself. The challenge is the realization that compliance does not equal security. We shot ourselves in the foot by jumping too hard on the compliance bandwagon about a decade ago, and we're still trying to dig ourselves out from that.
How effective do you think intelligence- and analytics-driven security is? Are there any challenges to intelligence-driven security?
Jones: I think a lot of what you see regarding intelligence-driven security isn't based on real intelligence. A lot of people are using the term 'intelligence' to describe 'what is the bad guy doing?' A lot of vendors and a lot of companies are focused on, 'We poke around in the dark places where others fear to tread. We can tell what the bad guy is doing.'
That's not truly intelligence. All that does is give me yet one more fire hose worth of data that I have to consume, digest and make actionable. Understanding what the priority requirements are, how that threat information drives my total risk picture so that I can truly decide what I need to do first -- that's where we need to go.
True intelligence-based risk management gets down to, 'This is what the threat is capable of. This is the threat's intention. And this is how it stacks up against the vulnerable points within my value chain.' That's what we've been talking about in security for a while. The only issue is we've had people who have been saying, 'I'm doing risk management looking at just vulnerability.' Now, as fast as the bad guy is advancing, we have people looking at the threat picture more, which is great. But understanding the threat picture doesn't mean you have intelligence.
If you know what the bad guy is capable of and are applying that to your vulnerabilities to affect your risk quotient, to truly drive decision making, that's intelligence. There are a lot of people who talk about that; there are not a lot of people doing that. There are not a lot of vendors who are offering me data that allows me to do that. But if you find the one that is, and they really start providing me with that focused, holistic intelligence, that's worth my time. It's where we've needed to go for a long time.