During his 2006-2012 tenure as eBay CISO, David Cullinane was a big proponent of companies sharing threat-related data to improve security. After leaving eBay in 2012, he decided to be more hands-on about it and founded SecurityStarfish, which collects and analyzes cyberthreat intelligence from its clients to produce threat analysis, remediation and risk-reduction strategy reports.
Cullinane, who is also the SecurityStarfish CEO, said as online attacks become increasingly sophisticated, companies large and small benefit from learning from each other about the latest risk mediation tactics. At the RSA 2014 Conference in San Francisco in February, he sat down with SearchCompliance Editorial Director Christina Torode to further discuss how CISO information sharing plays a big role in modern corporate data security.
You were focused on collective intelligence at eBay, and you are now at SecurityStarfish. What security threats do you think CISOs should be collectively addressing, and how can this start happening?
Dave Cullinane: There are two concepts going on there. One is intelligence-based security: What's the stuff that's going to bother you? One of the questions I always got asked when I was at eBay was 'What keeps you awake at night?' What kept me awake at night was whether I spent the right money in the right place. There were so many things that needed to be addressed. Every CISO has a limited budget, limited resources. How do you allocate those resources against the stuff that's really going to hurt you?
That's a big part of what we're trying to do with Starfish, too: take what I learned from eBay and create the capability to share information effectively about what's happening. It's not just 'We told Target that there was malware out there on point-of-sale devices.' Instead, we actually told Target that 'There's malware out there for point-of-sale devices, and this is what to go look for to see if it's happening to you. If you find it, we'll help you figure out how to fix it.'
How do you tie security to core business processes?
Cullinane: One of the things that I think had the biggest impact was we actually sat down and started to calculate what our risk was and quantified it. We actually went through an exercise where we did a nine-square diagram that assigned values and probability of occurrence. We put all of the things that could happen into the various blocks, and then figured out what that cost was.
Then we built a risk curve to try and show them this is where we are today, this is the investment, this is what I'm asking for an investment and this is where it'll get us on the risk curve. Then a very smart friend of mine who's a financial wizard sat down with me one day and said 'You're missing the fact that as you put processes and procedures into place, you can actually push that curve down and to the left.'
So, for the same level of investment, we can get an even lower level of risk. I showed that to the CFO and his staff, and the staff kind of chuckled. The CFO said, 'Wait a minute, we just looked at a marketing presentation about how we should go spend $30 million to do something and buy something or develop a new product capability, and it was no less scientifically designed than this. Why shouldn't we accept this?'
That's one of the things we were able to do: Show that we actually reduced the risk commensurate with the investment, and actually in excess of the investment. It was to the point where I was giving back $10 in risk reduction for every $1 spent. Being able to demonstrate that you can do that kind of thing had a huge impact.
What do you think are the most ominous cyberthreats out there? What are some of the security measures that you would put in place to offset them?
Cullinane: The biggest one to me is that the level of sophistication's getting incredible. It's getting scary. eBay was a technology company; they were expected to have technology sophistication to be able to do things like that. Target and Neiman Marcus are retailers. They aren't going to go spend the kind of money that a technology company needs to spend. Being able to share that data about what's going on and use it across industries and across businesses is really critical, especially when you start looking at [small and medium-sized (SMB)] businesses that don't have the resources and, if they do have money, don't know where to find the resources they need.
I think that's one of the big ones. It's good intelligence information on what to go look for and what to do about it so that you can take those limited resources and spend them in the right way. There's a lot of fascinating stuff going on.
There are a lot of interesting things going on in the cloud space and very interesting opportunities to go leverage the capabilities of the cloud to reduce your cost and create a more secure environment. Amazon Web Services, for instance, offers us a PCI-certified environment. If you have a PCI requirement, you just move all your data into their cloud and they do all the PCI certification work for you.
Are more cloud providers becoming aware of and certified in specific regulations?
Cullinane: Yes, they are. Amazon's way out in front of everybody in that space. The others are coming along. It's one of the things the Cloud Security Alliance is trying to do, too. We've got the cloud Security, Trust & Assurance Registry (STAR) where we developed a set of criteria that are best practices for security for cloud providers. They can get C-STAR certified. Then, if you're looking for somebody that you want to do a relatively benign application on, you can go and make sure that you find the least expensive one, but one that is still certified. You can be sure that you're getting good security in what you're buying and not going to get breached through that mechanism.
What's your take on using security as a means to a competitive advantage?
Cullinane: It can be and it should be, but that's actually a double-edged sword. That's one of the issues we're finding when getting people to share information effectively. They say, 'Well, I know what I need to know, and that's a competitive advantage for me.' That's leaving the [SMBs] totally exposed. We shouldn't be doing that; that's not right. We have a responsibility for information sharing in some spaces.
Company A and Company B may be competitors, but they're dealing with a common adversary. The adversary is collaborating incredibly effectively to attack both of them. They should be collaborating to be able to deal with that. But as a differentiator, yes. If Company A is getting much better security, I'm much more likely to use them than I am to use Company B.
But do you think the general public cares about security?
Cullinane: They do, but I don't think they understand it well enough. It's a pretty complex space. Particularly, when you start looking at things like 'The answer to Target is using chip cards' or 'The answer to Target is encrypting all the data, so even if it does get stolen, nothing happens.' Or telling Target what's going on beforehand so they can stop it from happening in the first place. Or is it a combination of all of the above? It gets to be pretty complex.
We did a bunch of work at eBay with our customers because eBay was very much a customer business. Their security was critical, and they were getting attacked. Most people are getting attacked today. Their PCs are being attacked in multiple ways.
Just trying to get them to do things from a security perspective proved a lot more challenging than we thought it would. We actually got Microsoft to give us Microsoft Security Essentials for free to give to our customers. We had to convince them that they needed it. It's about getting the untrained person or the unaware person to understand that there are certain things they need to be doing.