In the digital age, companies are increasingly expanding their IT networks to engage with tech-savvy customers and use technological advances for business gain. But as this network growth becomes commonplace, and even necessary, for successful businesses, it also increases information security vulnerabilities.
Dan Geer, a cybersecurity pioneer who is currently CISO of In-Q-Tel, said this trend is having a big impact on companies' information security processes and training. At last year's ISSA International Conference in Chicago, Geer sat down with SearchCompliance editor Ben Cole to discuss modern information security and how IT network growth is influencing companies' data protection efforts.
How can companies promote a "culture of security" that was the theme of the 2015 ISSA International Conference?
Dan Geer: Well, I'm going to reveal a bias: People my age were trained for something else, we weren't trained for cybersecurity. I was trained as statistician, so I think the best way to achieve a culture of security is to measure something. I think measurement causes you to think about the outcome in ways that don't actually happen if all you have are adjectives. I like numbers.
How has new and evolving technology, such as the IoT, complicated the information security professional's role?
Geer: The problem there is that locating resources is much harder when the network extent grows. Early on, a guy named Sarnoff, who founded RCA, developed Sarnoff's Law which talked about the radio world and said the value of a network is proportional to the number of listeners. That's how you can charge for advertising, for example, in the radio world. With the advent of what we now call the Internet, Bob Metcalf had what we call Metcalfe's Law, which is that the value of a network is proportional to the square of the number of people who are in it because that is the number of potential conversations that could occur.
Dave Reed had a more recent, different interpretation on that, which is that the value of a network is proportional to the number of groups that can form in it. In other words, the value of the network goes up very steeply as the network grows. Why do I say that? Because value can be either positive or negative. There's nothing that says that value has to be positive, it can just as easily be negative. The challenge with increasing Internet extent, whether it is the Internet of Things or cloud storage of data, is knowing the number of ways all of those pieces can be put together grows very fast. That change in the scope of what you have to worry about makes it so much harder.
How has the InfoSec professional's role changed as information security has become so important to a business' success?
Geer: The point of data security, I think, is best explained by noting that the percentage of corporate wealth that is data is a rising fraction of share value. I used to work with a bacteriologist, oddly enough, in the cyber field, and she pointed out that the higher order animals, the higher you go, the greater the amount of metabolic energy is spent on protection. Her argument is that if you want to learn from nature, as we get bigger, a greater fraction of our wealth is in the form of data. We should spend the Moore's Law dividend on protection, not on increased functionality. I think she's right.
How can companies make sure their security policies and processes are staying up to date with modern threats and network growth?
Geer: A professor at Johns Hopkins would regularly assign his classes to build something such as a Web server in small groups, then they all put their names in a hat and they draw names to attack other players and teams. That kind of thing is what you have to do. The other question is how do you avoid becoming complacent, and the answer is to red team it, and red team it hard.
Only 25 years ago the issues of cybersecurity that are played out in enterprises now were only the provenance of the intelligence community. One of the things the intelligence community has done over and over again is put a lot of effort into red team, and you have to do the same.