The second instalment of CBR’s exclusive interview with Brett Wahlin, Chief Information Security Officer (CISO), HP Global. Ambrose McNevin asks the questions.
CBR, Q: Are CISOs losing the battle?
Brett Wahlin, A: Depends how you define it. Those guys [the attackers] only have to be right once. We have to be right all the time. So it makes it really difficult to keep up with the attacks, in a world of decreasing budgets. It is a hard battle. It is a complicated scenario we’re facing.
When an incident happens – and it will happen to everyone – there’s always a view that we’re negligent. There’s an optic around being a CISO.
It’s like a war on crime or any other good guy, bad guy situation. Bad things are always going to happen. So it is really difficult to say we’re losing, because we do have a lot of victories that you don’t hear about. We do catch a lot, but of course it is the ones we miss that actually make it into the press and that makes it appear that the problem is impactful when in fact we stop quite a bit. So I wouldn’t say we’re losing but I’d say it is a difficult battle that we continue to fight.
Q: What is happening in the end user environment?
A: I view security as an end-user. We’re not a vendor, we’re just like everyone else and we’re protecting the company. We have a better supply of secure technologies, but we approach it in much the same way as in my previous roles.
Our approach is to get a handle on an ever-increasing array of things. For example, how do you keep up with the cloud? What a lot of companies are still faced with is: how do I do the basics?
Patching, vulnerability assessments, risk assessments, understanding the basic security principles and continuing to do so while I add in all the rest of these pieces.
Q: What are the disturbances?
A: The more we get away from the controls we have in place – from on-premises data centres where you can put your arms around it and control your own environment – there was a feeling that you had better control. And the big disruption on moving to cloud is that we don’t know where that data is going. So it could go to a cloud vendor. We’re assuming they’re protecting it, but we don’t know for certain. We’re assuming that the end user is taking some control. They’ve brought their own system and application, but they’re still accessing company data. We’ve lost control of that end point. We don’t know particularly what’s happening.
There are things we can do to enhance that control, but it’s a risk. We have to get better at that discussion of risk with the business: is it important to have that new style of IT, to have that ability to use those types of cloud applications and the devices that employees want to bring, versus the fact that we’re losing sight of some of the data that is coming in from the network – we’re losing the ability to quickly lock down and track the end points. So there’s a trade off for this increased effectiveness and greater risk.
CISOs have to be really good at having that business risk conversation with leaders. How do I translate that into their language so they understand that if you do this, these are the potential bad things that could happen? And how can I help you with that? But it comes at a cost. It comes with a little less flexibility, so we have to walk that line where the user community understands the risk appetite in the company.
The data is going everywhere in big and small companies. The perimeter is no longer a perimeter, it is very porous.
As security professionals we have to change our approach and have that discussion, because in some cases there is not a lot we can do. The data is in the hands of the user. We can educate, we can increase awareness on many of those functions, but we’re taking a risk by releasing those controls.
Q: What is your view on education versus technology?
A: What’s changed is that security was focused on the infrastructure, then it was focused on the end point, and then it moved back. We see a lot of oscillation and we don’t really know the best place to put controls.
We move in conjunction with where the business is going. Years ago we’d concentrate on the end points. Let’s lock them down – you can’t have admin rights, then BYOD came in and we had to change. Now we have to balance.
The problem is if I were to design an infrastructure, design how data is classified and controlled, work on the policy piece today, and build an information architecture, it would be completely different from what we see in enterprises.
So we have to get that blend between what we have, because we can’t afford to rip and replace with all this new stuff. We have to rely on users to be aware of their surroundings and potential threats, like ‘If I click this, what will happen?’ And to think ‘I have data and it is valuable.’
We have to continue that education across the board at a corporate and individual level and build personal awareness.
It is hard for security people to tell people about risk. For example, do you know the risk of putting your picture on iCloud or on Facebook? Because what we’ll do is paint this really scary picture.