This article can also be found in the Premium Editorial Download "Information Security magazine: Tips from the 2007 Security 7 Awards."
By Bill Brenner
Long before online fraud and harassment were a mainstream concern, Kirk Bailey was passionate about them. In 1999, for example, he challenged computer security researchers to take a couple months to scour cyberspace for as much of his personal information as they could find. To the surprise of Bailey and others, the researchers amassed a pile of data in short order, proving that the Internet was a trove of information for good and bad.
Eight years later, Bailey, chief information security officer at the University of Washington and former City of Seattle CISO, is being praised by peers as an industry leader and someone who can spot security trends before others. He spreads the word as the driving force behind Agora, an expansive group of IT security professionals who come together to chew on the latest security challenges. And he is an expert on cyberstalking and risk analysis.
"Kirk has been on the leading edge of such issues as data privacy, critical infrastructure protection and active defense," says Port of Seattle CISO Ernie Hayden, a longtime friend and collaborator.
"He is often raising information security issues and concerns before the general community even recognizes the problem," Hayden says.
As one example, Hayden notes how four years ago Bailey was building the concept of active defense--ways to fight back against a cyberaggressor--at a time when few were paying much attention.
"Kirk's probing questions and concerns were hard to swallow by the mainstream information security community, but he was right in his perception of the issues, and today active defense is part of the general infosecurity dialogue and there are even conferences on the subject."
During his tenure with the City of Seattle, Bailey ran an innovative risk analysis exercise against the city's IT infrastructure called ALKI. The exercise produced innovative defense strategies, and Hayden says that without Bailey's leadership, such an exercise would never have happened.
Bailey says his passion for the job is driven by the fact that the public's appetite for new technology far outpaces the ability to secure it. "Not enough attention is paid to the potential consequences of all this technology," he says. "Places like MySpace create an enormous opportunity for problems.
"The big unintended outcome of all this technology has been the loss of privacy," Bailey says. "More than 160 million letters have gone out to people telling them their privacy has been invaded, and that's just not right."
Bailey's mission is to take what he learns and share it with colleagues, peers and anyone else who will listen. He has learned to rethink the concept of security as data breaches escalate.
"Instead of worrying about perimeter security and perfect scores for zero compromises, we now have to operate under the premise that all systems can be compromised at any time, and act accordingly," Bailey says.
To that end, he says the building blocks of a good defense are strong forensics and incident response plans, public education, partnerships and continued public debate about the legal issues surrounding information security.
"I worry the public doesn't understand the true risks, so my mission is to educate them," he says.
Making a Difference
One of University of Washington CISO Kirk Bailey's missions in life is to raise awareness of cyberstalking and help pass laws to protect people and privacy.
Bailey was instrumental in getting a cyberstalking law on the books after he and his peers helped bring to justice a stalker harassing a fellow City of Seattle employee online. The Working to Halt Online Abuse site says the Washington law declares a person guilty of cyberstalking if they use electronic communication to intimidate, torment or embarrass another. Cyberstalking is considered a felony in cases of multiple offenses against the same person.
This was first published in October 2007