Katz: There are two axioms that we have to live with. I'm paraphrasing a friend of mine at a major financial institution: data wants to be free and shared; it's just the nature of data. And the second is that networks will be attacked. The combination of the two says we really have to take a data-focused approach to protecting information regardless of where it is located and its status, whether it's in transit or not. Data will ultimately become visible to people to whom you don't want it visible, and the answer is that it has to be protected regardless of where it is. The only way to effectively protect it is a well-implemented and well-constituted data encryption program.
The concern that we've had in the past is that when we encrypt a data string we get a much larger data string. And if you look at databases, you wind up losing all kinds of referential integrity and losing all your checksums that you've pulled into this. So the challenge continues, and there is at least one company, probably more, coming out with what's called format-preserving encryption, where credit card numbers, personal identification numbers and personal health information can be encrypted and you maintain the size of the data fields, maintain the checksums and retain referential integrity across databases.

Isn't that easier said than done in many cases? How easy is it to deploy encryption?
Katz: It's not as difficult as it may seem. Cryptography has come a long way. There are a number of good technology companies out there that make it relatively painless. It's a challenge to deploy anything, but the reality is you have to have a trust relationship with your customer base. One of the things we had in place when I was at Citi was an information security awareness program. We said Citi has two products: money and trust. If you didn't sell the trust, you would have a difficult time selling the money. Any time I use an Internet system, I'm trusting them to keep my information confidential.
But many companies don't have a good handle on their data. They don't know where all their data resides, especially with larger firms with multiple complex systems.
Katz: Like anything else, you try to beat the elephant one bite at a time. I think you find the most critical data store and begin there, and if you encrypt 50% of the problem you're 50% ahead of the game. I'll be the first to agree that we'll never get to 100%, but let's get as close as we can. It's a complicated problem.

Is it becoming cost-effective for companies to deploy encryption?
Katz: My understanding is that the costs are starting to come down significantly. More people are rolling it out. You have a significant number of vendors competing for business, and there's nothing better for cost than competition. Now that format-preserving encryption has become a reality, implementation is a lot more acceptable. There's nothing worse than trying to take a 15-character credit card number and turning it into a 150- or 180-character encrypted number. It doesn't work. But if you can go ahead and take a 15-character credit card number and come out with a 15-character encrypted credit card number … I don't see why there is a reason not to go ahead with it.

You have such an extensive background as a CISO. What has become of the role of late, and how do you see it evolving?
Katz: I was the first CISO in the industry, in 1995 at Citigroup. I was two down from the CEO. This was really revolutionary for its time. We wanted to make information security a business risk management issue. A great deal of my time was spent working with senior business executives and Citi operations executives, and working with the operations risk management committee, which was a subcommittee of the board. We're seeing much more of this now. More and more folks are moving into the chief risk officer role or chief information risk officer role who have a business perspective first and a technology perspective almost as a secondary role. There's an understanding that businesses take risks to grow, and a recognition that there are tradeoffs in everything you do.