Information Security

Defending the digital infrastructure


Best Advice

In this must-read compilation, we asked security luminaries to share their anecdotes, professional wisdom and success stories.

Scott Charney
Vice president of Trustworthy Computing, Microsoft
Trust but verify.

Some of the best IT security advice I've received--trust but verify--can appear simple in principle, but is more complex in implementation. It wars with our instinct as humans to inherently trust each other. When I am asked for advice, I often tell people to put the business leaders, the legal counsel and the IT staff in the same room--each department will learn how it is dependent on the others.

Mikko Hypponen
Director of antivirus research, F-Secure
Trust no one.
"Trust no one," says X-Files character Fox Mulder.

Ultimately, we all have to take responsibility for our actions, and we can rely only on ourselves to get that done.

Ernie Hayden
CISO, Port of Seattle
Look at the whole picture.

Probably the best security advice I ever received was from my good friend and co-worker Kirk Bailey (CISO, University of Washington, and former CISO, City of Seattle): Try to stay at a strategic or high level to ensure that you look at the entire picture before making a security policy, procedure or decision. And, always be ethical and do the right thing.

Steven Johnston
Senior strategic research and policy analyst, Office of the Privacy Commissioner of Canada
Understand business requirements.

Before you do anything else, make sure you understand your business requirements and operations. This is an adaptation of a military maxim--primacy of operations.

Everything that a security consultant or a member of the security staff does--risk assessment, security architecture, policy and standards, safeguard selection, education and awareness--should be aimed at enabling, supporting, protecting, recovering and restoring business requirements and operations.

Without a clear understanding of these principles, there's a significant chance that you will either forget to address a particular aspect of security, or that the security that is implemented will be inappropriate.

Krizi Trivisani
CSO, George Washington University
You get what you pay for.

A few years ago, I had the honor and pleasure of having lunch with Dorothy Denning right before she left Georgetown and moved to California.

She gave me some very good advice: Don't stress about the things you cannot change, and focus on the areas where you can make a positive impact. You can't force change--the culture has to be ready to change.

She also told me that, many times, the adage "you get what you pay for" is true: Organizations that want the best security professionals better be willing to attract, pay and retain them. There are so few of us, and we are hot property right now.

Stacey Halota
Director of information security and privacy, The Washington Post Company
Humor can help your image.

Never lose your sense of humor. This isn't to say that there is anything humorous about security incidents; but, if you can get your message across with humor, people often remember it.

Information security professionals can be perceived as intimidating, and humor helps do away with the "bad guy" persona.

Mike Nash
Vice president, security business and technology unit, Microsoft
Isolation and protection are key.

You need to assume that other people may be trying to attack you, even if you don't think they have a reason. I am a big believer in isolation, which is why I always use a firewall whenever I connect to the Internet.

The next thing I do is get my system up-to-date and protected by antivirus and antispyware software. I always carry a USB disk with Windows XP SP2 and Microsoft Anti-Spyware Beta One, and I install them for all of my friends and family who don't already have them.

Bruce Bonsall
CISO, MassMutual
Learn how to sell your ideas.

Seven or eight years ago, I attended a dinner seminar put on by a local security consulting boutique that was focused on marketing security. The event was one of the best I've ever attended in terms of the interaction between attendees and the presenters, and I came away feeling that my time was well spent.

The fundamental point was that security practitioners need to learn how to sell their ideas. One of the keys to accomplishing this is understanding the perspective of those to whom the ideas are being directed. In other words, market to the business people who hold the purse strings, and frame the messages in terms they can relate to.

Too often, we, as security practitioners, lapse into geek-speak and then fault our listeners for "not getting it." Whether you're pitching the need to fund security projects to business people, or convincing a child of the need to wear a helmet when bicycling, you need to put things in terms the listener can understand. Beyond understanding, you want the listener to actually like the idea. The more they like it, the more sure the sale.

Get inside the listener's head. Figure out what his hot buttons are and leverage them. Spend a little time getting to know your audience, establish some trust and build your credibility by showing that you understand the issues. Point out that you have shared goals, and then provide some alternatives on how you can work together to achieve them.

Securing information systems requires the participation and cooperation of a lot of people. You'll never manage it on your own, and that's why it's critically important that you capture mindshare and involve others in your security agenda. Start marketing now and build those key relationships so that, when the time comes, you're able to sell your ideas and gain that much-needed support for your security initiatives.

Rep. Tom Davis (R-Va.)
All it takes is one weak link.

During a government reform hearing, I was told that everyone must protect his or her own piece of cyberspace.

Given the interconnectivity of systems, all it takes is one weak link to break the chain. All users--whether they are at home, school or work--need to understand the impact of weak security and the measures that should be taken to prevent or respond to cyberattacks.

Eva Chen
CEO, Trend Micro
You can't stop a virus.

At the time of the insidious Code Red outbreak several years ago, my customers gave me the best advice I've ever received: You can't stop the virus; no one can stop the virus.

At first, I could not accept this. After all, our company invented ways to stop Internet-borne viruses at the gateway of the enterprise. But, these customers helped me realize a new path based on risk management.

Most enterprise customers have boundary-less, interconnected supply chains running on one global TCP/IP network. This smoothes the way to greater commerce, but puts my customers at greater risk.

They helped me understand that risk management needs to be multifaceted; it has to include the product, the people and services, and a well-defined and scalable recovery strategy.

Delivery of these aspects, I learned, was just as, if not more, important as the delivery of the virus antidote or pattern file in record time.

Terri Curran
Director of information security, Bose
Know your business.

My mentors and friends taught me early in my career that you can't protect what you don't know.

Get out and meet your business partners and international colleagues. Learn how to make a widget, a pinwheel or whatever your company's product may be.

If you're in a manufacturing environment, go on the factory floor. If you're in academia, register for and audit a class. If you're in a financial environment, go to the trading floor.

Learning the business that you are trying to protect is the most valuable thing you will do as a security practitioner.

Eugene Spafford
Director of CERIAS, Purdue University
Breaking isn't the same as making.

Breaking something is easier than making something. Anyone can break a crystal vase, but not many can craft one--in fact, the ones who can probably know more about its weaknesses and strengths than anyone. The same is true of IT.

Breaking most systems isn't that difficult compared to configuring and operating them to resist attack. Someone who demonstrates that he or she can break into a system has not demonstrated security expertise, but attack expertise. Be very cautious about confusing the two--one should not make appointments with a confessed ax murderer for one's annual medical exam.

Damon Small
Network security architect, Memorial Hermann Healthcare System
Use blogs to your advantage.

Many security professionals use blogs to read news and learn about emerging trends, but blogs are also useful to raise security awareness within an organization. My company uses an internally accessible blog to post stories of general interest to our IT staff; it's more efficient than e-mailing links to other blogs, and it provides a central location where readers can review all items of interest.

In addition to posting security news, the blog is useful to our computer security incident response team, which posts incident updates so that members of the team, managers and key personnel can refer to it for status reports. It has proven to be a very useful and easy way to provide centralized access to important security information.

One word of caution--do not post sensitive information to your organization's security blog that an internal user with malicious intent can use to his or her advantage.

Rebecca Bace
CEO, Infidel
Paranoia isn't enough.

I have three pieces of advice that have been extremely helpful to me in navigating the straits of security.

The first is from Donn Parker, the dean of commercial information security: Paranoia isn't enough. It serves to refocus my efforts as a practitioner in times when it seems we're drowning in threats with no miracle cures at hand.

The second helped me weather the early years of my involvement in security, and comes from long-time friend and security auditor Robert P. Abbott: Security is a missionary sale. Your mission is not only to convince your client that there is a God, but that you are a legitimate representative of that God.

Finally, my old friend Fred Smith gave me a pearl of wisdom that I use every day: Technologists have a tendency to confuse those things that are interesting with those that are important. As security becomes more tightly integrated into traditional control structures of the business world, this has increasing relevance to security.

Ron Moritz
Chief security strategist, Computer Associates
Information systems are what counts.

CEOs who don't recognize or understand the importance of their information systems and don't invest in their security will fail.

About a year ago, I met with the CIO of a large energy corporation that had successfully completed a review of the physical controls around one of its nuclear facilities. The Nuclear Regulatory Commission auditors went home satisfied, having given the plant a thumbs up for its strong controls: The gates, guns and guards were in place, and access to the control room was restricted.

A month after this review, a panicked member of the IT organization went running into the CIO's office.

A tin shack had been discovered about a mile outside the plant perimeter. It was an unprotected structure resembling a tool shed. There were no guards protecting the shack, no cameras monitoring it and no intrusion alarms set for it. The only thing protecting the contents was a padlock. Inside the shed were a few routers and two network cables--one leading into the control room of the plant and the other into the corporate backbone.

As frightening as this sounds, what's even more frightening is that the CEO of this particular corporation does not even use e-mail-- it's nearly unthinkable.

Clearly, this corporate leader does not understand the value of the IT infrastructure to his company, nor does he acknowledge the need to secure those systems. In failing to do so, he neglects shareholders, customers (including, in this case, public safety and national security) and employees. It would seem there is no greater sin in corporate management today.

Dan Lohrmann
CISO, State of Michigan
Develop a committee for guidance.

An executive-level committee of senior business leaders can provide guidance and direction on enterprise security matters.

I am involved in the Michigan Information Technology (MiTECH) Security Sub-Committee, which helps me address business risks.

Peter Gregory
Information security analyst, Western Wireless, CellularONE
You cannot outsource accountability.

You can outsource support, operations and accounting, but you cannot outsource accountability.

You cannot protect your computers until you know where they are and what's in them. An appropriate amount of risk analysis should precede every important IT and business decision.

Also, remember that hackers have fertile imaginations and don't play by the rules.

Jeff Moss
Founder, Black Hat
Know when you've been breached.

Having recently moved offices, it was time to get the office doors rekeyed. I realize that a thief could just kick in the door, bypassing the locks, but that would be very tamper-evident; I would know that I had been broken into, and could contact the insurance and the police. What I was trying to avoid was a situation where a thief could pick the lock and enter the offices without leaving a clue. Without knowing our security was breached, we would never improve it.

Dan Geer
Chief scientist, Verdasys
Until you can measure risk, you cannot keep score.

I got to listen to a full day presentation on how a major bank does its "value at risk" calculation--a way to summarize the current risk to a firm when risks interact. It's big and complex, and the person orchestrating the presentation got to the end of the day and turned to his audience to say, "Now, you may ask yourself, 'Why does this all work?' I'll tell you why--because there is zero ambiguity about who owns what risk."

In a flash, I realized the difference between his field (financial risk management) and mine (digital risk management): There may be zero ambiguity about who owns what risk, but there is 100 percent ambiguity in mine. If ever there was latent advice in an observation, this was it: Unless and until we can measure our digital risks, we will not be able to keep score. If we cannot keep score, then there is no motivation to get better. If there is no motivation to get better, then we won't get better.

The key is measurement, and it's the only way forward.

Radia Perlman
Engineer, Sun Microsystems
Accept the human factor.

Humans are incapable of securely storing high-quality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations.

They are also large, expensive to maintain and difficult to manage, and they pollute the environment. It's astonishing that these devices continue to be manufactured and deployed, but they're sufficiently pervasive that we must design our protocols around their limitations.

Howard Schmidt
Former national cybersecurity czar
It's all about the business.

Having started my security career in law enforcement and defense, the way to do security was pretty binary--either you did it, or you didn't. If you didn't have a great security plan, you didn't do the business at hand.

In my first private sector security job as the CISO at Microsoft, I was reporting to a person who didn't have a security background but was an expert at getting things done by applying lots of process and program management skills--neither trait was my strong suit.

After working together for a short period of time, it became clear that he was really a good person and manager, but wanted things done using good process and planning.

After reaching a level of frustration by explaining that security is about responding to and defending attacks, and that the business units had to change their way of doing things to comply with security controls, he gave me some great advice: "It's all about the business. Help the business departments build security into their processes and show them how it will enhance their accomplishments, and they will beat your door down wanting more."

I learned how to build process and management into the business of security, and the business of doing security has been much easier given his insights.

Bruce Schneier
CTO, Counterpane
There's no such thing as cheating.

Many years ago, I was at a crypto conference at the University of California, Santa Barbara.

A bunch of us were talking about some sort of security attack, Brian Snow of the NSA included. Someone made a suggestion that bypassed the security model, and I said, "That's cheating." In response, Snow gave me a look--that look was the best piece of security advice I've ever received.

There's no such thing as cheating. Security is a system: It's the cryptography, key management, software, hardware, user interface and procedures, and breaking security doesn't mean breaking it the way everyone thinks it should be broken. It might mean breaking the system in a new way, or breaking the system surrounding the security, or breaking the interaction between systems.

A good attacker cheats, and a good defender thinks about the ways an attacker can cheat.

Mary Ann Davidson
CSO, Oracle
Always take on a bigger challenge.

A fellow surfer told me this a long time ago: You can take off on a bigger wave than you think you can. This isn't security-specific advice, but it's useful to me, and aside from the fact I use it to pump me up for literally taking off on bigger waves, it's good advice for the security professional, too. You can usually take on a bigger challenge than you think you can in security.

Another way of thinking about this is that you miss 100 percent of the waves you don't paddle for. You don't get the feeling of accomplishment (or the adrenaline rush) by sitting in the channel cowering and not going after anything because you are afraid of wiping out.

Furthermore, you can still get annihilated by an incoming "sneaker wave," so doing nothing isn't always a good option, either. You either need to paddle for the wave (to catch it), or paddle at it (to go over it before it breaks) so you don't get wiped out and sent through the spin cycle.

The security world is like surfing in that the conditions change all the time, the medium is extremely fluid, and, yes, there are large predators out there that are a little scary to think about. But, all in all, it's a blast.

Nothing beats a big drop and a great ride, so go for it: Don't let fear of failure (or of the predators) keep you out of the water.

Sara Santarelli
Vice president of security, MCI
Don't be complacent.

If you aren't working an incident, you probably aren't looking hard enough, in the right places or in the context of the creativity of the bad guys.

You just can't be complacent with security given the rate of exploit and trend of issues we are facing today.