Information Security

Defending the digital infrastructure



Security 7 Award winners tackle important information security issues

The 2008 Security 7 Award winners have their say on information sharing, perimeter security, relationships, convergence, strategy, history and progress.


Ready for a history lesson? How about some thoughts on convergence, information sharing, relationship management or developing a strategic plan?

If you answered yes to any of those, then feel free to turn the page and read personal essays from the 2008 Security 7 Award winners. In their own words, this year's selections lay out their takes on these topics and more, drawing from years of experience in building security programs, executing important projects and meeting rigorous corporate and regulatory demands. This is the fourth year Information Security has handed out the Security 7 Awards, but the first time we've afforded our winners such a forum. Security professionals need to be heard, and you need to read what they have to say.


Security 7 Winners




secure collaboration
Perimeter Buster by Bill Boni

Safely leapfrogging the perimeter firewall can enhance innovation and provide the right balance of access and security.



Bill Boni
  • TITLE Corporate vice president, information technology and security
  • COMPANY Motorola
  • INDUSTRY Manufacturing
    • Board member: International Society for Policing Cyberspace; Information Systems Audit and Control Association (ISACA); Certified Information Security Manager's (CISM) certification (ISACA).
    • Author of I-Way Robbery: Crime on the Internet, High Tech Investigator's Handbook: Working in the Global Environment and Netspionage: The Global Threat to Information.
    • Past chairman of the American Society of Industrial Security (ASIS) Council on Safeguarding Proprietary Information.
    • Past chairman of the Information Technology Governance Institute (ITGI).


Bill Boni is a 30-year information protection veteran who continues to develop innovative security and risk management programs in step with changing business and IT trends.
Security practitioners frequently face the challenge of how to help their organizations deal with threats to information assets. Too often, they must focus on the negative part of the job: stopping bad actors, preventing attacks, patching systems and detecting insider threats. These activities are absolutely necessary, but, after a while, these tasks can become, at best, tiresome, and at worst, an excuse for dismissing opportunities to remain relevant and solve other problems.

In 2007, the Motorola information security team started a project to find better ways to protect key information assets while also enabling employees to be more innovative. First, we changed the way we looked at firewalls. The perimeter firewall has been a primary tool for protecting networks, enabling appropriate connections to the outside and controlling unauthorized traffic in and out of the enterprise. While providing protection, this also creates barriers to the kind of ad hoc, unstructured and unpredictable needs for communication that are imperative in the age of mobility.

So we implemented a novel security concept called enablement zones (E-zones), a logical collection of users, software applications and systems that have similar need for connectivity and protection. They embrace the need for increased protection without suppressing innovation and mobility. E-zones facilitate sharing of information with mobile employees, business partners and customers, while improving the protection of critical data. For the more than 65,000 individuals in 50 countries, E-zones eliminate the traditional corporate firewall perimeter and historical friction that security compliance generated. A business unit, department or functional unit can support any number of E-zones, and there can be any number of systems per zone. E-zones can be short-term or permanent.




The E-zones architecture abolishes the status quo concept that physical location is a reliable measure for protecting organizations against risk of information leaks. E-zones empower business managers to select the right balance of network protection and connectivity for their applications and other digital assets.

E-zones have been designed and built to feature:

  • Ease of use

  • A well-defined information protection posture, balancing protection and connection

  • A set of roles defining typical user activities and access rights

  • Roles organized and defined for any business, operational, financial or risk management criteria

  • A specific level of network performance and quality of service.

The business benefits are dramatic. E-zones slashed secure partner integration time from two months to days, enabled deployment of business-critical dashboards to more than 10,000 smart phones, and facilitated collaboration by more than 60,000 staff members.

E-zones are vital to the company's culture of innovation, increasing flexibility for interpersonal and interorganizational communications with substantially reduced friction to the creative processes essential for new products. The results prove we can have better protection with increased flexibility, a necessary combination in the hyper-competitive global marketplace.


biggest security worry
That the "bad actors" have now gone covert, and will be (or perhaps already are) using sophisticated exploits to commit crime and information theft...some of them with the advice and assistance of their national intelligence service.

military buff
Downtime includes reading up on history, hand painting military miniatures and playing tabletop war games.

Must have: Sun Tzu's The Art of War. "Technology changes (rapidly!), but the essential principles of conflict between opponents remain unchanged over the centuries."

security hero
Benjamin Franklin, for being instrumental in establishing the country's first police force.



building relationships
Relationship Expert by Mark Burnette

Making connections inside and outside the enterprise helps foster a healthy security organization and career.



Mark Burnette
  • TITLE Executive director of IT operations and security
  • COMPANY Gaylord Entertainment
  • INDUSTRY Retail
    • A certified public accountant (CPA)
    • Has compliance and security responsibilities for Gaylord Entertainment's 14,000 employees, nearly 5,000 servers and network devices spread across numerous properties, including the Grand Ole Opry.
    • Collaboration with vendor ArcSight to develop custom event collectors for each Gaylord property, as well as a master collector at headquarters.
    • Organization monitors 79 million security events daily.
    • Events are correlated to 20 that are investigated by Burnette's team.
    • Strategy saves up to 2 GB of storage daily.
    • Distributed collectors provide a measure of fault tolerance.


Mark Burnette leverages hard-earned relationships among colleagues and suppliers to improve the efficiency and effectiveness of his organization's information security program.
When I was in high school, a man from Junior Achievement spoke to our class. He told us that many times in the business world, opportunities come about by who you know, rather than what you know. The speaker was not telling impressionable high school students that their education wasn't important. Rather, he was pointing out that education is one of many life experiences needed for success in the business world.

He was right: The ability to build and leverage strong relationships is indeed a key element in the success of today's information security executives. To build a successful program, CISOs must align themselves with many departments within the organization, including internal audit, legal, HR and, sometimes the most difficult, their own IT department. If any of the leaders in these groups don't recognize and appreciate the role of the CISO, the CISO's effectiveness will be significantly weakened, because an opposing senior executive may create roadblocks or delay progress.

Conversely, the ability to build relationships with others within one's organization creates opportunities to advance security initiatives.





Throughout my career, many of my work experiences have been created through business relationships I've developed with my peers and other security leaders. My first invitation to go into the boardroom came about because my company's external auditors suggested to the CFO and CIO that information security would be a relevant topic of discussion for the audit committee. Of course, the exposure to my company's senior executives through my board presentation proved invaluable in furthering many of the security initiatives we were working toward.

Several jobs I've held were offered to me because of relationships I made with someone working at those organizations. Each job provided even more opportunities to build relationships with coworkers and vendors, which provided additional learning opportunities and career development. In each role, effectively collaborating among teams and implementing security technologies in innovative ways has been a key tool for building rapport and strengthening ties among IT staff.

For example, when we rolled out a SIM at one company I worked for, we provided the remote IT teams with view-only access to the event console; this gave them additional visibility into their environments. More importantly, this gave them a sense of ownership of the initiative and the tool, helping ensure their ongoing support for our critical monitoring initiative, which otherwise risked being viewed as "big brother" spying on them. In another organization I worked for, a strong relationship with the legal department provided the support needed to get a critical compliance initiative funded.

I am honored to win the Security 7 Award. There are many leaders within the security profession who are deserving of this recognition. The interesting thing about being recognized by your profession is that you have to be nominated by someone who believes you worthy of recognition, which, like most other opportunities, stems from the development of strong working relationships. I guess that Junior Achievement guy was pretty sharp indeed.


unwinding with ... sitcoms
Big fan of "According to Jim," "Two and a Half Men" and his all-time favorite, "Coach."

hometown team
Favorite professional sports franchise: Tennessee Titans

what you don't know
Biggest security worry is the unknown: "If a risk is known, even if it isn't adequately addressed yet, it can be quantified and communicated. [Unknown risks] are ones that can really bite an organization."

he's got pipes too
Sings in an a cappella quartet, and harbors dreams of being a professional vocalist.



security for the masses
Primary Care by Michael Mucha

Security cannot be a discipline unto itself; it must serve all entities in the enterprise.



Michael Mucha
  • TITLE Chief information security officer
  • COMPANY Stanford Hospital
  • INDUSTRY Health care
    • Manages a 30-person security team.
    • Primary focus is security risk to student and patient data, compliance and business considerations.
    • Relies on outsourcing and software as a service to address operational security tasks.
    • Built an ecosystem of vendor technologies, services and support to augment the experience of his team.
    • In the midst of a four-year clinical information security project that addresses privacy and regulations.
    • Helped create the Stanford University Medical Center Network, a secure collaboration and communications network enabling appropriate access to apps, research and administrative systems.


Michael Mucha's attention to secure collaboration and proactive investments in SaaS and other outsourcing ventures enable his team to focus on risks specific to the Stanford Hospital environment.
An executive I barely know recently dropped off a parcel in my office, something I was nonetheless expecting. A few hours later he mentioned it to me in a meeting, with both humor and trepidation: "I was nervous about going into the security officer's office when he wasn't around." Hearing that I thought, "My office doesn't have a whole lot of sensitive data in it. I don't have access to the financials. The HR investigation reports are on a server elsewhere. My screen is locked. Why should my office be a little fortress, compared to the cubicle the junior accountant populates?"

Sensing that the particular moment wasn't right for a speech on security philosophy, I quipped, "You know, it wasn't a problem because the lasers didn't activate." This drew hearty laughs.

This anecdote illustrates a commonly held belief that security is not a meta-discipline that serves all walks of enterprise life, but rather that "security is what security people do." Lay people, i.e., those who aren't full-time security pros, tend to think about security to the extent that security people bug them about it. Security is a bunch of paranoids creating ridiculous things with lasers and so forth, while the business moves along on its own.




A lot of this is the fault of security professionals. Far too many of us see security as an end unto itself. Many don't realize that simply finding a policy violation does not equal success. It's no wonder those outside of security often treat security as some weird realm to be entered at your peril. This attitude places an upper limit on meeting security requirements, because security activities are generally viewed somewhere between necessary evil and unnatural act. The security team walks into meetings with the de facto goal of serving as a random requirements generator lobbing overhead onto the project, rather than consciously moving the business forward by solving problems using a specialist's toolkit.

Some people, when given a hammer, would rather hit someone with it instead of using it to build a house.

In our corner of the enterprise world, the security team is composed of Security Conscious Problem Solvers (credit my enterprise security architects Bryan McDowell and Barbara Vibbert for this phrase). We're here to solve business problems, and recognize that when your eye is on the ball of customer satisfaction, revenue, scalability, connectivity, etc., you can miss out on the need to cover security requirements as well. Security work needs to promote business needs, not just implement some set of rules that looked good in the abstract when someone wrote them down. The intent of the rules needs to be understood. The rules need to be clear and repeatable as much as possible.

The security team always needs to be open to the possibility that the rules are wrong and need to be changed. That's harder than saying "No" formulaically, but it's sustainable in the long run.


not so twitter-ific
"It's a service to subscribe to interruptions."

ipods are for...
"Most of the time, it's iTunes U, tech and science podcasts. Duguid's History of Information class at Berkeley is an eye opener."

cross-country devotion
Favorite sports franchise: University of Miami Hurricanes

just plain folk
If there's still room on his iPod, chances are there are a few Neutral Milk Hotel tunes to be found.


convergence and information sharing
Convergence Model by Marc S. Sokol

Integrating operational risk and sharing vital information serve the greater good.



Marc S. Sokol
  • TITLE Vice president, chief security officer and head of operational risk
  • COMPANY The Guardian Life Insurance Company of America
  • INDUSTRY Financial services
    • Successfully converged operational and security risk management services.
    • Provides a single risk management resource for business and support units.
    • Chairs Guardian's operational risk management subcommittee.
    • Program reports to Guardian's risk management committee and audit committee of the board.
    • Developed and instituted a building permit process, in conjunction with the corporate project management office, that evaluates risk in IT and business projects.
    • Active member of the Financial Services Information Sharing and Analysis Center.


Lauded by his peers as a visionary and difference maker, Marc S. Sokol's advocacy for information sharing and the convergence of risk and security operations is the type of leadership more need to emulate.
A prominent executive, inspirational leader and mentor I know tells me time and time again that successful business, like life, means taking calculated risks, overcoming challenges and obstacles, and maximizing new opportunities. In many cases, this means embracing new ideas and charting new territories.

Security organizations need to enable, not inhibit, these opportunities, fortify the road they take and ultimately build confidence in the country's critical financial services infrastructure. Just as we insure our families to protect their future, we must also insure the financial services infrastructure in order to be strong and resilient in the face of growing threats for generations to come.

We can realize this vision in two steps: integration with operational risk and information sharing.

Through these two steps, we position our organizations to maximize performance and productivity, take calculated risks that are in the best interest of shareholders and customers, and more efficiently adapt and respond to our changing environment and the threat landscape.





Operational risk is naturally present in all business activities and incorporates a broad range of risks, including reputation, legal and regulatory risk; business disruption and system failures; information security and privacy; employment practices and workplace safety; processing errors; theft and fraud; and damage to physical assets. An organization's ability to drive an effective and practical operational risk management program with corporate-wide governance practices, values and integration sets the foundation for managing these risks effectively. This foundation can be further fortified if we are willing to advance opportunities to converge security and operational risk management disciplines and to share information--resulting in more efficient and effective business services.

Break down internal silos among executive business leadership, risk management, facilities, physical security, business continuity management, fraud, information security, privacy, IT, human resources, compliance, etc., and work together to seek opportunities for operations excellence.

Information sharing also means actively participating in external information sharing forums with peer companies. One such example is the Financial Services Information Sharing and Analysis Center (FS-ISAC), founded under presidential directives and embodying a public-private information sharing partnership. Forums like FS-ISAC create a virtual fusion center where ideas, threats and intelligence can be gathered, analyzed and communicated efficiently.

By sharing, issues are identified early in order to contain and resolve risk, impact and exposure to participating organizations. More importantly, it provides a platform to team up against terrorism and other threats that impact our industry and day-to-day lives. By participating in initiatives like the FS-ISAC, we are not alone.

Ultimately, I believe that breaking down the barriers to convergence and information sharing is a broader responsibility we all share--and only by working together can we protect the future of this country's critical financial services infrastructure.


Steve Katz, known to many in the financial services community as the grandfather of information security and world's first CISO.

breaking away
Motorcycle riding; off-road dirt biking; motorcycling with youngest son; or mountain biking with both sons.

must-have book
Not a security book: Crucial Conversations – Tools for Talking When the Stakes Are High by Kerry Patterson, Joseph Grenny, Ron McMillan and Al Switzler.

guitar hero
John Mayer is a favorite, in particular "Say" and "Route 66."



industry progress and attitudes
Progress Report by Gene Spafford

Uniform security among IT systems is nonsensical, yet that attitude still prevails in many instances.



Gene Spafford
  • TITLE Executive director, Center for Education and Research in Information Assurance and Security (CERIAS)
  • ORGANIZATION Purdue University
  • INDUSTRY Education
    • Founder and executive director of the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University.
    • Renowned adviser to government and industry.
    • Along with Steve Weeber, is credited with defining the concept of software forensics and aiding in the first prosecution of a virus writer.
    • Developed and released the COPS network security scanner.
    • Along with Gene Kim, developed the first free intrusion detection system, Tripwire.
    • Coauthored the seminal Practical Unix Security with Simson Garfinkel.


'Spaf' is one of the most influential security and risk management thinkers. His work has made CERIAS one of the top security research centers in the country, doing top work in risk management, privacy and other disciplines.
I'd like to introduce a theme I have been speaking about for nearly two decades by taking a long view of computing. Fifty years ago, IBM introduced the first all-transistor computer (the 7000 series). Transistors were approximately $20 apiece, and storage was about 10 cents per byte (both measured in current dollars). Costs and capabilities have changed by a factor of tens of millions in five decades.

Yet, despite the incredible transformations in hardware, operating systems, databases, languages and more, overall information security may be worse now than it was in the 1960s. We're still suffering from problems known for decades, and systems are still being built with intrinsic weaknesses, yet now we have more to lose with more systems coming online every week.

Why have we failed to make appreciable progress? In part it is because we've been busy trying to advance on every front, and have every system perform all possible tasks. There is a general lack of awareness that security needs are different for different applications; instead, people seek uniformity of OS, hardware architecture, programming languages and beyond. Ostensibly, this uniformity is to reduce purchase, training and maintenance costs, but fails to take into account risks and operational needs. Such attitudes are clearly nonsensical, so it is perplexing they are still rampant in IT.





For instance, imagine buying a single model of commercial speedboat and assuming it will be adequate for bass fishing, auto ferries, arctic icebreakers, Coast Guard rescues, oil tankers and deep water naval interdiction--so long as we add on a few items. Fundamentally, we understand that this is untenable and that we need to architect a vessel from the keel upward to tailor it for specific needs, and to harden it against specific dangers.

Why can't we see the same is true for computing? Why do we not understand that the commercial platform used at home to store Aunt Bee's pie recipes is not equally suitable for weapons control, health care records management, real-time utility management, storage of financial transactions and more? Supporting everything in one system results in unwieldy software on incredibly complex hardware chips, all requiring dozens of external packages to rein in problems introduced by the complexity.

The situation is unlikely to improve until we start valuing good security and quality over the lifetime of our IT products. We need to design systems to enforce behavior within each specific configuration, not continually tinker with general systems to stop each new threat. Firewalls, IDS, antivirus, DLP and even virtual machines are used because the underlying systems aren't trustworthy.

A better approach would be to determine exactly what we want supported in each environment, build systems to those more minimal specifications, and then ensure they are not used for anything beyond those limitations. To use some current terminology, that's whitelisting as opposed to blacklisting. It's also craftsmanship--using the right tools for each task at hand, as opposed to treating all problems the same because all we have is a hammer.

As an academic, I see how knowledge of the past combined with future research can help us have more secure systems. The challenge continues to be convincing enough IT professionals that "cheap" is not the same as "best," and that we can afford to do better. After all, we no longer need to pay $20 per transistor.


intolerable tolerance
Biggest security worry: "Once we begin to tolerate or accept bad behavior, we've lost the battle against it."

polar opposites
Has visited Tasmania and the Isle of Jersey, as well as Tromso, Norway, which is north of the Arctic Circle.

If you weren't a security professional, you'd be a...
"That's actually what I consider myself to be first and foremost now, with inventor second."

favorite musician/band
The list is eclectic:
Tangerine Dream, Everything But the Girl, Genesis and Phil Collins, Joe Satriani, Pat Metheny.



a personal history lesson
Memory Lane by Martin Valloud

Systems and security have matured in parallel, but some still appreciate the good old days.



Martin Valloud
  • TITLE Enterprise platforms team lead
  • ORGANIZATION Rogers Communications
  • INDUSTRY Telecommunications
    • Sets corporate IT security strategy.
    • Focus is group policies management, patch management, and security scripting and auditing.
    • Responsible for safety of 35,000 workstations and servers.
    • Crafted patch management policies and procedures, testing and deploying fixes without disrupting business.
    • Leverages vendor relationships to build better patch management and virtualization solutions.
    • A 20-year veteran of IT security.
    • One of the first people to be certified on Windows Server 2003.


Martin Valloud appreciates the urgency of uptime and availability, and leverages his experience and industry resources to build resilient patch management systems that keep Rogers Communications up and running.
I still remember my first days online. I had my XT PC with a fast 4 MHz processor, a 10 MB drive and a whopping 640k of RAM, for which I paid a fortune. DOS 5.0 took a few seconds to load, and then I browsed my drive using Norton Commander to launch a Telemate terminal. The thing was magical; you typed ATDT and then the phone number, and my 2400 baud modem was singing for a few seconds before you were online.

I remember the excitement I felt after seeing the banner and saying, "Awesome, I'm online! Now what?"

I had some friends who warned me not to forget the floppy drive inside, because the Michelangelo virus was in circulation. Nobody knew much about what that meant, but we started buying antivirus software. There weren't many options back then, so I got my F-Prot package on a floppy that you installed and set up in about a minute. Also, now I had a reason to log in to my BBS [bulletin board system] to download the antivirus definitions once a week.

Back then there was not too much worry about security in the corporate IT environment--not on Novell or on NT 3.5. My first manager once said to me, "This NT box runs non-stop for three months, and then it crashes itself. What is the reason to patch it? Or even install antivirus to slow it down?" Of course this all changed once viruses began hitting the boxes, and we were staying all weekend to rebuild them. Then our mindset shifted to paranoia, and we started the patching process.





I learned a lot about security and the patch management process during those days, patching NT servers at 3 a.m. and praying for the servers to come back online after the restart. Backups were done once a week if at all, and offsite tape storage was just a fantasy.

Information services on the Web were just starting too. A few forums were available about security, and people were talking about how the Ping of Death can bring systems down if SP4 for NT hadn't been applied. At that point we all started deploying service packs, and our transition to full-time paranoia mode was complete.

These days of course, you would not even consider connecting your box to a production network unless it had the latest service pack, patches, antispyware, antivirus, a firewall, and was properly maintained.

Today we have more reliable OSes. We have patching solutions that scan and patch thousands of servers, compliance tools, auto-update antivirus, group policies that secure the servers, firewalls and IDS. We have rootkit detection, daily backups, off-site storage, books, forums, blogs and more. And still, you'll never have a 100 percent secure box, unless of course the network cable is disconnected.

Security is a never-ending story. It changes and mutates, gets better, faster, more complicated and fun. Sometimes, though, I miss the old BBS days.


blog stops

  1. Trika's Blog for Microsoft
  2. Rory McCaw's MOM Blog (Microsoft Operations Manager)

plan b
If I wasn't running security for a large telecommunications giant in Canada, I'd be a parachuting instructor.

exotic escape
A small town in the South of Chile called Punta Arenas, located where the Atlantic and Pacific oceans meet.

iPOD shuffle
Three songs buzzing through his buds: Pink Floyd - "Marooned," Genesis - "Mama," ZZ Top - "Rough Boy."



strategic planning
Prerequisite Strategy by Mark Weatherford

Ignore strategic planning at your own peril.



Mark Weatherford
  • TITLE Executive officer
  • COMPANY California Office of Information Security and Privacy Protection
  • INDUSTRY Government
    • Appointed in April to this new office by Gov. Arnold Schwarzenegger.
    • Former Naval cryptology officer.
    • Six years as Colorado CISO.
    • Proactive about data protection and governance.
    • Developed a Data Governance Working Group that defined the data security lifecycle for state agencies.
    • Initiated a threat and vulnerability management program (TVMP) that reviews and tests Web applications for security issues.

  • Other initiatives:
    • Enterprise, statewide security policies
    • Critical system inventory program
    • Laptop encryption deployment
    • Incident response program
    • Outreach and training programs


Mark Weatherford is a prolific strategist and planner whose skills built an all-encompassing information protection program in Colorado, covering everything from policy creation to threat management.
I've spent considerable time recently pondering that mystical subject called strategic thinking. I'm not sure why it's considered mystical, but as I talk to colleagues in the public and private sectors, people roll their eyes and take on an aura of resignation when they talk about developing a Strategic Plan.

After some interesting discussions over the years, I've concluded that much of our strategic thinking efforts and subsequent strategic planning amounts to little more than brainstorming drills that happen to occur around a certain time each year. The result is typically more of a tactical plan than a real strategic vision for our security organization. Why?

Here's an interesting thought--we're in a tough business where decisions can (and do) cost a CISO his or her job, so when it comes to dividing resources between the strategic-of-the-future and the tactical-of-the-now, perhaps it's simply a personal economic decision to keep a roof over one's head and bread on the table. Maslow said it first! Can you relate?




strategic planning
Prerequisite Strategy by Mark Weatherford

When the wolves are at the door--and they're at the door every day--it can be difficult to focus strategically on where we think the threat may be in three or five years and what our reaction should be. That, however, does not preclude the requirement for the CISO to set the strategic course.

So once a year, we gather our team at an off-site meeting to create--drum roll, please--the Strategic Plan, which often ends up being more tactical than strategic. The result is that we end up without a true strategy because we haven't devoted the deep thought necessary to create a vision worthy of being called a Strategic Plan. I've done the annual strategic plan dance more times than I care to admit because creating a Strategic Plan takes real time and real effort, which is difficult to justify when you find yourself in more of a firefighter role than a CISO.

Perhaps if we'd done a better job as an industry in our strategic planning and thinking, we wouldn't be overrun with the poorly coded applications we have today that just beg for a hacker's attention. In retrospect, my strategic thinking should have focused more on these kinds of big problems that have business implications, because as we all know, business is typically what suffers when you have a security incident. I knew legacy applications were vulnerable to the kind of command-execution and client-side attacks we are seeing today, and you probably did too. Have we just been too focused on Patch Tuesday vulnerabilities or the latest vulnerability assessment results? When did application security show up on your Top 5 list of things to worry about? Think about it--we've known about the problem of protecting personally identifiable information for years, but when did it become your No. 1 priority?

I think times are changing in most business circles, and hopefully security is finally being appreciated as being business critical. Perhaps not always happily, but recognized nonetheless, due to the growing regulatory environment, increasing requirement to protect intellectual property--and in the government sector, the need to guard our citizens' perception that we are protecting their personal information. So while it takes a degree of boldness to look into the future, I believe CISOs neglect true strategic planning at their peril because real success is impossible without the road map a strategic plan provides.


On the iPod: Andrea Bocelli and Il Divo for quiet times; Warren Zevon, Green Day and Eminem for running and working out. Big Jimmy Buffett fan too.

my famous boss
Appointed by Gov. Arnold Schwarzenegger to the newly created Office of Information Security and Privacy Protection.

security heroes
Alan Paller of the SANS Institute and Alfred Ouyang of MITRE Corp.

last vacation
White water rafting in Colorado, where he also competed as part of a team that ran the 195-mile Wild West Relay race.



Q&A Catching Up with...
Dorothy Denning


A professor and information security pioneer, Dorothy Denning won the 2006 Security 7 Award in education. She continues to teach at the Naval Postgraduate School in Monterey, Calif., with a focus on cyberterrorism and cyberwarfare.

ON THIS SUMMER'S DDoS ATTACKS ON GEORGIAN GOVERNMENT WEBSITES: I haven't seen any good evidence it came from the Russian government, but who knows. Clearly a lot of hacker activists were involved in that, much the same as with Estonia. You could see Web forums where Russians were advocating conducting these attacks and telling people how to do them.

ON THE POTENTIAL FOR CYBERWARFARE AND CYBERTERRORISM: I don't know; I don't like to speculate too much. There are plenty of people who are happy to do that, and tell you either there's nothing to worry about or we really should be very worried because they'll go after the electric grid and all that kind of stuff. I don't know what will happen. The history of it is that it seems to be something mostly that people do on their own initiative, maybe in small groups. It looks more like hacker warfare to me. You have conflicts taking place on a state level, but now what you have are these citizen warriors who are joining in and doing their thing. It's kind of chaotic; I don't think the state has control over it. Maybe some governments inspire it, and maybe they sort of condone it by not doing anything about it.

ON HER CURRENT CLASSES: One is on Conflict in Cyberspace; we look at the cyberwarfare issues. We don't do too much in the way of security in that class, although in the class next week, we look at the broad homeland security issues. The other class I teach is called Trust Influence in Networks, but it's about social networks, so a lot of it is just on building trust, social influences and underground networks and how you might undermine terrorist networks. I do a lot on terrorist networks. It's more psychology and social science; it's nothing about information security.

ON HER RECOMMENDED READING: One of the best books I've read in the last year on security is Geekonomics by David Rice. He looks closely at all the problems that come from faulty software. You start thinking about should there be more liability put on the vendors, should there be more requirements put on the vendors to develop better software, how do we deal with that issue. It's a very thought-provoking book; I recommend it.

by the numbers

LinkedIn or Facebook?
Our Security 7 winners are unanimous in their LinkedIn love.
LinkedIn 7*
*Four of our winners also have Facebook profiles.

The 2008 Security 7 winners like Barack Obama for president by a narrow margin:
*Four v. Three

Five of the seven 2008 Security 7 Award winners hold the Certified Information Security Manager (CISM) certification.

The iPhone 3G has not turned many heads among the Security 7 Award winners;
only two have taken the plunge and bought the phone.


