IT security can be a daunting topic – but the reality may be bleaker than many imagine, according to Christopher Rouland, CTO of ISS, and Daniel Ingevaldson, manager of technology strategy at ISS (now part of IBM).
ACN caught up with them at Hack In The Box Dubai in April.
Given the continuing rise of infection rates and failure of security, does the way companies such as ISS, IBM and others – as well as enterprises and consumers – look at security issues need to change?
Christopher Rouland: One of the assumptions we have to make today is that any client on the internet is currently infected.
The rates are very high – between one in four and one in ten – but when you’re doing business on the internet today, you have to assume that the end user has a very high potential of being infected.
We operate from that model: how can we provision security to the end user to make transactions secure for them. So that’s one of the big problems we’re trying to chase.
I think a lot of the base of the problem we’re talking about is the consumer – that is a space that definitely needs to change. Whether it’s one in four or one in ten – split the difference, call it 20%: it’s a pandemic environment.
If 20% of the human population was sick with one disease, we’d be trying to fix that. I don’t think this problem has got enough airtime, because these vendors that are providing client security to consumers have failed.
It’s now a public safety issue, a public health issue – and unfortunately there’s no real business model out there.
The real challenge there is no one wants the phone call: no one wants the consumer to call, because the call costs more than any revenue they’d ever make. On the other hand, there is a big business model for the enterprise.
If there’s a business model for securing the enterprise, why are enterprises still infected: is it because the technology is still of mixed quality, or because enterprises themselves are not implementing it effectively?
CR: I’d give you a third answer – the management of multiple vendors’ security products is simply untenable. Trying to run a different management console for every security product is where the ball’s getting dropped.
So just as we’re seeing consolidation in the security space, we’re seeing that consolidation solve this problem. One reason is because the Fortune 50 want to spend their money with a few vendors, not with 20 vendors.
The average enterprise has 32 security vendors – you think anyone can get that working? Our customers want to buy more from us, they want us to manage more for them.
Just as people pay someone to monitor alarms in their homes – they don’t want the alarm to beep them and tell them their house is on fire, they want it to call the fire department.
Enterprises want spending consolidated with one vendor so they get better value, but also they want more control over their vendor, and they want someone else to manage it.
There’s been a lot of interest in attacks against core enterprise applications – is this the next wave of security threats?
CR: It’s not next, it’s now! Nick Donofrio, who’s basically head of all technology at IBM, refers to application security as “the hackers coming in through the chimney”.
It’s a funny metaphor, because we never expected them to come in that way – I wouldn’t say never, actually, because over the last few years we realised, as we saw the number of vulnerabilities, and as we made web applications easier to write, the denominator became lower to deploy them.
They’re happy to get stuff working, they don’t make sure it’s secure.
Daniel Ingevaldson: There are some inherent differences in how application security is managed by a corporation today; if you look at your Microsoft boxes running an Oracle database, if there’s a vulnerability in that code you go to Oracle or Microsoft – or oftentimes they come to you – for patches.
They own that problem – and you hold their feet to the fire to resolve issues.
Most of the time applications are built over decades, in some cases, from all sorts of different components, owned by all sorts of different people – a lot of the time, the code is owned by the corporations themselves.
How do you maintain this, how do you assess this? It’s very difficult, because the code is infinitely variable.
When there is a security breach in the US, and to an extent Europe, there is automatic disclosure. Here the culture is completely different, with no disclosure – does this run the risk of enterprises saying “security threats are nothing to do with us”?
CR: I think it’s a false sense of security – I think you’ll find that many organisations here are compromised, and they don’t know or they’re not reporting.
DI: The primary difference between the security environment in the Middle East and the US is that we have more information in the US – and that’s only because of disclosure laws.
Chris and I have been at ISS for ten years, and we’ve had a hard time quantifying what we’re trying to do, because there was no data.
Now, there’s almost too much data – and this drives everything that we do, and it leads to a much freer discussion about what the true problems are.
Bruce Schneier’s talk [at Hack In The Box] was about the mapping of the security feeling and the security reality – and when those two things are separate, that’s when problems ensue.
I guess you can extrapolate from this, that when you have no data and no sense of security or insecurity, the reality can be completely divorced from that – and definitely causes problems, and potentially the misallocation of resources here by organisations who don’t know their security status.
So what’s the answer for regions such as the Middle East, in terms of making enterprises aware and motivated to solve problems?
CR: I think the flipside might happen here – companies differentiating themselves on security. Instead of reactively spending on security to cure problems, they’ll go out to customers and say: “We have the most secure bank in the Middle East, here’s what we’ve done, that none of our competitors have done.”
In any financial services organisation, any B2C enterprise, there’s a great potential to establish leadership here – and I think that will fit well with the culture.
There will certainly be some compelling events or “near-death” experiences – we have them every week in the US, where some company almost goes out of business, or does go out of business, because of some breach. And it will happen here in the Middle East, eventually, regardless of whether there’s disclosure laws.
But I think the opposite may be more effective here – I don’t know whether they’ll have disclosure laws here or not, but I would guess probably not.
The direction IBM was taking its new acquisition became clear when it announced the security firm would be rolled into IBM’s services arm instead of its software division. IBM wanted a slice of the growing security services market – worth $22 billion at the time – as well as the ability to offer a broader services portfolio.
IBM has increasingly focused on its services division in recent years, reducing its emphasis on hardware sales, especially evident in its sale to Lenovo of its personal systems division in 2005.