Former NSA technology boss Prescott Winter has a word for the kind of security he sees even at large, technologically sophisticated companies: Appalling.
Companies large enough to afford good security remain vulnerable to hackers, malware and criminals because they tend to throw technological solutions at potential areas of risk rather than focusing on specific and immediate threats, Winter said during his keynote speech Oct. 1 at the Splunk Worldwide User’s Conference in Las Vegas.
“As we look at the situation in the security arena… we see an awful lot of big companies – Fortune 100-level companies – with, to be perfectly candid, appalling security. They have fundamentally no idea what they’re doing,” Winter said, according to an Oct. 2 story in U.K. tech-news site Computing.
During almost 28 years at the National Security Agency (NSA), Winter established the spy agency’s Technology Directorate and served as the agency’s first CTO. He also held positions as the NSA’s CIO, its deputy chief of Defensive Information Operations and, oddly, as chief of Customer Response.
He is currently managing director of Chertoff Group, the strategic management and security consultancy established by Michael Chertoff, secretary of the Dept. of Homeland Security under Pres. George W. Bush and co-author of the USA Patriot Act.
Digital security threats to large companies are becoming far more common and far more serious, Winter said. In less than a decade, typical attacks have evolved from attempts to smear a corporate reputation or deface a web site to DDOS attacks, extortion, direct theft of money, identities, credit-card fraud, bank fraud and theft of intellectual property widespread enough that it is “more than anybody can calculate or begin to make sense of,” he added.
The most effective approach is to match IT security to a company’s lines of business and most valuable assets, not simply reinforce security built to match a network or system topology. Making good rules for security isn’t enough, either: They have to be enforced. “You’ve got to audit and make sure that people are following the rules. Minor mistakes lead to vulnerabilities,” he said.
Even figuring out what to protect requires the same kind of big-data analysis many companies use to identify new markets or develop new products, but that few actually employ to identify their own most valuable assets – both physical and intellectual property – and define how those assets contribute to key strategic business goals, Winter said.
But it’s not enough to do that analysis and protect those potential targets once in a while; it has to be done regularly, almost continually, using information that is close to real time rather than archived. “Big data is the thing that makes the risk management approach work. It’s being able to see enough of your enterprise with enough information that you can actually understand what’s going on,” he said. “Security has to start with a clear definition of what matters to your enterprise. What makes you special?”
Effective security is not limited to building a series of firewalls and data-protection policies. Good security is a process that requires the constant collection and analysis of data on the business and its competitive environment in order to be ready to counter threats before they become attacks, let alone breaches.
“Many companies today don’t discover that they’ve been attacked for months,” Winter said. “The key is to catch breaches quickly.”