Listen to or download the entire 10:07 podcast below:
What follows is a transcript of my discussion with Mike Rothman, top analyst and founder of the website Security Incite, where we discuss if things are ever going to get better with security, the concept of 'endpoint security', five reasons for security from a business standpoint, whether 'Patch Tuesday' is outdated, corporate compliance, and finally, Rothman's own 'The Pragmatic CSO Bootcamp.'
The first time you were here, I asked you how things would get worse before they would get better. This time, I’d like to start out by asking how you ever see things getting better with security.
Well, you know, one point of view is that if we don’t ever see it getting better, why do we even bother? So, I’m not necessarily a defeatist by nature, although I assume many security folks are. I just think we have to get back to the basics, you know. We’ve really made security a lot more complicated than it needs to be. There’s a new device for every new type of attack and it is very complicated and the problem space and the attack surfaces are very broad but, you know, as you mentioned, in my book, “The Pragmatic CSO”, what I talked about is the idea of trying to contain risk by doing some fairly simple things ahead of time and really monitoring your environment very aggressively because, again, I don’t believe you can really get out ahead of the threat.
What you have to be able to do is react a lot faster. And that means you have to know what is happening on your network, you have to know what is happening on your devices and within your applications and when something is a little bit amiss there, then you have to be able to react quickly, figure out if it is an issue. And if it is an issue, then obviously jump into an incident response type of process very quickly to make sure that you are containing damage because I just don’t think this idea of buying another widget is really going to solve the problem.
Now tell me how anti-virus is evolving into what you refer to on the Security Incite website as “endpoint security”?
That’s actually a great question, because for a long time everybody just kind of assumed that anti-virus equaled security. So, hey, I’ve got anti-virus on my desktop and life is good. With the sophistication of the attacks now, as well as the general maturation of the business, where we’re at is really a set of, I’ll call them security applications that happen to run on your desktop that are all basically managed by a common, certainly if you’re in an enterprise or a mid-size business, a common management framework that gives you things like anti-virus, anti-spyware and maybe something called application control that only allows you to run applications that have been authorized and a VPN type of client to make sure that you can connect into your network resources regardless of where you are in the world or on the network.
What’s happening is that you see companies like Symantec and McAfee and Sophos and Trend and all the big anti-virus vendors, Webroot coming at it from an anti-spyware standpoint, really continuing to add value to their general suite because there’s a new entrant here and I think a few people out there are familiar with them. They’re called Microsoft and that’s obviously going to really push the existing incumbents in the security space to continue to add to their value proposition because you try to fight Microsoft on their turf and I’m pretty sure that game doesn’t end too pretty.
Now, while I believe that most businesses are concerned with security, why do you think they need to think about security in a business context?
That’s actually pretty simple because the people that pay the bills, regardless of what organization you work in, they think about things from a business context. So, if you come in as a Security Professional and really expect them to worry about cross-site scripting attacks you probably need to have your head examined. You know, the folks that sit in the C-level positions are interested in, basically, a couple of things and I break that down in The Pragmatic CSO into basically five reasons to secure:
1) Maintain business system availability
2) Protect Intellectual Property
3) Limit corporate liability
4) Protect the corporate brand
5) Ensure compliance
In every kind of business problem, every security capability that we can bring to the table can really be couched within a value proposition of one of those five different things that we’re trying to achieve for the business. So, don’t talk about, “hey, we’ve got these new attack vectors and all of our applications are at risk”, you talk about the fact that “hey, if one of our applications is compromised, we could lose critical data”. Or, we could lose, our systems could go down and then we basically, can’t collect money or ship things or support our customers, so on and so forth. So, it’s not really about talking about the technical nuances because, again, people that write checks don’t really care about that. What they’re interested in is “how is this going to affect my business? How is this going to really impact my shareholders and my customers and my employees?” How they do it is really not so much of an issue.
Earlier this week was another “patch Tuesday” from Microsoft. Do you think “patch Tuesday” is an outmoded concept?
I don’t think so. You know, a lot of it has to do with people who kind of say these things have never really spent a lot of time with large organizations that have thousands and thousands of devices that need to be patched. You know, these folks tend to have 2, 3, 4 day, sometimes 2, 3, 4 week change control processes, especially like at the end of the quarter. So, if Microsoft were basically just to willy-nilly go out and say, “hey you’ve got to patch all your Windows machines now”, you know, you take a Fortune 50 type of company, and that kind of creates a ripple effect in terms of their whole change control process that would be very difficult for them to really manage. Obviously, there are times and situations where it requires an out-of-band patch.
The ability to run one of those things when the danger is imminent but for a lot of these other issues, again, I think monthly is very reasonable and actually may be even too frequent for the way a lot of these organizations actually run their businesses. So, from that standpoint, what Microsoft has done is a model that the rest of the large organizations out there – do you hear that Apple? – should be paying attention to because these guys have learned through the school of hard knocks what works and what doesn’t work at scales that no other company in the world has to deal with in terms of kind of updating software.
Let’s shift to compliance. To me, it seems like compliance is getting more complex every day. How should companies approach compliance?
Well, this is a little bit of a controversial position, Peter, but I actually don’t think that companies should be positioning or thinking about, I mean, you’ve got to think about it, but really being focused on and approaching compliance. See, when I sit down with somebody and I ask them what the two biggest projects they’re working on are and one of them is compliance, you know, I know it’s either going to be a very short conversation or I have a lot of work to do in that organization because the reality is, you don’t really do compliance. You protect your assets, you do security and then if you do all that stuff right, and you can document what controls and capabilities you’ve put in place, then you actually get compliance. So, this idea of somebody saying “hey, I’ve got to get PCI compliant”, it’s like, what does that mean? How do you do that? Is that a product I can go down to Best Buy and buy off the shelf? No, I mean, you know, so I counsel my clients and my readers in terms of thinking security first.
If you have a strong security posture, a replicable security program and you’re taking and documenting the controls and metrics about the effectiveness of those controls, then you can pretty much prove compliance with whatever regulation you’re worried about as opposed to sort of reacting to the regulation du jour, you know. Five years ago it was HIPAA and then there was GLB and then Sarbanes-Oxley and now, you know, PCI. It’s just, it becomes one of these hamster wheel things that you can never get out ahead of so, again, I always counsel people to think security first and if you do that well, then compliance will kind of fall into place.
Now I read that you recently finished with The Pragmatic CSO bootcamp. Tell me, how did it go and what do you think people learned from it?
It was great. The Pragmatic CSO is a 12-step program and what I did, we got a number of people in the room and I kept it, actually, intentionally small because I wanted to foster a lot of discussion because you can read the book and you can talk to me and you can read my newsletters and get a feel for what the process is, but there’s so much to be said about actually sharing that valuable perspective and insight with your peers. So, what the boot camp is really designed to do is use the 12 steps as a model for kind of how you go about doing security but the reality is that you kind of go all over the place depending on what the attendees need to think about and what their biggest problems are.
I put together a new set of templates that help kick-start the effort so we spent some time going through those. I found it just very valuable, not just for me, but I like to think that the folks that were the attendees actually found it fairly valuable, too, just in terms of sharing information and really kind of understanding and adding to the body of intellectual property that I built with The Pragmatic CSO and really making it their own kind of process and how it’s going to work in their own environment and that was very gratifying to see.