Twenty-Four Seven Security

Peter Schooff

The Criminal in the Next Cubicle: Talking Security With Xerox

In this podcast I spoke with David Drab, the Principal and Security Thought Leader for Xerox Global Services. What's particularly interesting about this podcast is that Mr. David Drab is an ex-FBI man, and I think having him sound off on IT security issues really brings home how hacking has truly evolved into a full-time criminal enterprise, whether it's a criminal who's delving into online crime or someone in the cubicle next door whose reckless activities have now become criminal. David and I talk about current enterprise security issues and how Xerox is addressing them, and make sure to listen for the quote: Mercy to the guilty is cruelty to the innocent.

Listen to or download the 10:41 minute podcast below:

Download file

--------- TRANSCRIPT ---------

First of all, why don’t you just give me the top security solutions companies need to be concerned with today.

Well, I think the -- one of the greatest challenges is really comprehending the risk that we face in an ever-changing global environment. There’s no question that senior executives, in particular, have a very difficult time really understanding the context of risk, what the implications are and many times don’t know really what to do about it. I think that is one of the things that is really a necessity in moving forward.

The studies have shown that many companies really have applied more resources to deal with security but it hasn’t necessarily meant improvement because it’s more understanding what you didn’t know previously. So I think one of the big challenges is it’s really getting proactive, getting strategic to be able to more effectively manage security and have a stronger voice across the enterprise.

Too often, it’s a matter of picking up the headlines and getting together around a table the following day and saying, what are we doing about laptops, or what are we doing about social networking sites such as MySpace and Facebook, and what kind of risks do these present to us. And unfortunately, piecemeal security is always going to be lagging far behind and not have it in a strategic kind of mode of operation.

Now, why do you think companies need to employ more than just security technology?

Well, security clearly is about people. We can't really have a meaningful discussion of security today without considering the role of those who are actually handling the information. I’ve never had to slap a set of handcuffs on a printer, or copier, or laptop, or desktop, it just doesn’t happen that way.

Now, so how should companies then hold their employees accountable for security lapses?

Well, that’s -- I think that’s a great question, Peter, because to draw on a quote, one of my favorites, actually, from Adam Smith, “Mercy to the guilty is cruelty to the innocent.” And in my experience interviewing spies and criminals who have sort of decided to try to make right their wrongs and have talked to us about their experience in conducting crimes within organizations, they have said over and over that you folks had the greatest rules and policies and procedures in place but you don’t enforce them.

And so enforcement is one of the elements of security that has to stand on its own two feet. If a senior VP has decided to set up his home computer with confidential data and it’s not done in a manner that is consistent with security policies and procedures, then he’s got to be held accountable like everybody else. It’s not a matter of objectively applying security concepts. So it’s really a top-down, bottom-up mandate that organizations first have leaders who get it, who really understand it, because I can assure you that there are others out there who do get it and understand the opportunity that lies in the world that we live in today.

Right. Now, as a former FBI agent, why do you believe that companies need to use counterintelligence tactics in their security model and exactly what are those tactics?

Well, security and even law enforcement, Peter, is always behind, always lagging and reacting to what is occurring. And in our experience in the U.S., you may recall, we had a deeply entrenched mafia organization whose existence was even denied by the FBI, that it was a national conspiracy, and after years and years of plodding along in the media and various sources, it became evident that there was such a thing and a national conspiracy.

And it wasn’t until that was exposed and readily recognized that we were able to be effective to deal with that threat. So in a nutshell, the mafia organizations in our country recognized that there was value in organizing their operations in these 24 families around the country because America was a big piece of pie. So they very strategically addressed it and we all know what happened.

It wasn’t until the ’80s when we really comprehended the threat that we were able to get the Congress to enact laws that enabled us to effectively deal with this kind of a threat. It wasn’t until we had witness protection, and wiretapping protocol, and RICO laws, and things like that, the right kind of tools to deal with the problem. And then, we had to change our approach.

We had to become strategic, we had to scale down the number of cases we were working and take out the big fish instead of a lot of little fish. So applying that kind of approach to the corporate environment today, we need to have some person or organization as another layer that’s looking across the fault lines of the organization and has their eye on the ball from start to finish.

And we see this over and over today with organizations where we know there are good security policies, we know there are good controls in place, we know there is a good culture in place around security. Yet, we wonder how an up-and-coming researcher or engineer can travel to another country, and then we later find out he was recruited and became a part of an espionage operation that compromised enormous amounts of proprietary information, and it happens over and over.

And I think that the problem is we have this failure to track content through its lifecycle wherever it resides, in the paper or the digital world. And I think that that’s a really important need today. And this layer of counterintelligence is one that is really independent of the other security structures within the enterprise such as risk management, and IT security, and so on. And what this does then is provide another element of accountability to ensure that the palace guard, for example, is in order and acting appropriately.

Right. Now, that seems to lead to my next question: how can a company incorporate document intellectual property security into their enterprise?

Well, I think that’s the -- clearly the direction of information security moving towards the management of content rather than documents. Documents are the containers of critical information. And now we recognize the importance of using technologies that enable us to manage content within a document throughout its lifecycle.

And this, I believe, requires a framework in which critical information, the innovation of a company’s future, the bloodline of a company, really needs to be captured. This framework begins with a clear inventory of what the critical information is; a categorization of it to be able to effectively pigeonhole the information as it moves through its lifecycle.

Now we know that when a critical idea is spawned in R&D, it may be a matter of time before it moves towards production. And then all of a sudden we have marketing plans, we have all kinds of strategies that are trade secret in nature and need to be protected. So the categorization element of this framework is one that really enables us to get our arms around information that’s dynamic, that’s constantly changing and moving in its value.

And then the next level is identifying it, which is really measuring it against the law. Is it a trade secret, does it measure up and meet the requirements of a trade secret under the law? And then classifying it, which of course enables any user to understand what is required of them in managing the information and handling it, and then valuing it, and continuing this process to ensure that the information is effectively secured throughout its lifecycle.

The standard model today is that critical ideas, and innovation, and information that really sets up the future of the company is managed in a patent office, with a legal department. And this needs to be integrated so that there is clarity around the security goals and objectives to ensure that it’s not walking out the door, and we see that over and over. As you well know, Peter, information that is not effectively identified and controlled is likely to walk out the door with an employee that is charting the course of their career.

And that’s something that is really under-addressed and needs to be more fully addressed. And what we do in the document world here, in my experience with Xerox Corporation, is looking at the document in the context of what happens to critical content once it’s been accessed by authorized users. And we can have all the technologies in place for a very secure environment but what is the insider doing, those who have been entrusted with the information?

And there are no silver bullets to answer that question, obviously, but there are a number of things that we are looking to do in security printing technologies to help track paper and documents as they move in and out of the paper and digital worlds and really build a chain of custody around the content. And this is the future, this is the direction that is going to be absolutely essential in securing a global enterprise that is facing unprecedented competition.

Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.

Peter Schooff is Contributing Editor at ebizQ, and manager of the ebizQ Forum. Contact him at pschooff@techtarget.com
