To Winkler, reducing security risks comes down to creating the right culture rather than aiming for bulletproof technology
With a resume that includes certifications, several books, and frequent speaking and guest columnist gigs, Ira Winkler is a recognized leader in the security industry today. Currently president of the 10,000-plus member Information Systems Security Association, Winkler is also president of consultancy Secure Mentem. Not bad for a guy who majored in psychology and says he wanted nothing to do with computers in his college days.
How did he get from there to here? "No one else would hire me but the U.S. government," says Winkler jokingly. In truth, he took an aptitude test on a lark while considering career paths senior year and discovered to his surprise he had a flair for the technical.
After gaining the requisite clearance, he took a job as an intelligence analyst with the National Security Agency. Winkler quickly realized that jobs working with computers paid better than those that did not, so he grudgingly took a position as a computer science intern, taking computer classes and rotating through assignments that included programming support for cryptanalysis, system development, and field operations, where he spent three years. His background in intelligence taught him one thing: No one cares how you get the data; the data itself is what matters.
This lesson served Winkler well in subsequent years, during which he obtained corporate information through unconventional means such as bugging the office of a Fortune 10 CEO who had hired him to do penetration testing. His goal was to express the impact of a security breach in terms of business value, a framing he believes speaks to an executive far more directly than typical security terminology does.
With data gathered through social engineering, computer hacking, and the bugging, Winkler walked into the executive's office and reeled off detailed information about the company's mergers and acquisitions and products under development.
"I said, 'I have here everything you hold valuable to your whole company.' That put a business value on it. He bumped up the security budget by $10 million and hired security officers."
"Executives don't care if you get on their network," Winkler says. They figure other outsiders are probably on there already and it hasn't hurt their business any. What's relevant: the cost to the business, in dollars, of any past or imminent loss due to that security breach. Of course, proving your cost estimate is accurate is easier said than done.
In business, every decision requires a balancing act. In a perfect world, everyone would ensure that their networks were free from intrusions from foreign governments such as China, which is the main offender of late. But of course, that's not always how it works out.
"They want to do business with China, so they're willing to accept that some of their data will be lost in exchange for a larger portion of the Chinese market. It comes down to understanding the business risk: Here's what we are preventing and here's what it's going to cost to prevent," Winkler says.
It is critical, in his view, for security professionals to identify risks to the business and find cost-justified security measures to mitigate those risks. No CEO wants to hear he should spend tens or hundreds of millions of dollars to rebuild his computer network. After all, hackers will come right back the day you turn it on. What security pros must do instead is focus on securing the environment in a way that's aligned with business value.
Equally important is to instill the entire organization with security awareness that goes far beyond simple training and aims to change individuals' behavior. Secure Mentem, Winkler's current company, offers a security awareness methodology that takes culture into account.
"Awareness is a continual process," wrote Winkler in a recent column. "It is not a program to tell people to be afraid to check their email."
"Security is all about the human, from start to finish," he says. "There will always be a malicious entity out there trying to get on your network." But what Winkler calls the "malignant" security issues, such as employees clicking on unverified attachments or that old standby, writing passwords on sticky notes, can cause even more damage.
For those issues, there is little to be done but raise awareness. Winkler has made that cause his lifework.
This story, "Ira Winkler: The Awareness Crusader" was originally published by CSO.