This is the second of two parts of an interview of Stephen Northcutt by technologist David Greer. Everything that follows is by Messrs Greer and Northcutt with minor edits. (See part 1.)
* * *
DG: It seems like many of the current security issues are problems that we have been dealing with for decades. How do you see the evolution of the problem space of information security?
SN: Twelve years ago, we were standing up for a cyber capability for the United States. All the things we are saying today and the stuff we are doing to our cyber capability I heard 12 years ago. We do make progress; for instance, we now have the Cyber Guardian program and have already graduated the first class. The attack surface just continues to get larger and larger and larger. So we're dealing with more lines and more kinds of code. We are more connected, so there are a lot more vulnerability points, because we are increasingly connected and more code is exposed to potential attacks.
We are not dealing with that many fundamental problems. The specifics are changing, but the classes of the problems haven't changed very much. There is an ever-greater need for security people who can integrate with the business. I was just trying to explain to someone that the No. 1 thing a manager wants out of a security person is communication skills. We've done survey after survey after survey. Our challenge is to develop people's communications skills. You can't do business without communication.
I would also say that my personal observation is that people often think complexity is its own reward. If we don't put a tremendous amount of attention and simplify, simplify, simplify, we end up with things we cannot manage. This is true on the security level, technology level and organization-process level.
DG: How do you see evaluating and managing risk in the security environment today?
SN: A couple of years back I spent some time with the trade organization that represents the 100 largest banks in the U.S. We were trying to do some work around information security risk. More than once I heard the finance guys say, "You information security folks have no idea what you're doing in terms of risk management. You are using qualitative methods when you need quantitative. In finance we know, for any set of financial transactions, within a few dollars of what our risk is." One of those quants was in the risk management department at Bear Stearns, which is gone now. The finance folks have an advanced terminology and methodology. I am sure senior management were briefed on the risks, but because house prices and stock prices kept going up, they thought this incredible risk of bubble deflation was an acceptable risk, and they found out they were wrong. We need to make sure in information security we are never arrogant and that we make every effort to present risk to senior management in such a way that they can govern wisely. I think there are three parts to that.
1. Start using metrics to measure and quantify risk. There are several books, such as Andrew Jaquith's "Security Metrics: Replacing Fear, Uncertainty, and Doubt" and W. Krag Brotby's "Information Security Management Metrics: A Definitive Guide to Effective Security Monitoring and Measurement"; tools such as security information and event management (SIEM) and vulnerability management products that are internally consistent provide a quantitative score.
2. We need to describe risk in terms of the business objectives. Instead of just saying "We might get hacked," we should explain the financial cost of a data breach or the destruction or manipulation of our data.
3. Finally, we need to present the information well and at the management level. I know that is a strength of the MSIA program at Norwich. I think every security person needs to read "The Exceptional Presenter: A Proven Formula to Open Up and Own the Room" by Timothy J. Koegel and "The Cognitive Style of PowerPoint: Pitching Out Corrupts Within" by Edward R. Tufte once every 18 months or so and struggle to apply that information to our lives.