Michael Barrett, CISO of PayPal in San Jose; Joseph Moorcones, vice president for worldwide information security at Johnson & Johnson in New Brunswick, N.J.; and Lynn Mattice, vice president and CSO for Boston Scientific in Natick, Mass., are among the industry's most outstanding CISOs. Here these well-respected security executives offer their insights on New Data Center-style, next-generation security, as well as give tips for securing everything from budgets to WANs.
Who: Michael Barrett, CISO, PayPal
Career highlights: Before joining PayPal, an eBay company, Barrett was vice president of security and utility strategy at American Express. He perhaps is best known for his groundbreaking work on identity management. He was a driving force behind the creation of the open-standards Liberty Alliance, and served on the group's management board, including as president, during its early years. That role twice earned him a spot on Network World's annual list of the 50 most powerful people in the network industry.

Barrett's thoughts on:
• Microsoft's CardSpace identity management technology
"I have two views on CardSpace. The technology stacks that it is using are great, but I wish the whole standards issue - essentially, fighting about what we did with Liberty - hadn't occurred. Now the Liberty Alliance is working to bridge that protocol divide so we have only one family of protocols. But CardSpace is good work. It very clearly follows the Laws of Identity that Kim Cameron [identity and access architect at Microsoft] laid out in May 2005 . . . and Vista is shipping with CardSpace, which will help give it critical mass with consumers."
• Phishing and PayPal's response, an optional public-key infrastructure (PKI) token called Security Key
"PayPal's Security Key technology is powerful . . . but phishing is a complex crime. If we want to disrupt phishing, we need to get much better about digitally signing e-mails. E-mail from PayPal and eBay is digitally signed. As a consumer, you can differentiate between legitimate e-mail and fake, if you know how to do it. Let's use those signatures and work with ISPs to drop improperly signed e-mails."
But confusion about standards clearly has slowed adoption of e-mail signatures, he says: "It's important for PayPal and eBay to demonstrate technology leadership. We'll absolutely support multiple standards if that's what it takes to get the job done." (See "Identity management for all by 2008," for more information on PayPal's PKI program.)
• Mobile security
"There have been various proof-of-concept attacks on the mobile device platform, but they haven't been very widespread. As more commerce occurs on mobile platforms, we'll see more attacks. Companies like Symantec and McAfee do have perfectly good antivirus platforms for those environments; no one's buying them yet, as people don't see such attacks as much of a threat."
Those technologies will grow more popular as attacks rise, he adds, "and platforms like PayPal Mobile [a secure text-messaging and voice-activated method for accessing a PayPal account] will be more significant, too. . . . We don't view PayPal Mobile as the endpoint of where we're going with [mobile security] - we view it as our first toe in the water."
Who: Joseph Moorcones, vice president for worldwide information security, Johnson & Johnson
Career highlights: Before joining Johnson & Johnson, in 1997, Moorcones spent 24 years at the National Security Agency, last serving as assistant deputy director for information security. He also participated in the President's Commission on Critical Infrastructure Protection.
Moorcones' thoughts on:
• The most exciting emerging security technology
"Network access control is critical. I foresee networks without firewalls. I see a better way - to identify and authenticate machines, applications and individuals - not to have to spend time setting up accounts."
• Today's most serious security issues
"The biggest threat today is that we have more people around the world who have the skills, tools and capability to cause harm. Another challenge is that every company now has to partner, sometimes with its competitors. That opens the business up to potential threats. This is magnified by the increasing complexity of systems and technologies."
• Terrorist-related information security risks
"If you are talking about business intelligence, trade secrets, I don't think these are their interests today. They are more interested in getting on the news and making a big statement . . . blowing up the building as a target."
• The differences between national and enterprise security
"I find exactly the same problems. . . . Instead of talking about how we are going to have a relationship with an ally and control data while fighting a war, we're talking about how we are going to have a partnership with someone who is critical to R&D, or some [other] aspect of our business, coupled with the need to maintain control over the sensitive data we share with the partner. What's different is the impact - an impact on profitability, market share and compliance vs. national security and people dying."
• Data leakage
"We're looking at deploying hard-disk encryption. If I had unlimited budget, I'd say, let's just do it on everyone's computer, and I'll have taken 'lost laptop' off the table. I won't care who loses a laptop; there wouldn't even be an operating system [accessible] on it. The reason I'm still just considering this is that, what happens if a hard drive crashes and you have to work through support issues? The hard disk is encrypted; someone can't even turn on their computer when they are in the field."
• Integrating network and physical security
"It's easy but expensive. We could probably use [our employees'] public-key credentials to open the doors, or we could put the [PKI credentials] in a smart-card format, put a picture on it, or even put their pictures in our directory, use facial recognition, and have them type in their worldwide ID [to gain building access] if there was a business case to be made. The problem is that we have to upgrade all the turnstiles at 230 companies around the world."