Talking security with Motorola’s William Boni

CSO William Boni talks intrusion-detection, how his company is protecting itself and why IT security folks need to stick together

Being in IT security is more than a full-time job for William Boni. As Motorola’s vice president and chief information security officer, Boni oversees security for a global network supporting some 100,000 end users. He also recently helped form an IT security consortium with counterparts from other companies and last week gave a keynote address at the InfoSec World conference in Orlando. Somewhere in between all this, Boni spoke with Network World Senior Editor Ellen Messmer.

How would you describe the level of importance Motorola gives to IT security these days?

Motorola, like most other large, sophisticated global organizations, has become increasingly dependent on the running of its IT infrastructure, applications and technologies to support the success of its business strategy and operations.

In parallel to that increased recognition, you have increasingly visible and apparent risks and threats to that infrastructure and those operations and capabilities. It’s not just a matter of Sept. 11. We had a whole series of denial-of-service attacks in the spring of 2000; there has been the seemingly endless series of worms, viruses and other types of events.

Management has sought to obtain higher levels of assurance by giving this role executive-level status and accountabilities.

What sorts of security projects can you tell me about that are going on within Motorola?

Motorola is a major producer of intellectual property, proprietary-sensitive information, new product designs, trade-secret and patentable information across a number of industry segments. The challenge in developing new products and solutions is that it requires extensive use of digital technology to design, describe and bring them into production and distribution.

A common business practice is reverse-engineering, looking at ideas and seeing how it compares against the individual company’s product. The concern is to make sure we don’t have premature leakage of key forms of digital intellectual property. There are a number of different technologies from both mainstream leading vendors and start-ups that I am interested in looking at.

What’s been your experience with intrusion-detection systems?

Detecting something is always less desirable than actually preventing things in the first place. We got into the IDS technology fairly early and found, like everybody else, the existing tools and technologies suffer from creating a huge overload of false positives.

But we did make the effort to create the capability to allow us to do analysis and basic correlation and assessment – and have found even the detection tool to be a very useful adjunct in our efforts to manage the consequence of events whenever they do happen inside our network. We’re typically wading through 20 to 30 million events per month to find the dozen or so that require an appropriate response.

Have you started using intrusion-prevention systems?

We’re in the process of upgrading our existing technologies to be more preventive and retain the ability to detect and respond to things. We’re keeping our eye on the new technologies as they come out. There are some promising new vendors [which he declined to name].

But Motorola is far too complex an organization for me to want to be a beta-test laboratory for somebody’s new idea. I need proven capability before I can go to management here and outline the business case for additional investment or supplemental spending. But it’s really important for all the vendors to understand that preventing the attacks is a much higher payoff. Detecting is helpful, but it’s still after the fact.

What’s the goal of the Security Metrics Consortium you helped launch in March?

When you get a group of security professionals together, especially in a social context, the conversation very quickly turns to: What are you doing, and what are your challenges? One of the big gaps here is what amounts to a framework that can be referenced as to: How are we doing in our security program compared with what amounts to a best-practices baseline?

We want to make that more professional and, if we can, establish a baseline that can be used for ongoing apples-to-apples kinds of comparisons across organizations. It helps to answer the questions that CEOs, CFOs and CIOs have, which are: Are we doing enough? Are we doing too little? Are we doing too much? Are we doing the right things? Are we doing well at what we have to do?

If you don’t have some kind of impartial or consensus-based framework to measure that against, it ends up being very much anecdotal or driven by the particular preferences and abilities of the individual security officer.

One goal here is to try to equip people who may not have majored in debate science in college with tools and data that will make them more effective in articulating risk management efforts.

I see you also belong to the Police Futurists International. What is that?

This is a group that has over the past 20-plus years gotten together periodically to try to map the potential of the future and what the consequences are from social, political, economic and technological dimensions. And to influence that future so it will be a more positive destination.

We say if the world is going to look like this in 2015 or 2020, what kind of skills, technology, resources and approach to protecting society against criminals and miscreants ought we be developing. Especially in the public sector, it can take a long time to develop sources of funding and to develop a public consensus. Go back about 15 years – the idea of computer forensics – why would we need to have police officers looking into people’s computers? Yet today in almost every major law-enforcement investigation there’s a computer dimension somewhere in that chain.

Most of the members have master’s degrees or Ph.D.s in various areas of social research, science, technology. It’s mostly North American-based, but with good representation from Australia, U.K. and other European nations. It’s trying to support a global consensus on areas for research and practitioner development in police forces so they’re prepared to cope with the future and don’t get overwhelmed by the relentless change we’re all going to face as we move forward in the 21st century.