Former Homeland Security chief: C-Suite needs to get a grip on cyber risks
SAN FRANCISCO---For the business enterprise, the virtual world is a vague world being that much of the C-Suite is only concerned with the bottom line, according to former U.S. Secretary of the Department of Homeland Security Tom Ridge.
Read this
Speaking at the Kaspersky Lab summit on enterprise IT security on Tuesday morning, Ridge reflected that it wasn’t long ago that the concepts of warfare and information technology were not intrinsically linked.
"Flash forward to today, to 2014, and it’s a brave new world. An interconnected, interdependent world,” remarked Ridge.
Yet he was frank in his comments that cyber domain risks are prevalent, growing, and spreading across both government and private enterprise IT networks.
"The private enterprise is foolish to draw those conclusions because we are definitely a target-rich environment,” argued the former Pennsylvania governor. The C-Suite understands physical damage, he continued, but virtual damage and cyber attacks are shrugged off — much to these companies’ peril.
Also the chairman of the U.S. Chamber of Commerce’s National Security Task Force, Ridge outlined that there will be "two conditions we’re going to be dealing with" as companies, countries, and individuals: "the global scourge of terrorism" and the digital “forevermore,” which Ridge defined to mean that we will never be less connected but always more connected.
"Do you want to be reactive or be preemptive?” Ridge asked rhetorically.
Ridge suggested executives didn’t have to look much farther than the massive security breach experienced by Target last year to consider the dire costs of a debilitating cyber attack.
"Do you want to be reactive or be preemptive?” Ridge asked rhetorically.
Shoring up the supply chain, in particular, was a hot topic on Tuesday being that this pipeline is often overlooked by both executives and IT administrators.
Eugene Kaspersky, chairman and CEO of Kaspersky Lab, asserted during a later panel discussion that shoring up security along the supply chain “is a very major problem,” suggesting that most companies don’t allocate enough security resources in this regard.
"That’s good news for IT security companies, Kaspersky quipped, “But bad news for the rest of the world."
Fred Schwien, director of homeland security programs and strategy at Boeing, noted he leads an internal group that looks supply chain security, responsible for inspecting suppliers for malicious parts and whatnot, all of which requires government inspection and certification every few years.
Sullivan concluded, "You can’t judge the security of an entity by their market cap or how long they’ve been around."
On the aviation front, Schwien highlighted an aviation security council coordinating government and law enforcement agencies, airlines, and other aircraft manufacturers such as Airbus to share security and threat knowledge on a routine basis.
When it comes to sensitive user information, Facebook’s chief security officer Joe Sullivan said his team must look at it not just from the website side but every other type of vulnerability possible, from the back-end infrastructure to employees to vendors.
Sullivan cited Facebook’s bug bounty program, which launched in 2011 and doled out more than $1.5 million in rewards to developers last year, as a successful method of not just finding loopholes Facebook missed, but also engaging with a new community.
Facebook also has a vendor security program. Reminding that “sometimes you need to get your hands dirty,” Sullivan stressed that one can’t jump to conclusions by the size or history of a company.
Sullivan provided two contrasting vendor examples, the first of which was a 15-person startup that sold a product Sullivan characterized as "really secure because it was built with security in mind from the start."
On the flip side, Sullivan described how Facebook was "looking at a major financial institution,” which he hinted had less-than-satisfactory security standards being that for collecting consumer passwords, they couldn’t differentiate between capital and lower-case letters and couldn’t recognize special characters “because they were using mainframes."
Sullivan concluded, "You can’t judge the security of an entity by their market cap or how long they’ve been around."