SINGAPORE--Organizations must understand that security is like warfare, and in a world where they will be compromised, they have to strategize the best approach to defend, revise their battleplan and eliminate adversaries, according to Eddie Schwartz, RSA's first chief security officer.
Schwartz, who came into office in June this year, said information security involves three elements: studying the enemy, attack and defense. He finds it fascinating to think about how organizations defend themselves in a world where they can neither "put a wall around" themselves nor predict the nature and timing of cyberattacks.
The C-level executive, who has practised karate and aikido for as long as he has been in the security industry, said that, like "defending a castle or yourself on a battlefield", traditional concepts sometimes do not work for organizations and new concepts must be applied.
In his 25 years in the information security industry, Schwartz has held security roles at CSC, Nationwide Insurance, Global Integrity, ManTech and NetWitness. He began his career as a foreign service officer at the U.S. Department of State after graduating from the George Mason University School of Management with a B.I.S. (Bachelor of Individualized Study) in Information Security Management and a Master in Information Technology Management.
At RSA, the security division of EMC, he is responsible for both the security of corporate networks and product security. The executive also works with customers to discuss what RSA is doing from a security perspective.
Acknowledging that he has always been "a bit of a geek", Schwartz believes in the "whole brainer" approach--utilizing both the creative and mathematical sides of the brain for information security to think creatively and innovatively, to solve problems associated with scientific applications.
In town this week to speak at GovernmentWare 2011 Conference and Exhibition, the executive sat down for a chat with ZDNet Asia to share his observations about the defense methods of organizations today, in light of sophisticated threats and talented cybercriminals.
Q: What made you decide on a career in IT security?
Schwartz: In the 1980s, I met someone who was one of the pioneers in the field at an event and he influenced me to get into it. I was working for the U.S. government then and he told me that security was going to be "the thing of the future". In the early 1990s, he founded a laboratory and asked me to run it for him, giving me the opportunity to get involved with security at a senior level.
What exactly about security do you find fascinating?
It is constantly evolving. "Agility" is a term we use at RSA to describe what we do, because the landscape is constantly changing. The good thing about this field is that there will be new surprises when you come to work every day. For example, how do you develop solutions that are agile enough to adapt to the evolving threat landscape? I would be very bored in my career if it was static, producing the same result every day.
Why did RSA decide to create a CSO position?
Before I came on board, we had a security function at EMC and I reported to Dave Martin, the chief security officer. We felt that as the security division of EMC, we should have a unique focus because we did some things that were different from the rest of EMC. We also thought that people needed to understand specifically what RSA is doing--we need to explain to potential customers, press and analysts. This is a job which is very specific to this division. The overall responsibility, however, is still on Dave Martin at EMC.
What have you done as the first CSO of RSA since taking office three months ago?
Part of my job has been to understand what we actually do in terms of security management: the processes we use to manage risk, how the different processes tie together and to ensure that all of them are working like a well-oiled machine. In any organization, there are always activities going on but one has to look at how well they are coordinated and whether there is an enterprise perspective of risk. I've been focusing a lot on that and looking at specific problem areas where we might spend more time than others, as you can't protect everything the same way.
What are you hearing from the market when it comes to security?
Organizations have invested significant amounts of their IT budgets in information security over the last 10 years, depending on which market sectors they belong to. In some sectors, it's 5 to 7 percent and in others it could be 15 to 20 percent of your IT budget. Organizations are beginning to question whether investments in traditional security approaches are effective in stopping cybercriminals, hacktivists, nation states, advanced persistent threats (APTs) or insiders. They're looking to companies such as RSA for solutions to these advanced threats, solutions to these problems.
What kind of threats do you see in the market so far?
In the last two years, there has been a surge in illegal activities. Traditional crime has moved from where people will show up with "guns and knives" to the cyber world. More crime occurs in the cyber world than the old physical world today because it's anonymous, cheaper to do and there is no bloodshed. There is also more espionage. The spy game has moved from the traditional world to the cyber world. With cyber spying, it is hard to figure out who's doing it or know it is occurring. People refer to them as APTs. There are also different hacktivist groups, activists that are doing the hacking, with different reasons for doing it, be it for a social cause or political agenda.
One of the problems is that most organizations don't have the ability to defend themselves against the many malware out there. You don't know whether malware is coming from some "un-sophisticated" group or some extremely resourceful, well-sponsored nation groups. It has become a difficult situation for organizations.
What do these organizations lack in defending themselves against cybercriminals?
They must change the way they think about security. Many organizations still think about a traditional approach where they have a perimeter and build up a wall to keep the bad guys out. This perimeter would include signature-based defenses. The problem is, adversaries know how you build the wall and what signatures you build. They are going to build techniques to attack you. For example, they send e-mail to your end users, such as so-called spear phishing attacks. The whole notion of perimeter defense and the idea of signature-based defense is not a workable solution anymore. We must rethink security, not just the technology we use but the way people are hired, the skills they have, the processes they use to deal with it.
What do you think of the security scene in Asia-Pacific specifically?
There are certain countries here in Asia that have developed very strong IT and cybersecurity capabilities. As you look across all countries, there is certainly awareness of problems and ability to respond to them. Singapore, for example, has a well-thought-through IT policy, mature IT infrastructure, great plans and operations relative to IT security and good awareness of the problem. However, that is not true uniformly across the region.
One of the themes of GovernmentWare 2011 is that public and private collaboration is needed to combat security threats. What are your thoughts on that?
It is great--the more collaboration, the better. We had a summit at Washington on July 13-14 and one of the findings is that government and nation states are better at sharing information than the security industry. There is a failure either within market sectors or in public-private partnership to share good intelligence. If the finding from the summit is that we have to do a better job, one of the critical findings would be better sharing of threat information.
With your experience in the U.S. government and security industry, what do you think Singapore can learn from the United States when it comes to security?
There's a variety of things. Certainly, there is already a lot of good sharing going on right now between the U.S. and Singapore with respect to knowledge and technology transfer. A lot of these lessons are being shared on different levels including by multinational corporations.
One thing to note is cyber laws can either help you defend your networks better or create obstacles. Looking at which laws work, and which created more problems, in countries can help Singapore develop its regulatory framework better.
Do you think consumers and enterprises find security overrated?
Consumers already have a growing awareness of security but the issue is that it is very hard for them to practise it. They can get a suspicious e-mail claiming to be from their bank that says their accounts have been frozen and they have to do what the e-mail says, and statistically four people out of 1,000 will actually follow. In fact, people would open it even after stepping out of a security class; it is human nature. That's one of the things our APT summit found, that the new security perimeter is the human. There used to be this concept of creating network perimeters but now it is the human that's the barrier between good and evil. We're going to see that as an issue.