Marcus Ranum on 2011 Security Outlook
CISOs Need to Sell Security to Peers and Senior Leaders
If Marcus Ranum were your CISO, this would be his resolution for 2011: To plan a "War Games" style exercise.
"It's very enlightening for everybody," says Ranum, a noted security thought-leader, "and it actually helps a great deal in helping sell the need for security to the entire executive team."
In an exclusive interview on the 2011 information security outlook, as well as the biggest stories of 2010, Ranum discusses:
- The growing insider threat and how organizations must respond;
- Biggest lessons learned from 2010;
- Potential storylines of 2011.
Ranum is CSO of Tenable Network Security. Since the late 1980s, he has designed a number of groundbreaking security products including the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall and NFR's Network Flight Recorder intrusion detection system. He has been involved in every level of operations of a security product business, from developer, to founder and CEO of NFR. Ranum has served as a consultant to many FORTUNE 500 firms and national governments, as well as serving as a guest lecturer and instructor at numerous high-tech conferences. In 2001, he was awarded the TISC "Clue" award for service to the security community, and also holds the ISSA lifetime achievement award. In 2005 he was awarded Security Professional of the Year by Techno Security Conference.
Lessons from WikiLeaks
TOM FIELD: So, this is hot in the news; I've got to ask you up front. What is your take on the security and privacy issues that have been raised by the WikiLeaks case we've all been reading about?
MARCUS RANUM: Wow, well there is a tremendous amount there. Let me not focus on the obvious stuff. I think one of the things that we are seeing from the WikiLeaks case is there is a transition that happened after 9/11 from the old school need-to-know in intelligence, where only people who absolutely needed to have access to a particular piece of intelligence data were granted access to it. And I think in an attempt to kind of clear up communications post-9/11 there was a breakdown of those walls as far as need-to-publish. I think what we may be seeing is that the chicken is coming home to roost on that, because one of the questions that's not being asked about this is why is it that a relatively junior analyst was given access to all of this information? No one human being can legitimately have anything useful to do with that.
Then the other piece of the puzzle that I find is really interesting is the apparent inability of the people who lost the data, the original data holders, to tell what data was stolen and while it was being stolen. And this is an important message for anyone who is a CISO because it shows what can happen when your data leaks if you don't have auditing and logging in place so that you can go back and say, "Well, OK if we do believe this guy leaked a bunch of information, what information did he actually access and when?" Of course, ideally you would get in front of that process and maybe detect the fact that somebody who really didn't have a need to access this particular information was downloading [this information] in one fell swoop. That is kind of a red flag, I would think.
So, from a security perspective, I think the story behind the story is almost more interesting to me than kind of the details of government has lied to us, what a surprise.
FIELD: So, since then we've seen the response by WikiLeaks' supporters this week against MasterCard, PayPal and others that are deemed "unfriendly" against CEO Julian Assange. What should we make of the response and of the sites that have been shut down, that have been affected by this?
RANUM: Well, I think that was inappropriate. I mean more interesting would have been if people had started to say, "Hey, by shutting us off you're violating your service agreement," or a passive protest would have been effective. If we're concerned with this as a freedom of speech issue, let's not do business with people who are supporting the government against freedom of speech. I don't think that kind of going on the warpath is necessarily an appropriate response.
FIELD: So, what are the questions that organizations ought to be asking and answering for themselves now after witnessing data leakage certainly, but then also after the response -- because this sort of signals a new level of protest against organizations that do business?