Incident & Breach Response , Managed Detection & Response (MDR) , Security Operations
Making Information Systems 'Trustable'
Former CIA CISO Robert Bigman on Battling the Latest Cyber ThreatsDon't blame a lack of information security standards, security products or cybersecurity competence for the failure of breach defenses. In many cases, the culprit is design and implementation flaws in IT products, Robert Bigman, former CIO at the CIA, contends.
In an interview with Information Security Media Group following his presentation at the recent ISMG Fraud and Breach Prevention Summit in Washington, Bigman contends existing collections of commercial hardware, firmware and software aren't consistently reliable - what he characterizes as "trustability."
In the interview (click player beneath photo to listen), Bigman:
- Explains what organizations get wrong about trustability;
- Discusses how enterprises can boost trustability of their systems as technologies rapidly evolve; and
- Addresses the cost to enterprises to ensure their systems are trustable.
"Trustability is the capability to ensure that those security mechanisms work in a computer system ... as they're intended by the vendor and by you - via your security policy - and can't be modified or changed to do something they're not allowed to do," Bigman says. "And, if they're changed, you'll see it, as part of the trustability matrix."
In his presentation at the recent summit, Bigman explained that zero-day exploits are being written and tested as enterprises add millions of lines of poorly secured code to their base of vulnerable applications and operating systems. "What sophisticated hackers understand - and many IT security practitioners don't - is that regardless of the amount of security products and services deployed, internet-connected systems remain vulnerable to exploitation," Bigman said.
The only solution to this dilemma, Bigman says, is to raise the trustability level of computer systems high enough to make even sophisticated hacking riskier and more susceptible to easier identification.
Bigman founded the IT security consultancy 2BSecure after retiring from the CIA in 2012, where he spent 15 of his 25 years overseeing information security. While at the CIA, Bigman contributed to many intelligence community and federal government information security policies. He frequently briefed congressional committees and advised presidential commissions.