You spend a lot of time talking to information security leaders working in different industries. What keeps them awake at night?
In the field of information security, we often believe that we have a reasonable set of controls in place to manage risk. The truth is that we have very few risk metrics to work with. Our life is an exercise in managing known and unknown risks. It's the unknown risks that leave security leaders sleepless.
In terms of topics: Highly targeted attacks are a very serious problem for large organisations. Attackers have moved from technical exploits to manipulating people. The human element of security has long been ignored in enterprise defense, yet, it is often the starting point for targeted attacks. I think we have a lot of work to do in this area.
Based on your experience, how has the role of the enterprise C-level executive dealing with information security changed with time? What challenges does such an executive face today that haven't been part of the job description a decade ago?
Today's successful C-Level security executive has to be a master of the "soft skills." More than ever, security leaders need to be able to communicate effectively, all the way up to the board, laterally across their organisations, and down to rank and file employees.
We are in a discipline that can't be boiled down to performance metrics on a PowerPoint slide. We operate in an arena of nuance, of uncertainty, and as a result, security executives need to be skilled ambassadors. Security executives also need to have the ability to deal with ambiguity and uncertainty.
Given all the potential privacy and security implications, is there a place for social networking in the modern enterprise? How can a large company expect to battle data leaks when so many employees are inadvertently over-sharing potentially valuable information?
I think that the over-sharing of information on social networking is both a technology problem and an awareness problem. It is a technology problem in the sense that we need to equip employees with easy to use tools and services that will help to preserve their privacy and protect potentially sensitive corporate information when they post to social networking sites.
Technology can help strip geolocation information from photos or context information from an update for example.
The greater challenge is the content of posts. Most employees don't wilfully post sensitive corporate information online for attackers to find. In many cases, the problem is that they believe that the audience for the information they share is their friends, family or colleagues
If there were only one security thought you could have run through the minds of employees to help, it would be this: remember, attackers and competitors may be your audience. If employees looked at their behaviour online under that lens, and if you demonstrate to them how these information breadcrumbs are gathered up by attackers, I think they would naturally behave differently.