Before joining the SEI, Christopher was a scientist at Carnegie Mellon Research Institute, where he developed mobile robots for hazardous environments. He also worked at AT&T Bell Laboratories, where he designed information systems to support AT&T's advanced manufacturing processes.
How did you get interested in computer security?
My background is in risk management. Before becoming involved in computer security, I developed techniques for assessing risk on software development projects. Moving to information security risk was a natural progression.
What operating system(s) do you use and why?
The organizations with which we work use a variety of operating systems, so we need to have some familiarity with many operating systems.
How long did it take you to write "Managing Information Security Risks: The OCTAVE Approach" and what was it like? Any major difficulties?
It took us about a year to write the book from concept to completed manuscript. Writing a book requires a significant time commitment. We had a lot of material with which to work. However, it took us a while to sort through all of the information and set a workable scope for the book. In the end, writing the book was a very rewarding experience for me.
The biggest difficulty in writing the book was making a fairly dry subject as readable as possible.
If you could start working on the book all over again, would you make any changes?
We went through much iteration before settling on the format of the book. I don't think that we would make any major changes. However, each time I read it, I find minor revisions I would like to make.
What are your favourite security tools?
When people hear the phrase "security tool," they often think of a tangible product. If you view security tools in that sense, there are many useful products available today. One problem is that not enough people are knowledgeable in the use of those tools.
I like to broaden the definition of "security tool" to include any means that helps to improve security. Security-related education and training is number one on my list. This includes general security awareness training for staff and managers as well as specific technology-related training for administrators.
In your opinion what are the most important things an administrator has to do in order to keep a network secure?
Too often the burden of enterprise security is placed squarely on administrators' shoulders. Information security is a complex discipline in which everyone has a role, including administrators, general staff members, and managers.
Administrators play only one role required to successfully manage enterprise security. Among their duties is working to secure the computing infrastructure. As such, administrators need to be armed with the proper training, education, and tools to succeed.
What do you see as the major problems in online security today?
I think that the biggest problem in security today is that too many managers view it as solely a technology problem that can be solved by applying technological solutions.
I view security as an organizational problem with a technology component. You cannot separate the people from most security issues. Security solutions need to consider both people and technology. I see this oversimplification of security issues as one of the major problems facing us today.