What's the upside to these data leakage products -- what's new with them? In what ways are they improving?
They're all getting better at "stopping stupid" and they're all getting better at helping managers have more visibility into the traffic that is moving from inside their organizations to the outside. Our recent survey for Mind The Gap showed that only 37 per cent of commercial enterprises had done work to determine where data resided within its organization, and while 26 per cent had created a data classification scheme (with data classifications such as "public," "confidential" and "regulated") more than half admitted that enforcement was non-existent. Only 22 per cent of organizations surveyed had even conducted any analysis into interdepartmental communication at all, let alone analysis of whom people inside the company were talking to outside of the company. ADL products can help with these kinds of analyses.
What's the market for mobile security going to be like now that the iPhone has opened up a bit? Is this what F-Secure has been waiting for?
Interesting that you say that because F-Secure seemed to back away from its very expensive strategy of serving the needs of mobile malware sufferers. Like the guy who gambled on Newark real estate in the 1940s because NYC was getting too big and people would need to expand, F-Secure was right but a long, long time too early. Now that we are starting to see smartphones actually having much of the functionality of endpoints, I do believe that we will start seeing those kinds of threats emerge slowly. And look who's making hay? McAfee!
What do you think is the biggest "real" security problem that enterprises are facing?
It's really broad, but the most important thing, I think, is to get an understanding - and this might require a committee comprising a business leader, an IT leader, an apps and DBA and security leader - of what traffic is going on in your networks or through / to / from your servers and why. What business purpose do we suppose, on a truly enterprise-wide basis, is served by the flows we observe? That's when we start to see the true impact of broken or ad-hoc business processes on our IT infrastructure. It takes time, commitment and senior business leadership support. And at the end of the day we think that information protection is far more a business problem than an IT problem. What hoops have we set up inadvertently as security professionals that have had the downstream effect of asking well-intentioned people just trying to do their job to take shortcuts to circumvent our "fixes"? How can we fix processes that are broken and better understand how people ARE working, rather than how we would like them to work? Getting that horizontal, enterprise-wide, non-siloed view into our operations is really, really hard - and I say this as someone doing it, as well as someone talking to hundreds and hundreds of people doing the same thing. The key is that there's no magic box, no goddamn "solution" and you're never done. Ever.
The other thing that drives me crazy is the oft-repeated malarkey about 'secure computers being ones encased in cement.' Helloooooo? Security comprises confidentiality, integrity and AVAILABILITY. People need to use the stuff, not just look at it. It's like with instant messaging. Our managing analyst Nick Patience said that with IM there were three distinct steps: Panic ("Shut it down! Shut it down now!"); followed by step two, Peasant Revolt ("Hey, we can just download Gaim/Skype/Whatever"), closely followed by step three, Capitulation and an enterprise-wide strategy to adopt a new technology. Step 2 was caused by removing the availability of a great business tool that people were already using. Skipping it and going directly to step three has tremendous ROI in terms of not having to fix the zillions of holes opened by the adoption by users of whatever the hell they can get their hands on to circumvent a silly attempt to stanch the flow.
When we talk about enterprise-security, we talk only about the decision makers. Shouldn't end users be made part of the whole process, since that's where most of the problem starts?
Great question and yes, absolutely. I think the part of the last thing I said in my rant was addressing that entirely. What we find when speaking with end users is that the vast majority are nice people just trying to do their jobs and finding ways around the roadblocks we have set up to let them just get to it. So it's really important to have a look at the traffic on your subnets and networks and see what pops out; see if you can for example tie the most popular server in the place to an actual business process or something else ... then find out why people have reverted to doing whatever it is that they're doing that you didn't figure they would do ... and then doing something about it.
So what's the solution to keeping tight security and not setting up too many "hoops" for people to jump through? That's the trade-off isn't it? If they don't want hoops, they don't get much security.
That one is another great question. But basically in a nutshell I would say that business should drive your IT and security infrastructure, and not the other way around. That sounds simple enough until you realize that for the most part that just does not happen. The real issue we find in talks with end users and in our analysis of our own networks is that we don't know where anything is!
It does sound like you're giving a lot of credit to end users. I know a lot of them that are walking security holes...
Totally, but if we think about what they're actually trying to do we can come up with ...oh, GOD, better ways to help them do what they want in a way that we want them to do it.
On the topic of NAC - are you seeing many successful real-world enterprise-scale implementations?
It depends on what you mean by "successful" - we believe that the definition of NAC has changed in the past five years and just released a report about that last month. A F50 customer told me that NAC to him was "Just tell me if the damn firewall is turned on and the AV is on and relatively up to date" where others, like in Israel, are looking seriously to throw people off the corporate resource and also to get visibility into what is actually connected to the network at any given time.
What's the outlook for typical security consulting as we head into a recession?
I think that midsize and smaller businesses that are regulated either by governmental or industry rule sets like PCI offer a tremendous consulting opportunity to smaller consultants - these are folks who can't necessarily afford the PWC or the IBMs but they have as burning a need as those larger brethren who can afford it. Smaller shops have a tremendous opportunity here for semi-bespoke services and audits.
How should we roll out ADL what steps and what tools?
I just grabbed two graphs from our upcoming report, Mind The Gap: The best customer for any category of ADL product is one that has determined roughly the scope of its problem and the areas of its most immediate concern. These data points would have been derived through a fearless examination of its business processes to determine the business risk associated with various activities and the business impact of a leak or loss resulting from those activities.
Such well-informed customers increase vendor profits by reducing sales cycles and effort spent on education; our research indicates that such customers tend to buy more initially, and deploy more thoroughly than do non-informed customers. In the words of one vendor, a customer able to articulate the scope and breadth of its problem and specific areas of priority is, "Our dream customer." He then said that of all his customers, only one fit our description of a "well-informed" one.