Security Execs Share Advice at RSA Conference

By Tony Kontzer

Vint Cerf, the legendary co-creator of the Internet Protocol and current chief Internet evangelist at Google, started his keynote at the <a target="new" href="http://www.rsaconference.com">RSA Conference</a> in San Francisco on Feb. 27 with a parable about a small village threatened by a large boulder barreling down a nearby hill. An onlooker realizes that by placing a small pebble in the boulder's path, the village can be saved.

Cerf intended the pebble as an analogy for the potential impact of embedding sufficiently strong authentication into devices to protect their interactions with one another. But he could just as easily have been talking about the state of information security today.

With threats evolving faster than the tools and practices to fight them, IT security staffs have to marshal every pebble at their disposal to divert the oncoming boulder. That much was made clear during a panel discussion earlier in the day featuring a high-profile group of security executives.

At Google, outside-the-box thinking drives threat prevention and detection efforts. Among its unusual tactics is a bug bounty program in which developers and researchers are paid for finding and reporting software flaws. It's similar to the program <a target="new" href="http://www.mozilla.org/security/bug-bounty.html">Mozilla</a> runs with its community of developers to keep its software secure.

“How much I’m spending on this tells me what we need to do to improve development efforts,” said Eric Grosse, Google’s vice president of security engineering.

For the Obama administration's <a target="new" href="http://www.whitehouse.gov/cybersecurity">former Cyber-Security Coordinator Howard Schmidt,</a> who retired last year, an effective dashboard was critical if he and his staff were to coordinate responses to threats against federal systems. "I met a new CISO [chief information security officer] every day," Schmidt said. "There was no other way to keep up with it all."

When Jason Witty took the CISO post at U.S. Bank last June, he quickly zeroed in on what he felt was an overly complicated and wordy security strategy that undermined efforts to respond quickly to incidents.

“We needed to change our vernacular a bit,” Witty said. He instituted a simpler system that ranks risks as high, medium or low, and identifies the part of the business—the brand, customers, etc.—that’s most likely to be affected.

Gary Warzala, CISO for Visa, has also taken the simplification route in evaluating the impact of security technologies, which are validated against three criteria: evidence of risk reduction, ability to support security controls, and effectiveness in supporting innovation. "If I show the business any of those three things, then I'm good," Warzala said.

Moderator Gary McGraw, CTO of software security consultancy <a target="new" href="http://www.cigital.com">Cigital</a>, later asked the panelists whether the tide of incidents could be stemmed by building security directly into applications, something he said happens in only about 10 percent of development efforts today.

Schmidt’s response was an enthusiastic yes. “About 80 to 85 percent of successful intrusions could have been prevented by writing better code or doing a better job of writing security in during development,” he said.

The way Warzala sees it, the fast-evolving sophistication of cyber-threats requires companies to consider all of these tactics: embedded security, simplified language and criteria, bug bounties, effective use of dashboards and more. For evidence, he pointed audience members to <a target="new" href="http://www.verizonenterprise.com/about/events/2012dbir/?__ct_return=1">Verizon's annual Data Breach Investigations Report</a>.

“It’s the same thing over and over,” said Warzala. “Things just keep getting worse.”