As the former CIO of Symantec Corp. and VMware Inc., Mark Egan has seen his share of data threats and how quickly...
these threats morph. Take cloud and virtualization, two areas CIOs dubbed cringe-worthy in terms of security a few years ago. No more, given the maturity of the vendors' own security controls -- albeit because of customer demand for better data security and privacy, he explained. Today, Egan is a partner with boutique technology consulting firm The StrataFusion Group out of Los Gatos, Calif. -- and he has a book out called The Executive Guide to Information Security. In his new role he thought he'd be working on "a lot of transformation work." Instead, CIOs are asking him to take care of a "little security issue" first.
In your 2009 article Seven tips to improving data protection, you warned CIOs about the immaturity of data protection technology for cloud services and virtualization. Are data threats now being addressed in these areas?
Mark Egan: Amazon, or Amazon with third-parties is now used by government services. They're starting to be accepted. They're removing that security question. The industry is maturing, but use caution because some providers could have controls that are so weak that my 14-year-old son could jump over them. At the same time, some of these cloud providers have been doing this for long time, like ADP. Payroll is super sensitive data, but they've been doing it for years.
When I was with VMware, a lot of resources were dedicated to making sure that vSphere was secure. But, at one time, security wasn't a big deal. I can tell you because I knew the staff that was devoted to it and I see how they redirected resources to security. Again, it just became a priority because customers said, "We can't do this virtualization stuff because it's not secure." If it is going to affect the vendor's business, they will re-prioritize.
What are the top data threats today?
A lot of it is advanced persistent threats coming from China. They are very, very good. In my opinion, China could spend billions on R&D, but it's just cheaper to steal. Most companies haven't spent the time or devoted the resources to protect their IP. They think the laws will protect them -- copyrights, etc. China doesn't care about that. Look at Huawei and Cisco. In some cases Huawei didn't even change the Cisco code. On the IP side, there are companies and countries that believe it's easier to steal than to develop.
It's much harder to protect IP than it is to break in.
What's your key piece of advice against these data threats?
When I left VMware, I thought I'd be doing a lot of transformation work: cloud, social, mobile, big data. I'm doing some of that, but they say, 'There's this little security issue.'
When they call us in, it's one of two things: a fire drill repair mode, or it's a proactive, 'I'm not comfortable with what's going on out there. Can you help me?'
In both cases, we do an assessment or benchmark them. Where are they? What are their risks? Let's put a roadmap in place. What you have to do is a penetration test. Act like a bad guy and try to break in. Environments are pretty complex with all the hardware, software and third parties. There are all these little IP holes that one set of actors is after. The other set wants to steal your money. This is the more mature area, like the banks and financial services; they're losing money to these bad guys. It's become part of doing business.
When I left VMware, I thought I'd be doing a lot of transformation work: cloud, social, mobile, big data. I'm doing some of that, but they say, 'There's this little security issue that I want you to help me with first.' And the little issue turns out to be a lot bigger than they think.
Companies should include endpoint devices in their security strategies, but are they?
I've been called in to do a fair amount of security work since I left VMware in January, and it's just not a priority for many of these companies. They're focused on how do I help my company generate new products as fast as I can; how do I help the sales organization provide better customer experience. Security becomes a lower priority until you get into an incident such as a customer event, but I always encourage CIOs to find out where [their business is] and then come up with a longer-term roadmap. As part of that you have to make sure that employees are productive, but balance that with reasonable controls and make reasonable incremental improvements over time. Security is not a project. It's a program.
The challenge [with BYOD] is the diversity of it. If I standardize and say you can only use this, employees say, 'Oh, these IT guys are always locking me down. Anything that's cool they won't let me use.'
At VMware, we went to bring-your-own-mobile and had a very diverse laptop and tablet environment as well. You could have Mac, Linux, Windows. We struck that balance, encrypting the laptops to make sure we had that level of security. We had filtering in place so that when employees were communicating between that end user device and the back-end systems, we used two-factor authentication, not just a password but a token.
You don't want employees to go off and do their own thing by being Draconian. It's about a reasonable set of controls and following that up with security awareness training.
With the push for big data to make money and create new services, how do you address privacy and security with all data moving around on the cloud and mobile devices?
As a consumer, we're a little more lenient in terms of what we're willing to share. I have a Gmail account, and if I went back and looked at the user agreement, I probably agreed that they could anonymously use all my information. We think that Facebook and Google are really cool, but they're using our behaviors as their business. Would you be willing to pay for email though? I probably wouldn't -- or pay for services like LinkedIn either.
More on data protection
Five steps for data privacy and protection
Virtualization still data protection challenge
Data protection: Complying with privacy laws
The flip side of that [is] there are simple things you can do like freeze your credit to prevent identity theft. As a consumer, there's free encryption on your laptop. These are simple things you should do. We have this blend of personal and work life, it's really grey. When I develop security awareness training, I talk about personal and work email phishing and it doesn't matter what type of email account it is, identity theft is applicable. But you need an annual security awareness program with major topics such as passwords and protecting IP. They may not know it isn't safe to download a product plan to their personal laptop without certain controls. Your finance people may not know that the file they send should be password protected.
But you have to make these lessons fun, interactive and personal. Instead of a session on protecting IP, say instead: "You spent all this time creating these incredible products, so you want to protect them, right?" This gets their attention, as opposed to here's the IT guys telling me, again, to change my password. The sales organization -- ask them if they'd like it if one of their customer's information were posted on the Internet or sold to one of their competitors.