Based on 25 years of professional experience in various businesses around the globe, I can say that many industry verticals have a pretty good state of safety culture as it relates to the health and safety of their employees. This is especially true for companies involved in high-risk businesses such as oil and gas, (nuclear) energy, manufacturing, chemicals, food processing, and so on. In such industries, it is pretty clear that there is a risk that something may blow up, hurt, or even kill people.
However, it seems that the next big driver for them is business alone, and they are not as focused on information or IT security when it comes to the logic side of security like bits and bytes, document handling of confidential information, and similar subjects. This is in stark contrast to their keen attention to physical safety and security issues.
It would seem intuitive that any organization with a commitment to safety by counting (and incentivizing) the hours (days, weeks, months, …) of safety-incident-free time should also be easy to convince that taking a similar approach to information security would be a good thing. But it is not that easy. Operations in these businesses are very physical, so it is not really in the mind-set of a rig guy or gal, a welder, a component mixer, machine operator, or similar, that another devastating incident (attack) could happen from “within” the system(s), by a human adversary committed to do harm in the interest of their nation state or paying agent. All those systems in the above mentioned industries that are working at the process level (sensors/actuators, process control, SCADA (supervisory control and data acquisition) are designed for efficient and effective, good performing, and reliable operation, but they were not really designed and built to resist logic attacks from a human smart guy who can outsmart almost every defense.
In industrial networks, spanning the areas of instrumentation, control bus, operations, business, or enterprise, the often cited Purdue reference model that provides for several “levels” or “zones” of abstraction and segregation can be used. A really good introduction can be found in the Secure Data Transfer Guidance for Industrial Control and SCADA Systems.
I have been coaching youth sports for the past seven plus years now and one of my common mantras when speaking to the girls and boys each season is that “we will win as a team and lose as a team.” In other words, I will never tolerate one player acting selfishly enough to think he or she is above everyone else on the team. I strive to instill the objective that we will collectively pool our talents for the betterment of the team. We use this approach because each boy and girl, believe it or not, brings with himself or herself a unique set of abilities and strengths with which the entire team will benefit.
So why should you care about my coaching philosophies? :-) Read More »
We all know that the virtualization and cloud megatrend is a game changer for data centers, leading to profound shifts in everything from IT services and business models to architectures. Business benefits include reduced capital investments, new revenue growth opportunities, and the greater efficiency, agility and scalability demanded by globalization.
Enterprises have held back from making the transition to virtual and cloud environments primarily because of the inherent security risks and concerns.
Targeted attacks and security breaches are getting more sophisticated. The Verizon Security Threat Report for 2011 showed that 3.8 million records were stolen in 2010, and 94% of this data came from servers (an increase of 18%).
As security concerns are the primary barrier to making this transition from virtualized data center to cloud, we must rethink how security fits in to these new architectures and develop new security tools to ensure the secure transfer of information.
For enterprises to confidently seize the business benefits offered by data center virtualization and the cloud, security must be seen as the art of the possible, not as a hindrance.
Watch below as I explore the challenges and leading practices for securing virtualized environments today, and into the future.
Please join me also for a special webcast ”Defending the Data Center “ today at 10:00 am PDT /1:00 pm EDT /17:00 GMT -- To watch register here
I have a thing for metaphors. I wrote my dissertation on them. And they have helped me enormously as a non-engineer working in IT security.
Metaphors are powerful tools (that’s a metaphor, by the way). Literally referring to something as something else enables us to make mental connections between concepts that are not really the same. War and weapons have proven historically useful metaphors. In wartime, everything changes. We look at the situation, our opponents, and even ourselves very differently (I like the image of a noble warrior on the battlefield more than that of a guy who spends most of his day sitting and typing…)
But metaphors also cause trouble, especially when we use them to over-simplify. I am skeptical of “security as war” metaphors, including that of the arms race. The metaphor detracts from the very real threats of cyber- and information warfare. War doesn’t define security any more than war defines firearms. Unless we are specifically talking about threats from nation states (and a few other actors) using information technology as part of armed conflict, we are not talking about war. And this is not what we are usually talking about in information security.
During my 25-year career, I’ve been fortunate to work closely with some of the best and brightest, supporting government and enterprise customers around the world regardless of where I worked. These experiences have enabled me to meet with statesmen and CEOs, into open and closed-door meetings on “the Hill” and abroad, to serve as a member of the CSIS Commission on Cybersecurity, and participate on numerous think tanks, boards of directors, and advisory boards. I’ve worked and learned from leaders in private industry and global governments, the defense and intelligence communities, and I’ve always gotten after it with the goal of making a difference and producing positive results.
When Brad Boston asked for me to succeed him in leading the Cisco Global Government Solutions Group (GGSG) in addition to my role overseeing the Corporate Security Programs Organization (CSPO), I was humbled, honored, and excited. GGSG/CSPO is a great organization. Fortunately for Cisco, our customers, and me, Brad will remain nearby, focusing on our go-forward strategy for Satellite Solutions. This expanded role certainly ups the ante for me, yet it is not an altogether new one. As a member of GGSG senior staff since it was formed, and in my role leading Corporate Security during the past ten years, I’ve watched the organization grow and thrive.
In taking the helm, I will build on this team’s outstanding achievements in meeting the unique requirements of governments around the world. We’ll continue to address the challenges faced by global government agencies, defense and intelligence communities, and work to advise our public sector customers on the leading practices and technology solutions that can achieve and enhance their mission goals. In my ongoing role as Chief Security Officer, I’ll continue to oversee and work with my leadership team to drive initiatives focused on Information Security, Product Security and Government Security, with focus on crypto, advanced government services, and cybersecurity—in support of our customers.
My expanded leadership team and I recognize what a critical role we play for our global government customers. To all of you, rest assured, we will continue to strive to become your most-trustworthy vendor and a true partner—one that works hard to help enable your mission success, delivers on our commitments, and gives only our best.