Five Questions With...

Robert A. Clyde, a recognized industry leader, has more than

25 years of experience as a security software executive with

demonstrated leadership success at startup companies, small

businesses, midsized businesses and large companies, including

Symantec and Axent Technologies. An Internet security pioneer

and innovator, he is credited with the creation of the first

commercial intrusion detection system. He is a founding board

member of both SAFEcode and the IT-ISAC.

As chief technology officer at Symantec, Clyde was a key part

of the management team that drove the company to grow from

slightly under US $1 billion to more than US $5 billion in revenue,

during which time the stock split three times. Clyde currently

serves as managing partner of Clyde Consulting LLC

(www.clydeconsulting.com), which provides advice and

assistance for companies seeking strategic partners or exits;

technology review, advice and due diligence for companies

considering acquisitions or partnerships; computer and Internet

security advice; and speaking engagements on information

security and technology.

When not working, he enjoys fishing, hiking and boating with

his family in the beautiful canyon lands of Utah.

Rob Clyde, CISM

Q What do you see as the biggest security threats/risks? How can businesses and individuals protect themselves?

A To understand the greatest security risk, let’s examine the motives of the attackers.

Today’s attackers are trying to make money, not just prove that they can hack into a system or create chaos through cybervandalism. Stolen identities, bank accounts, credit cards and e-mail addresses are easily sold online in an underground economy. In fact, according to Symantec, the credit cards and bank accounts offered in the underground economy are worth more than US $7 billion.

That makes this kind of identity-related personal data the primary target for cyberthieves. Most businesses collect, transfer and often store personal information about their customers and employees. All individuals have this kind of information for themselves. So, we are all a primary target and we are all at risk. Over the past couple of years, the largest and most publicized cyberattacks have revolved around the theft of identity-related information.

Malicious code continues to grow rapidly. According to both McAfee and Symantec, unique instances of malicious code exceeded US $1.5 million in 2008. With US $1.2 million in the first half of 2009, unique instances of malicious code are likely to have totaled well over US $2.4 million in 2009. However, while several years ago malicious code seemed primarily

designed to disrupt systems and networks, today’s malware is frequently designed to steal information that can be sold for a tidy profit. For example, many instances of malicious code include keystroke loggers collecting passwords, Social Security numbers, credit card numbers and online banking login information.

So what can we do to protect identity-related information? Individuals should take care about entering private information online and should do so only for legitimate web sites using Secure Sockets Layer (SSL).

However, attackers using fake web sites in phishing and pharming attacks can make such a determination difficult for even expert users. In addition, legitimate web sites are a constant target for infection, making any site a potential risk. Given the sophistication of today’s attacks, it is essential that users always run strong antivirus software that includes browsing protection that can automatically detect suspicious sites and malicious code. Most major antivirus vendors offer such capabilities. Especially consider those that include reputation-based protection.

The first line of defense for businesses is to limit the storage of identity-related information to that which is absolutely necessary. For example, oftentimes credit card or bank account information only needs to be transmitted for the transaction and does not need to be stored. Identity-related information that is stored should be encrypted. Format-preserving encryption, such as that offered by Voltage, preserves the format of the field, e.g.,

1ISACA JOURNAL VOLUME 2, 2010

a 16-digit credit card number is encrypted into a new 16-digit number, allowing it to be stored and used by existing software without requiring modification. Transmitted identity-related information should always be encrypted.

Web sites can use site keys (user-selected images) as part of the login process to prove to users that the sites are not phishing sites. Sites can also use biometrics, strong authentication software that is tied to a specific user’s system or hardware, and strong authentication keys to improve user authentication. However, stronger authentication can make it more difficult for users to sign up and access web sites, and in many cases could limit business.

Unfortunately, web sites are often developed quickly and with little concern for vulnerabilities. Today’s attackers comb the web looking for weak web sites and infect them with malicious code. It is essential that web site owners and developers have their software tested for vulnerabilities and regularly scan their web sites to ensure that they are not infected.

These are just a few of the things that individuals and businesses need to do to protect themselves, but one thing is clear. Given the sophistication of the attackers’ tools, defenders have to employ sophisticated tools of their own. Gone are the days when merely being cautious will protect individuals and businesses.

Q How do you see cloud computing changing the way we do business? What are the biggest security concerns with cloud computing and how do you see them being addressed?

A Cloud computing is one of the most significant trends of the traditional server for many IT applications. Why

buy a server to run an application, when you can run it over the web for less money and less hassle? For example, for less than US $50 per user annually a small business can leverage the web to quickly deploy e-mail, calendaring and storage for shared files without installing a single server. And, yet, the user experience is as good as, or even better than, traditional server-based solutions. Managing customer contacts, health insurance, payroll records, 401(k)s, etc., are all done in the cloud by many businesses.

In many ways, cloud computing is leveling the playing field between newer or smaller businesses and large established businesses, allowing new players to quickly ramp up IT

infrastructure capabilities equivalent to their larger competitors at a drastically lower cost and with breathtaking speed. For their part, larger businesses are moving traditional server applications to the cloud to improve nimbleness, enable broader access, leverage data through innovative mash ups, and create new ways to do business with customers and partners.

Cloud computing is also an enabler for mobile computing, allowing applications to be used not only from traditional PCs and notebooks, but also from smartphones and handheld devices. In many cases, it is easier to move an application to the cloud to enable mobile computing, than to try to add handheld support to the traditional server application.

Of course, cloud computing does change the security paradigm. Sensitive data are no longer stored in a server farm controlled by the business, but rather in systems connected to the web and probably not owned by the business. In many cases, a business’s IT governance and security policy may need to be adjusted to reflect this. Most of today’s automated compliance tools do not cover the cloud computing applications and data. Even though many cloud computing environments are built with security in mind, businesses are still coming up to speed with appropriate governance and policies.

Cloud computing providers are part of a business’s IT supply chain. As such, businesses should require minimum security measures and ensure that there is a mechanism in place to assure compliance. Cloud computing providers can make this simpler for their customers by following standard IT governance frameworks, such as CobiT.

Since handheld devices and smartphones can often be used to access cloud computing applications and data, it is essential to review security policies for mobile devices and to make sure that they specify adequate controls to protect access and sensitive data. For example, the devices should require a passcode upon startup and screen lock after idle time. If sensitive data can be stored on the device, there should be a way to remotely erase the device if an employee is terminated or the device is lost.

”“Cloud computing is

leveling the playing field between newer or smaller businesses and large established businesses.

2 ISACA JOURNAL VOLUME 2, 2010

Q What are your predictions regarding information security/privacy legislation and how do you see it impacting business in the near future?

A As I indicated in my answer to the first question, identity theft is the greatest risk businesses and individuals face

today. Indeed, more than 330 million records containing personal identity-related information have been involved in data breaches since 2005 (according to the Privacy Rights Clearinghouse).

In the US alone, businesses are faced with a myriad of data privacy and data breach notification laws from 45 different states. Trying to comply with each state’s individual laws and breach notification rules is confusing and costly. The result is that companies are forced to plan for whichever state has the most onerous rules. For example, if a notebook that contains customers’ personally identifiable information is stolen, many states require that the company notify customers of the theft and potential danger to their identity.

Some states require breach notification even if the stolen data was encrypted on the notebook, even though no danger really exists. Ironically, such a law actually reduces security since there is no incentive to encrypt and protect data. After all, why go to the expense of deploying encryption, since even with such protection, the business still has to notify its customers?

On 5 November 2009, two key federal data security bills were approved by the US Senate Judiciary Committee: 1. The Personal Data Privacy and Security Act of 2009,

sponsored by committee Chairman Senator Patrick Leahy, D-Vermont

2. The Data Breach Notification Act, endorsed by California Senator Dianne Feinstein, D-CaliforniaThese bills have bipartisan support and are likely to pass if

they come to a vote.Both bills would provide federal laws that supersede the

existing state laws, making it simpler for businesses to make security policy and comply with privacy and data breach rules. While Leahy’s bill would require organizations to notify individuals whose information was compromised through a breach, organizations would not have to do so if the breached data were encrypted or otherwise rendered useless (e.g., a stolen mobile phone’s flash storage was securely erased.)

The bill also requires that companies set up security policies for the handling of personal data, establishing guidelines for risk assessments, vulnerability testing and

controlling access to private information. It also calls for a new Office of Federal Identity Protection inside the Federal Trade Commission, which would provide the necessary oversight. While Feinstein’s bill also imposes breach notification requirements on businesses and federal agencies, it includes a “safe harbor” provision, eliminating the need to notify if a risk assessment shows that the incident will not damage consumers.

The potential passage of these bills has strong implications for today’s organizations. The new bills would provide clarity to businesses about breach notification and policies for handling identity-related information. Overall, I believe the bills are a net positive for business and should reduce some of the cost and confusion inherent in the myriad state laws. Moreover, the bills would be a catalyst to beef up security policies, and implement encryption as well as risk assessments and vulnerability testing. This would provide security professionals with the ammunition to better secure data and should also benefit security vendors providing relevant solutions.

Q How do you think the role of the security professional is changing? What would you recommend to security students or new security professionals to better prepare them for this changing environment?

A IT has been evolving from a technology profession to a business profession that uses technology to meet the

goals of the enterprise. Chief information officers (CIOs) have seats at the executive table and are expected to help drive the overall business, not just keep the lights on. The roles of the chief information security officer (CISO) and security professionals are affected by this paradigm shift.

Traditionally, IT security professionals are known as the people who say “no” to new projects and innovative ways of doing business. We always come up with good reasons why something new is a security risk. For instance, I can remember asking attendees at an ISACA conference in 1991 how many had a policy against connecting their business to the Internet because it was too dangerous and nearly every hand went up. Those companies that waited too long to figure out how to leverage the Internet ended up playing catch-up, while those who figured out how to do it quickly were more likely to prosper. Today, we face similar challenges relative to cloud computing and mobile computing.

3ISACA JOURNAL VOLUME 2, 2010

Today’s security professional must evolve from being a “no” person, to a “let’s find a way” person. By “let’s find a way,” I do not mean just blindly saying “yes.” A “let’s find a way” security professional figures out how to effectively manage the risk by developing appropriate controls that support a new business method. Those companies with security professionals who actively work with others in the company to develop new and innovative ways to do business

will succeed. Those who focus solely on creating rules, trying to foil hackers, and just saying “no” will fail.

The implications of this are profound. Security professionals have to be more than just security experts. Now a sound business understanding is

essential. Communication and collaboration skills are a must. Security students should consider taking business courses or even getting a master of business administration (MBA) to complement a technical undergraduate degree. New security professionals should work to become intimately familiar with the products and services their company offers, talk to employees in the lines of business, and visit customers to understand what they like and do not like about the way the company does business. Trying to understand how current security controls get in the way (and you will get an earful on this) enables new professionals to figure out ways to simplify things while still maintaining an acceptable risk posture.

Q What has been your biggest workplace challenge and how did you face it?

A I think my biggest workplace challenge has to be letting employees go, especially when it is for economic

reasons and not lack of performance. People are what make organizations successful and I have had the honor of working with some of the brightest and most talented people in the industry during my career. Laying someone off is never easy and, I dare say, I would never want it to become easy. The way I have faced those situations is to be honest and straightforward about the situation and not try to sugarcoat the situation or offer any false hopes. Getting straight to the point and giving clear honest answers seems to work best for me.

I really do not want to end on a down note by discussing layoffs, so I have picked another challenge to discuss as well. I recall vividly struggling to make Clyde Digital succeed in the 1980s as one of the first security software companies, specializing in intrusion detection, policy compliance and vulnerability assessment. The challenge was trying to convince customers that they needed computer security at all. There were a few major break-ins such as Kevin Mitnick’s exploits, documented in Cliff Stoll’s The Cuckoo’s Egg, but not enough to drive huge sales and most companies did not have any security professionals on staff. Nevertheless, financial institutions and the federal government were concerned enough about the insider threat to keep us going and we were able to become profitable.

In 1991 Clyde Digital was acquired by Raxco Software, where I ran the security business unit and then out of that we formed a new company, Axent Technologies, to focus on security. We were lucky, because at the same time the Internet became more pervasive and the need for security became painfully obvious. Axent Technologies grew rapidly and did a successful initial public offering (IPO) and then in 2000 it was sold to Symantec for US $1 billion.

So I guess the lesson is perseverance and adaptability. Maybe I was just stubborn, but I held on to an early vision that security would be important in and of its own right and not just something that IT professionals tried to ignore as best they could.

”“Today’s security

professional must evolve from being a “no” person, to a “let’s find a way” person.

4 ISACA JOURNAL VOLUME 2, 2010