The Equifax security breach is on everyone’s mind. Equifax has broken our trust and made clear that security is everyone’s problem — ultimately, no one is immune to the effects of poor computer security.
With Equifax in mind, it’s time to talk trust and security. To dive deep, I invited the chief trust officer of Unisys, Tom Patterson, to be a guest on episode 238 of the CXOTalk series of in-depth conversations with world’s leading innovators.
Unisys traces its history back to 1873, with typewriters and adding machines, and the company is an iconic brand in American business. Unisys brought in Tom Patterson to lead its global security business.
During our conversation, Patterson explains why effective security must go beyond technology to encompass business strategy and practice at the most senior levels in an organization. It’s a perspective that explains why organizational leaders and technologist are jointly responsible for securing data, corporate assets, and even critical infrastructure.
However, the technology itself is also fascinating. From micro-segmentation to predictive analytics, there is plenty of material for the most hardened technologist to study and enjoy.
Watch our entire conversation in the video embedded above and check out the edited excerpts below. You can also read the entire transcript of our discussion.
Is security a business or technical problem?
It used to be bits and bytes and routers and firewalls. Now, it’s boardroom decisions and what should we do about an M&A? How should we go into a merger? How should we partner in this country or that country?
These are all business decisions. And, the threats are dramatic. There’s not only the threat of being shut down or having all the information that you are entrusted with taken from you, but there’s also regulatory compliance now. New regulations coming that starts next year where the fines start at $20 million dollars and go up from there.
It’s an issue that goes well beyond the technology. That’s what the chief trust officer role works with here. We’re a coordination point for privacy, physical security, and business security issues.
Whether there’s a hierarchy, whether they’re in the same group, whether they get together informally, all their voices need to be respected and proactive. If the group is getting together for the first time after a security event has happened, that’s the wrong time. These folks should be working together on a regular basis.
A lot of time, privacy reports to the legal counsel, and the physical security reports to the COO and the chief security officer reports to the CIO, which are still different towers still. We haven’t evolved that much that quickly.
But, having them work together at the direction of the board, at the direction of the CEO and the global leadership team. Get together, work this stuff out together, that’s where they’re finding these great synergies. That’s where they’re saving money. That’s where they’re lowering risk overall; privacy risk, and security risk, and physical security risk. We can address all these things together.
Where does technical debt have an impact?
Most every company of any size that’s been around for a while has issues like technical debt. They’ve got old stuff and there’s not enough money to buy all new stuff.
So, they’ve got to work together and be realistic with each other, and say, “Well, we’ve got this privacy spin that we’ve got to do, and we’ve got this technical debt issue here, and we’re trying to go an open business in country X and country Y. Let’s design a system, maybe using a cloud provider and some micro-segmentation and we do this.”
Suddenly, we’re addressing all those issues with one spend. That opens the eyes not only of the practitioners but also of the business leaders and the governance leaders across the board. Literally around the world.
What is micro-segmentation and why is it so important?
Security people have long known that it’s better to segment their network, so, if one part gets broken into, the other parts will be safe. It’s a concept called “east-west collateral movements,” which you want to stop.
They used to do by putting a firewall between this building or that building, or between this giant network or that giant network. That’s how they segmented their networks.
Well, we have gone to clients that had over 100,000 individual rules on one firewall. No one can keep up with that! They don’t know what rules are there, who wrote them, what they’re for; so they don’t touch them. In those old days, it was so expensive to segment that people stopped doing it.
Enter a new concept, a new technology, called “micro-segmentation.” We’ve been working on it for over five years with individual clients, but it’s now a generally available commercial product called “Stealth,” which we can weave into any existing network to allow you to create little, tiny microsegments, completely transparent to the users, that don’t require any firewall rules. If you’re in accounting, you get to see the accounting resources and nothing else. If you’re in marketing, you can see the marketing resources and nothing else.
Even though all the networks are still interconnected, the packets are locked into these little, tiny microsegments, which makes it easier to protect the network and deliver the resilience that’s necessary. Someone still might click on the wrong thing, but that attack is going to be limited to their little group. The accounting people and Poughkeepsie might be affected but not the rest of the world.
We use artificial intelligence to create the whole mapping. When we roll out micro-segmentation with Stealth, it can be transparent to employee or associates. If they are not breaking the rules, they’ll never even know it’s there.
Explain the concept of resiliency?
Resiliency is a key word in 2017. They UN is focused on that. Many big, global organizations are trying to shift the focus because in security you have to be perfect to be any good at all. Resiliency and “perfect” are difficult to achieve in this day and age. Even the best systems are attacked successfully because something breaks down. So, we’re focused on resiliency.
For example, what if someone at a power company clicks the wrong thing in their email or leaves their laptop on the train with the password taped to the top. Or, they lend their laptop to their kid who clicks on the wrong website at home one night. Those things happen; it’s part of life.
The concept of resiliency, which Unisys really stresses with its clients, recognizes that’s going to happen but don’t let it shut off the lights for an entire country.
We deploy all sorts of countermeasures within an organization to make sure that when something happens, we can limit it. It starts by segmenting so if one part of the power system is corrupted, the rest will not be.
But now, we’ve implemented cool things, like predictive analytics. If we look at many data points within the organization and around the world and use artificial intelligence to analyze them, we can predict threats forming that look like they’re going to attack. At the same time, we now have machine-to-machine defenses that can automatically reconfigure themselves into a more defensive posture when they see predicted threats starting to form.
That’s the future of what critical infrastructure really needs. They need it not only in power, they need it in transportation, in banking. There are 18 critical infrastructure sectors around the world. That critical infrastructure needs protection.
Any quick thoughts on Blockchain and security?
I love Blockchain for distributed trust. It’s going to be a huge enabler, especially around the Internet of Things, where trillions of devices that are connected. There won’t be time to go to a trusted third party, so we need peer-to-peer trust. That’s what Blockchain brings us. Great place to focus on learning, and investing, and working with building into your systems.
What about security and IoT?
IoT is a privacy issue, first and foremost. Internet of Things devices are used as industrial control systems. We protect a lot of the valves that open and close gas pipelines and oil rigs, and electrical switches on towers.
All those are little, mini computers. Those have to be secured. The things like the FitBits and the health monitors need to initially be secured for privacy, but we need to design the same level of security that we’re doing in the industrial control systems into all sorts of IoT.
It’s a big issue coming out. First, you’ll see it in privacy on the consumer side. Then, you’ll see it as security, as we move from cars entertaining us to cars driving us home. That’s going to be the big change and we need to take security seriously across the board.
Finally, quick thoughts on security in cars?
Cars scare me because they have never historically taken security seriously. There’s a thing called the Can bus, which is an interconnection point for sensors that have been on cars all along. In the beginning, everything plugged into that, including turning your steering wheel to “park” and pressing the accelerator or your brake.
Now, we’re starting to have better systems, like little, tiny firewalls and microsegments in the cars themselves. You definitely are going to choose which brand of vehicle to buy based on their cybersecurity safety record, and it’s something that every manufacturer is getting very, very serious about.
CXOTalk brings together the most world’s top business and government leaders for in-depth conversations on AI and innovation. Be sure to watch our many episodes!
(Cross-posted @ ZDNet | Beyond IT Failure)