The massive data compromise at ChoicePoint Inc. earlier this year has made the Alpharetta, Ga.-based data aggregator something of a target for those calling for tougher data protection laws. In an interview with Computerworld, Rich Baich, ChoicePoint"s chief information security officer, talked about the breach, the measures that have been put in place since then and the lessons inherent for other CISOs.
You have in the past said that what happened at ChoicePoint was not really a security breach. Then what was it? It all comes down to how you define a breach and how you define an incident. This was fraud. Someone fraudulently provided authentication to the system. It"s no different than credit card theft and credit card fraud. Those are never referenced as IT-related issues though they happen millions of times every year. In fraud terms, it"s called an account takeover. And that"s what occurred. All I was trying to do was educate the press more than anything else that this was not what everyone would call a traditional hack.
So has the press got it now? I see it"s much better now because we"re at 65-plus incidents (reported) so far this year, I believe. There are a couple that are being referenced as hacks that are truly hacks and the rest are fraud or lost tapes. There was one time people were screaming, "Rich, you"re a victim of social engineering" and that "you"re in charge of all the information because you"re the information security officer." Well, am I in charge of the mailroom when someone loses mail? Because that"s information as well. And that"s all I am trying to say. People are trying to point to a person when we really need to be looking at things as an industry.
But wouldn"t better IT controls have helped? Sure. As an industry I think we have gotten better with our fraud analytics tools. There"s technology that can do geographic IP locations. (Such tools) can help mitigate the risk. Then again, a very intelligent adversary can figure out a way around that by bouncing off proxy servers and different things. But there is some technology that can help mitigate the risk -- not stop it.
So are you doing anything differently now? Yes, we absolutely are. We are looking at our entire credentialing process, the entire business process and how it"s being done. We are looking at putting additional technologies in place and the way we do business with others. We actually went down to an even better level by looking at the type of data they need. Do they need stuff that relates to PII (personally identifiable information), or do they not? If your job function doesn"t require that, then you don"t get it.
What"s the take-away from that whole incident? What"s your advice for CISOs? If you are going to have this role at a time when there is really no firm guidance, make sure you have selected a model to implement. ... I think today when people ask, "Are you providing adequate security?" that is such a big, open question and it may be interpreted by so many different people in so many different ways. I think if you have selected a model and you are implementing a program around that model I think you can be successful, regardless of what happens.
Why are we hearing about so many major data compromises these days? What"s happening? I think in general more organizations are reporting it. But I also think the processes and the technologies have matured so that they are now realizing it. You have to remember an incident is an incident only if it"s reported. So, as frightening as it is, there is also a positive end to it because at least the people are catching it.
Will the concern generated by the recent spate of data compromises inevitably result in more mandated controls? When people say they want to put controls in place, it may be difficult because what controls do you put for what kind information? Every good security practitioner knows you have to understand the assets and then you build protection profiles around it. So this particular asset may be a Type 1, and its protection profile may have five components to it. Type 2 may have 15 components and a Type 3 may have 26. The government may have a tough time labeling that. But I think something has to be done. Intervention is good. Education is better, and technology and processes make it more so. I think the incidents have caused a new focus within many organizations, and I think in the long run that itself will also help mitigate future risk.
Are companies looking at compliance requirements more as a baseline set of controls they have to meet from a security standpoint, or as the ceiling? I think every company is always evolving to be stronger in their own maturity model when it comes to security. Our own focus more and more has been on data protection. We had a data destruction policy before this recent (Fair Credit Reporting Act) came along. We already had a destruction policy in place and software in place to erase hard drives and to make sure media could not be accessed when destroyed or sold. We have tried to stay ahead of the curve. But the toughest part about legislation right now is you don"t know where it"s coming from and you don"t know to what to expect.
There"s a lot of legislation being done at the state level right now based on when you have to respond to customers. It can be difficult if there are 50 different requirements. So, hopefully we"ll see some sort of federal guidance around that.
You just released a book on what it takes to win as a CISO. So what does it take to win? Winning as a CISO is really about getting a seat at the boardroom table and becoming a true member of the senior executive team. It"s when you are able to intertwine security into every business aspect. It"s about leaning more toward risk rather than talking about security. If you ask every CISO what they do and what they are responsible for, I think you"ll get a scattergram of responses. How can you win if you haven"t decided what your responsibilities are?
Salespeople know when they win because they bust out their quota. CEOs know when they win because they meet their earnings. Security officers win when there are no incidents.