Brian O'Higgins, Top International Security Executive and Expert, Board Member Sector Advisory Council, CTO Third Brigade
An exclusive interview with Brian O'Higgins.
Chief Technology Officer, Third Brigade Inc. Mr. O'Higgins is a seasoned professional in the security industry, and is best known for his role in introducing PKI (Public Key Infrastructure) technology and products to the security landscape. He is also a recognized speaker on IT and Internet security.
Prior to joining Third Brigade as a member of the founding executive team, Mr. O'Higgins was the co-Founder and Chief Technology Officer of Entrust, a leading Internet Security company. While at Entrust he had overall responsibility for the technology vision and direction for the company. He was previously with Nortel where he established the Secure Networks group in 1993, and was instrumental in spinning-out this group as an independent company, Entrust. Prior to this, Mr. O'Higgins was with Bell-Northern Research (BNR) where he was involved in a variety of technology development programs including public key security systems, technology for new telephone products, in-building wireless communications systems and high-performance computing architectures for digital telephone switches.
Mr. O'Higgins' current list of affiliations includes advisory board positions with Defence R&D Canada, Information Technology Association of Canada, Communications and Information Technology Ontario, Algonquin College, and the Armed Forces Communications and Electronics Association. In addition, he currently serves on the boards of Recognia and Fischer International.
To listen to the interview, click on this MP3 file link
Interview Time Index (MM:SS) and Topic
|:00:31:|| ||Can you provide a profile of your roles and challenges?|
"...My role is a Chief Technology Officer with a small technology company called Third Brigade which provides security products to keep your server safe. But I'm more or less an industry spokesman for this type of technology....speaking to customers, analysts, including the press ...."
|:01:12:|| ||What are your recommendations for security governance (PCI and SANS work)?|
"....Compliance is driving our industry. One of the latest security standards which probably has the biggest bang for the buck in terms of compliance and is driving a lot of improvement in security is PCI (from the payment card association)...It's a risk taking standard....SANS is helping to produce another set of guidelines called the Consensus Audit Guidelines...It's very new and can be found through the SANS website (http://www.sans.org/cag/....This is sort of a Top 20 of the most important controls and metrics for effective cyber defense and continuous FISMA compliance...."
|:06:11:|| ||Can you talk about defense in depth and really what that means?|
"....You are not going to have just one layer of security....the more the better. If one should fail you will have others to back you up....The best way to think of this is that the innovation cycle in IT security is driven by the bad guy not from the good guy. In most industries it is the opposite...."
|:08:04:|| ||Brian profiles the Conficker worm and comments further on virus protection, malware removal. |
"....Patch the vulnerability....Make sure the virus protector product can detect and clean the particular malware....A four strong password policy....Standard controls for log inspection....Registry control....Look at traffic to and from server....Shield the specific vulnerability....Any one of them can stop it, but we need the combination of them to be defense adept and to be protected...."
|:11:18:|| ||What about Cloud computing?|
"....We lose what we know as security by default...where you had all your little groups of experts that really knew their stuff and doing the right thing....As opposed to the virtualized world, a few mouse clicks and you can spin up a new server and maybe host it in another country. It is so easy to turn on and deploy that a lot of the security processes that we had by default can very easily get lost...."
|:13:47:|| ||What do we need to consider with Virtualization?|
"....We have some very important issues with security....Your server images become like laptops now and in the corporate world the laptop is a catalyst where you really need to have end-point security on your machine. Before, you could live with perimeter security where the network was clean on the inside. But where you have computers totally protected one day and then move off the network and connect elsewhere and then return infected from the inside out - that is a problem. The same issue is happening to servers as we go forward in this cycle...."
|:16:34:|| ||Provide your predictions of future IT/Business security trends and their implications/opportunities?|
"....We are getting more and more interconnected....and we spend less and less energy putting security in....We have more capability, more inter-connectiveness and less control for security....In the enterprise we have another problem, I call it the security skills divide...."
|:19:27:|| ||Which are your top specific recommended resources and why?|
"....There are a lot of government organizations which are very good for looking at policy and guideline publications....Security organizations such as SANS...."
|:19:57:|| ||If you were doing this interview, what questions would you ask and then what would be your answers?|
"....The world is getting harder and the bad guys seem to be winning....What do we do?....How do we turn this around?...."
|:22:19:|| ||Brian shares some thoughts about his work.|