CIPS CONNECTIONS INTERVIEWS by STEPHEN IBARAKI, FCIPS, I.S.P., ITCP, MVP, DF/NPA, CNP
Rosaleen Citron: Eminent International Security Authority, Acclaimed Top-Ranking Entrepreneur and Executive, and CEO of WhiteHat Inc.
This week, Stephen Ibaraki, I.S.P., has an exclusive interview with acclaimed top-ranking entrepreneur and executive, Rosaleen Citron.
Rosaleen Citron is the Chief Executive Officer of WhiteHat Inc., an industry-leading Information Technology Security Provider. Ms. Citron oversees the overall vision of the company within marketing, partnerships, alliance programs and supplier relationships. She is actively involved in public media and corporate awareness programs, helping their partners and the public understand the need for security in today’s high-tech marketplace.
As an active member of the Computer Security Institute (CSI), the Information System Security Association (ISSA), and the Women’s Executive Network, Ms. Citron is actively pursued for speaking engagements. As a result of Ms. Citron’s widely respected elite expertise in security and business, she keynotes at numerous conferences around the globe, including at the 2005 e-Financial WorldExpo, October 27-28 in Toronto.
Ms. Citron has been amongst the Profit and Chatelaine Top 100 Women Business Owners for the past several years and has been nominated for the Ernst and Young Entrepreneur of the Year Award. Profit Magazine has nominated Ms. Citron as Canadian Woman Entrepreneur of the Year. Most recently, CRN Magazine named Rosaleen Citron #2 in the 5 Canadian Innovators Worth Watching in 2005, and she was selected by the Canadian Embassy in Washington to present a keynote speech on cross-border security.
Q: Rosaleen, with your extensive history of career successes and demanding schedule as CEO of WhiteHat Inc., we are particularly fortunate you found time for this interview. Thank you for sharing your considerable expertise with our audience.
A: Thank you Stephen; my pleasure.
Q: What are your key guidelines and processes for anticipating and managing business risk, ensuring accountability, and enhancing competitive advantage using technology and credentialed IT professionals as the key drivers?
A: IT security is a market community. We have a privileged trust relationship with some of the world’s most security-conscious organizations and their IT security staff. In other words, we’re connected. We know what works and what doesn’t work for them; we know what they have done, what they are doing and what they are thinking of doing. We’ve also witnessed the entire evolution of the Internet and IT security. (I have been around since dinosaur mainframes ruled the world.) Our IT Security practitioners carry numerous industry-specialized certifications and security clearances. They understand what products and services the clients require and are very careful of the clients’ resources, budgets and abilities in the implementation of same. The strong corporations today are very cognizant of the compliance issues and Brand protection. As the CEO of a company who understands the issues, I would want my Security handled by people who really know what they are doing and know they are trusted. After all, you are allowing them the ability to get close to the keys of your kingdom: client data, patent information, intellectual property, personnel data and more. Industrial espionage is at an all-time high; it is amazing how many methods someone can use to get data and trade secrets out of a company. We see a lot of companies that do some security work as a sideline; to us that is analogous to a plumber building your network. All of these factors lie at the heart of our decision-making and competitive advantage. We work in IT Security; it’s all we do and we really understand it.
Q: You speak of corporate brand, compliance, client privacy, digital identity, scandals and disasters as segments of the business landscape.
Q1) How do these areas influence how executives look at technology and how do we as business executives and IT professionals secure these areas?
A1: You have touched on a key issue. Executives don’t look at technology; they look at ROI. So you install a chain-link fence, barbed wire and a guard post. What’s the ROI on that? There isn’t one. But security doesn’t have an ROI; it should be considered as part of the cost of doing business. The issue we deal with is that security tends to be event-driven, so it is classified as tactical. Security needs to become part of the everyday process and should be treated as strategic from the get-go. However, we are seeing a shift as compliance issues, governance and privacy regulations are forcing companies to look at security, strong policies, client privacy protection and brand protection, and are moving them into a “best practices” area. It is not unusual today to see a CPO or chief privacy officer; just a few years ago this position did not exist.
Q2) What is the association or relationship to mitigating business risk?
A2: Every corporation accepts some risk; the decision that has to be made early on is how much risk you are willing to take. Having best security practices, technology and a savvy workforce serves to reduce risk while generally resulting in a better-running and a much more competitive organization. For example, when a company does not take the time or care to protect client personal data and it becomes exposed, several things will happen. The clients will lose confidence in the company and take their business elsewhere, the corporate brand will take a negative hit, and the competitors will learn a lesson that you paid for.
Q3) Can you provide an overview of the processes required to reduce risk and enhance competitiveness?
A3: First, there has to be a will to improve. Next, the threat environment needs to be identified, along with the attendant risks. The business assets need to be identified and their value established. A gap analysis shows up any deficiencies of the safeguards that are in place. Finally, required safeguards are identified, budgeted, implemented and monitored. Then, you repeat the process because it’s a new day.
Q4) How have elements of these areas become critical to competitive advantage and how can credentialed information technology professionals be leveraged to ensure continuing and sustained success? Do you have added comments, best practices and standards of practice recommendations, to make specifically about governance and compliance?
A4: As I mentioned earlier, the well-organized and prepared corporations have taken a good look at themselves and determined how much risk they can afford. Then they have looked at the personnel who are best to carry out the plans. Professionals at all levels that are credentialed are important to the plans because they keep themselves up to date in their area of expertise, and their value to the company is very high.
We have a five-step strategic plan that we work from; the one thing we all have to remember is that if everything is a crisis, then nothing is.
1) Start with a twenty-thousand-foot view of the corporation: What are the priorities? A strong 5-year business plan is a great start. This helps you understand where the company wants to go; then you can create security strategic objectives.
2) Risk Assessment. Once you have your priorities in order you look at which risks you face that could slow down or immediately stop the business in its tracks. You achieve this with a strong security assessment, internal and external.
3) Set goals that can be measured. What do you need to protect? Generally we recommend that you need to protect your people, products, profits, processes, hard assets, and of course, your reputation. Each industry is different and has specific risks - these are just the general ones.
4) Time frame. In strategic planning, long term (3 to 5 years) is the norm. With security, the maximum you can have plans in place for is usually a year to eighteen months. New threats emerge all the time and also have to be taken into consideration as “unknowns”. Regulations and compliance within an industry can change rapidly due to events.
5) Be flexible; you can’t plan for everything. A good example of this is Google hacking: hackers use the search engine to do vulnerability analysis of your company. Or phishing and spyware: two or three years ago there was no way you could have included these in your strategic security plan.
Even with all of these plans and tight security, sometimes something happens. What does the corporate internal and external communications strategy look like? We have all witnessed in the press issues with specific banks: corporate data exposed, faxing problems, Canadian Tire money coming out of ATMs, credit card information exposed or stolen. The easy way to tell if the company involved had the right risk mitigation and communications plans in place is to ask which ones you remember as “boy, that was bad”. They generally have a very poor communications plan for the media and the public. The companies that did an excellent job of communicating the issues, and even more important, communicated the remediation plans, are the companies that ultimately won that war. You probably remember the story but can’t remember the company name - and that’s the point.
Q: Where do you see your company positioned in 2006 and into the future to address the changing landscape?
A: Some things change and some stay the same. As I have shown with a corporate strategic security plan, we take our own advice (quite a concept); WhiteHat must remain flexible. We have a core business philosophy and ethic that will continue to serve us well into the future. We have been very diligent in staying ahead of the curve in threats, changes and laws; it’s part of our job and this is what makes us an excellent partner for our clients. As far as changes, we know that we are in a good position to proactively track the evolution of IT security and our clients’ business models. Compliance and brand exposure are two very busy areas. Security, compliance and privacy software/hardware manufacturers are going through a high-speed consolidation. In a few years there will probably be only five or six really big IT security manufacturers. Not something we view as a good thing. A lot of times a really tremendous technology is acquired by one of these companies and a couple of years later no one can remember the name, let alone where it landed. One of the areas that has served our company and the practitioners we employ well is the ability to create interoperability of these security and compliance products. Our specialists don’t know one firewall; they know the top five. Our recommendations are based on how these technologies, policies and protocols interface in the client’s environment.
Q: From your substantial career, which experiences have generated the lessons of greatest impact; what are the lessons that you would want to share with other executives?
A: One of the strongest lessons I have ever learned I see nearly every week. We perform assessments for clients. Our practitioners write comprehensive reports, we look into the proverbial corners, sweep under the mats, look behind things and inform the clients what remediation they need to take. Most times there are no real hard costs involved - it’s just policy changes, or closing down holes in the networks, or changes to procedures and the documenting of same. Yet they still do not remediate. Then when something happens, they are surprised. The lesson is, when you take the time and spend the money to find out if you are secure, read the report, act on the high risk issues immediately and set a plan to complete the recommendations.
Q: Please make five predictions for the future and how business executives and IT professionals can best prepare?
1. SuperBugs – worms, viruses and trojans, oh my! Put them all together and you have zero-day superbugs. We have already seen zero-day attacks (this is an attack that affects millions of machines in less than a day), and we have seen viruses and worms that have payloads (a virus gets into your systems, nothing happens, then on a specific date, time or event the virus launches). When you put this all together you will have a Superbug.
To prepare, your antivirus vendors need to be held responsible, but the end corporations and end users are responsible to update their software. None of it will work if you have not kept yourselves up to date. If the bug was powerful enough that it could shut down entire networks in seconds, have a plan in place as you would for disaster recovery.
2. Identity Theft – In June of this year, I predicted that by the end of the year (2005) a minimum of 10% of the US population would have had its personal data exposed in one form or another, putting these people at risk of ID Theft. Three days after I made this prediction, 40,000,000; that is, forty million credit cards and attending data were exposed.
To prepare for more of this, make sure you pay attention to changes in your credit; there are a number of free services and now you can buy insurance. Today if your identity is stolen, you are at risk of monetary loss, credit loss, and on top of this you are responsible to clear your name. The average person would need approximately 100-200 hours of phone calls and letters. Make sure that your credit cards have fraud protection. This is your life, protect it.
3. Industrial Espionage – this is at an all-time high and we see incidents every week. Internal security has become a high priority for corporations that have intellectual property to protect. To prepare, have a plan and understand what is most valuable to the company. Scan for keywords of this valuable information, make sure it’s not getting out via e-mail, spot-check courier packages, be very careful with instant messaging, and keep the corporate jewels in a safe place with only trusted employees having access. Lately we have seen several incidents of industrial theft that were perpetrated by an employee of five or more years.
4. Phishing: Simply put this is Identity Theft of corporations. Here is where Brand protection comes in. Phishing is becoming more sophisticated and it plays on the psychological fears of humans. You get an e-mail that looks real, it has the corporate logos and correct electronic addresses, and it informs you the company is experiencing difficulties. The most popular being:
You tend to react by doing what the message tells you; from clicking on the link to a website that also looks very legitimate, to changing your passwords and ID’s online. In the meantime, the company whose name is on the e-mail knows nothing of this and you just gave your personal key information to someone with nefarious intentions.
To prepare for this, corporations need a very good communications strategy, key messages, and a remediation strategy. You might even want to look into the new flavor of companies that specialize in brand protection. Their mission is to scour the internet for anything with your corporate name, address, logo etc. on it and review the content. We have seen this type of planning reduce the threat and exposure to corporate brands from weeks, in some cases, to hours.
5. Cyber Terrorism: This is not an area I wish to predict; however, we have to face facts. If you want to disrupt a government or a country the use of cyberspace is inevitable. To prepare for this is difficult; government and law enforcement are very concerned about the potential threats and are taking steps to plan for these things.
Q: What does your research indicate about the burgeoning China-based market?
A: The emergence of China as an industrialized exporter will impact IT. The rate at which this happens will depend on whether that country can sustain explosive growth. History shows us that the markets are unkind to that kind of expansion. From the standpoint of the IT security business, it will be less of a factor. While IT jobs may be outsourced there, IT security will most certainly not. There will also be strong resistance to any IT security software written there. Security experts are very concerned about the fact that for $5,000 (more than an annual salary), it is very easy to bribe an employee into building a backdoor into certain technologies.
Q: How about India?
A: India has grown more organically and is a more stable economy. Further, when they made the decision to start writing software and became a recognized player in the area, they did some things very well. A good example of this is the standards to which they write software code. In North America, software manufacturers/developers have long believed that 14 – 17 defects/errors per 1,000 lines of code were acceptable. The developers in India chose a path of quality and work towards 0.03 errors or defects per 1,000 lines of code. Again, IT jobs will be outsourced there, but we believe that IT security will most certainly not, and again for similar reasons to China.
Q: You are continually selected as one of the top executives. How do you wish to shape the world and contribute to the fabric of history?
A: We have a very strong corporate social conscience. Our executive team and I speak at a lot of events to educate people in proper computer hygiene. It is our responsibility to teach our children the right and wrong uses of computers and technology. We teach them not to talk to strangers on the street and in cars, but do we also warn them about the predators on the internet? The bulk of the security threats we suffer from today can be traced back to home computers. Over 200 million home computers around the world have been captured as zombies and are being used by hackers to create Denial of Service attacks. We conducted a study recently with the CBC. (Our original statistic, that a new computer connected to the Internet would be attacked, trojaned, or captured as a zombie within 7 minutes, came from SANS.ORG.) In the test we ran, it took 1 minute before the computer was attacked and taken over. Technology can be an incredible benefit, but it can be used as a weapon.
It is also a personal goal to help parents understand that their children are very bright and use technology like we used the telephone, record player or tape deck; it was inherent to our being and part of our social growth. Technology has become part of this generation’s techno-DNA. We need to teach rules and boundaries. I witnessed a mother telling everyone within earshot at an airport how proud she was of her twin boys - how technically savvy they were. These boys had very expensive notebooks and it only took me a minute to realize they were hacking into the airport control tower and the airport security office. We estimated they were 11-12 years old. Their mother had no idea what they were doing. All she knew was they were using the computers she bought them. Some of the most damaging attacks we have witnessed on the internet were launched by Script-Kiddies; they pick up the code from a hacker site and launch it without thinking about the ramifications.
As we learn lessons from the things we witness, we believe it is very important to pass this along and make people aware.
Q: Rosaleen, your extensive history has provided many deep insights that we all must carefully consider. Thank you for sharing your substantial wisdom with our audience.
A: Stephen, thank you for the opportunity.