Information Security Panel at #VenATL14


The official description of this panel from the Venture Atlanta web site is as follows:  This panel brings together world class experts on cyber security from four distinct perspectives: Military, Political, Entrepreneurial, and Investment.  We’ll cover both concerns and opportunities in the security industry that the technology-oriented audience can put to use when considering their product roadmap and business development strategies.”

 

What they should have said was this: “Think anything is secure? You’re wrong, and we’re way behind in securing it, but there’s a ton of opportunity for startups!  Oh, and what scares us most is what we don’t even know is going on!

 

And scare us they did.   The panel consisted of these four gentlemen, who are very much in the know when it comes to cyber-security and everything we don’t know about cyber security:

 

  • General Harry Raduege, senior counselor at The Cohen Group
  • David Aronoff, General Partner at Flybridge Capital Partners
  • Tom Noonan, TechOperators, General Manager, Energy Wise Solutions, Cisco Systems
  • Peter Swire, Huang Professor of Law and Ethics, Scheller College of Business, Georgia Tech

 

I only took 4 pages of notes as these experts spoke, but I managed to summarize all those notes below in bullet points.  The main point that they harped on quite a bit is that mobile + the internet of things (IoT) has made the cyber security infrastructure that companies like Noonan’s ISS obsolete. That is the basis for an entirely new generation of internet security systems like Nexdefense, Ionic, and Bastille Networks.

 

  • The internet of things is going to make the last 10 years’ mobility build out look like a “speck”, as the current universe of internet connected devices goes from about 12 billion to 50 billion by 2025.
  • IoT is a world of vulnerability requiring end-point, cloud, and mobile security.
  • We can no longer just detect and prevent, but we must understand and embrace that systems will be attacked, and that instead of trying just to keep the bad guys out (you can’t), we must build for resiliency and self-healing networks.
  • The current FBI Director’s demand that Apple and Google, et al, build phones & mobile software with a built in security hole for the government is insanity. Why would you purposely build something to be unsecure?!?  You wouldn’t.
  • The network perimeter is gone. Instead, we have cloud-everything, BYOD, a distributed workforce, and software-driven networks.
  • The threat surface of the internet is entire internet network infrastructure.
  • We are about to see and embark on an internet security renaissance.
  • The corporate CIO is the person who is least in control of the corporate network. When asked how many cloud services their companies had subscribed to – meaning “allowed access to their network” – the average response was “six”. The real number is 144. Corporate CIOs were wrong by a factor of 24.
  • Condoleeza Rice famously said, “The bad guys only have to be right once. We have to be right every single time.” The underlying strategy behind building security for this brave new world is that we must build so that the bad guys have to execute perfectly, rather than the other way around.
  • We must learn to use data to determine where the bad guys are.
  • Attacks are becoming more frequent, more targeted, more sophisticated, as evidenced by this year’s hacks on giant retail chains like Home Depot.
  • When asked what scares him most that he can share, General Harry Raduege replied that on 9/11, the attacks, while destroying buildings and killing thousands, also acted as a telecom DoS attack. You could not call in to NYC or DC. Lack of leader communication can cripple any corporation or government very quickly.
  • When asked what scares him most that he can’t share (??), General Harry Raduege responded, “What’s happening to our networks today that we’re not even aware of?”
  • Back in the cold war days, the threat of an EMP (electromagnetic pulse) was a big part of the threat of a nuclear attack because it would destroy electrical grid transformers and transponders and other major components of the power grid.  However, today an EMP would take out all that, and also every IoT connected device within range of the EMP.  In other words, electronic communication would simply go away.
  • A 4-pronged approach to internetwork security opportunities today looks like this:

    • Cloud security
    • IoT security – remember, IoT device proliferation will make mobility look silly.
    • Endpoint security – all browser/app based
    • Encryption of data at rest, in motion, and in process – no one has ever gotten this right.

  • The General’s “Cyber Security Triad” of requirements:

    • Resilience – fail-over & self-healing
    • Recognition – see who is attacking (social media? other data?)
    • Response – respond with like attack or legal/court based response if appropriate

  • If you think Google, Apple, and AWS have an obligation to protect your data, read the EULA. They don’t.
  • We must all assume that our networks will be compromised or already has been compromised, and build your risk management approach upon these assumptions.

What do you think?