There are almost no certainties in this brave new world of IT. A year before software-defined networking, it was big data, and the year before big data, it was cloud. Exactly how all of these pieces fit together is very much a work in progress, and as IT professionals, we are at the frontier of this unexplored world.
There is one certainty, however, and that is the need for security. The security paradigm is evolving on an almost daily basis, and for InfoSec professionals, staying one step ahead is a game of cat and mouse.
Quentyn Taylor is director of information security for Canon Europe, Middle East, and Africa. He believes that in order for security pros to get out in front of these evolving threats, they must take a step back and look at the bigger picture.
InformationWeek catches up with Quentyn prior to his keynote at Interop London.
InformationWeek: Quentyn, as director of information security for Canon, what are some of the things that make you different from the average CISO?
Quentyn Taylor: What makes me different from a lot of other CISOs is I also look after a large chunk on the product security side, and I’m very much on the more customer-facing side.
That’s not to say that we are part of a sales team directly, but if a customer has a security request or a security requirement as part of a tender, at some point in time, it will actually end up on our desk. And we will be responding directly to the customer, which means that the internal security team is very externally focused, which is different in most modern security teams.
If someone, for example, has an issue or a problem, we will be their first point of contact, and we will talk to them directly.
[To hear more on this topic, register for your free tickets to Interop London.]
IW: Where do you fit into the InfoSec landscape? When you say Canon, you think “cameras” and “printers,” and you don’t immediately think “security.”
QT: No, and that’s the problem; that is an issue. If you think about what goes through your printer versus what goes through your computer, the most important documents are generally the ones that you tend to print, scan, or fax via your printer. It’s not the junk; it’s normally the most important bits and pieces.
Obviously, all of the printers these days have hard drives in them, and the printer itself is not just a standalone printer. Most large corporates are running a print network, using some kind of print management software in the background that controls and guides the hardware. So, you’ve got all of this data that’s flying around, and a lot of information security people may be unaware of where that data actually resides and how sensitive that data is.
Couple this with the more practical things: Have you ever walked up to a printer and found a big pile of paperwork sitting there with very sensitive documents in it?
Just taking a UK perspective, there have been huge fines of tens, and tens, and tens of thousands of pounds from the ICO [Information Commissioner’s Office] for literally walking up to a printer, picking up what you thought was your print job, sticking it in an envelope and sending it to a customer. That’s enough to get people fired and fined.
There are real-world impacts with respect to print security that need fixing, and there are technological solutions to these problems … When you click “print,” you print to a virtual print server in the cloud. You then walk around to whichever printer in the office that you quite like the look of, you authenticate with your badge to that printer – and suddenly your print job will appear on the screen, and you’re done.
IW: Okay, but in this day and age, when people are dealing with mega threats, cyberterrorism, and state-sponsored espionage, is print security really a big deal?
QT: This is exactly the point. You’ve heard of advanced persistent threats, you’ve heard of cyberespionage and cyberwarfare. For the majority of people these things are interesting, but they’re interesting distractions. A focus on the basics is much, much more relevant and much, much more impactful for those information security teams and IT teams.
IW: Your Interop talk is titled, “Is following the herd a danger or an advantage in the InfoSec world?” Let me pose that question to you.
QT: I’m a biologist at heart. That’s where I come from, rather than from the IT world.
When we look at the information security community, it is easy to see that there are herds. People like to follow, and they follow other people. These conferences are wonderful times where we start seeing this herding behaviour. Someone will stand up on stage, maybe me; I might say something and everyone will go, “Good, good, good idea. We’ll all think about doing that.”
But just as herds can be a big advantage, they can also be a problem; and they’re only a problem if you don’t know if you’re in a herd, and where you are in the herd, and what the herd is doing. It’s about thinking for yourself. It’s about starting to say, “Do I consider this to be relevant? Is this behaviour that we’re all doing here? Is it what I should be thinking about? Is this stuff that’s going to have an impact on my company?”
To give you a classic example, I mentioned before about the whole thing with cyberwarfare, etc. – very interesting to read about, but it is a particular direction that the herd is being pushed in. For the vast majority, cyberwarfare is really a non-issue, and they’re forgetting about the basics. They’re forgetting about the print, they’re forgetting about the antivirus, they’re forgetting about the policies, they’re forgetting about bringing the business along on their security journey.
It’s too easy to get caught up in the risk of the day and kind of forget why you’re there or why you’re being paid to be there, which is actually to help manage the risk in your organisation.
IW: Is there not an element of safety in numbers?
QT: If we’re in a herd, and we’re all using the same controls, and those controls are considered to be best practice, then yes, of course, we gain the whole shoaling benefit of protection – safety in numbers. We’re all doing our patching in the same way, therefore, we should all be safe.
IW: Should be?
QT: Did you ever see that “Blue Planet” on the BBC where the sardines were all herded into one little bait ball? Then suddenly, what happened? That minke whale came straight up from underneath and took the whole bait ball down in one go.
In the InfoSec world you can shoal so tightly together, all doing the same thing, not considering: “Why am I in the middle of this shoal? Why am I actually in an increasingly smaller, and smaller, and smaller bait ball? Am I going to get swallowed up by Heartbleed? Am I going to get swallowed up by the Ghost? Am I going to get swallowed up by one of these big vulnerabilities that might cause me a significant issue?”
IW: I’ve seen other BBC programmes that talk about the positives of the herd. Collective intelligence, for example: If 500 zebras make a break across a river at the same time, more of them will survive than if they were each to make the same journey individually.
QT: I agree with you, the herd can be an incredibly positive thing. But it’s all about starting to ask, “Where are we in this herd and why am I in this herd? Am I okay to be in this herd?” because sometimes it’s perfectly fine to be in that shoal for protection; we all come together. The old joke about “I don’t need to make my house more secure; I just need to make my house more secure than my neighbour’s house” – that analogy applies very well in the InfoSec world.
Challenge commonly held perceptions. Don’t be doing something because everyone else is doing it. There are certain technologies in the InfoSec world where we all do it just because of the fact that it fulfils an easy audit question: “Do you have X?” “Yes, I have X.”
That’s perfectly acceptable, but it’s only acceptable if you know why you’ve done it – and that you have done it.
IW: So you’re asking InfoSec professionals to stop looking at the trends and to take a more introspective look at the realities of day-to-day. Is that right?
QT: Yes and no. I’m asking them to, at the very least, question, “What is it that I can really do to generate value for the company that pays me?”
Watching all of the dancers, it’s very easy to get lost in the ballet and to not step onto that balcony. Step back, take a deep breath, look down, and ask, “Actually, why are we down there?”
You might turn around and say, “No, we need to be down there; that’s good,” but you might also turn around and say, “Actually, I need to be doing something totally different here.” It’s all about understanding your position in the herd.
Interop, the flagship event of London Technology Week, takes place at ExCeL London June 16 to 18, 2015. Find out more here.