Wednesday, March 4, 2015

The Future of Security, (Or Why I Joined Unisys)


I’ve spent more time than most in board rooms and c-suites talking about risk, trust, and security. Until recently I’ve been focused on how to deliver great security, but increasingly have been constrained by the security products themselves. So I’ve made a career move to focus full time on bringing a suite of new and advanced security products to market, and deliver them in the most trusted and efficient way. I’m thrilled to announce that I have been appointed the new vice president of Unisys’s Global Security Solutions group.

This shortfall of newer and more advanced security products has grown more pronounced as our adversaries around the world leverage more money, more organization, more expertise, and more determination than even in recent past. What’s happening is that good companies, with good CISOs, buying current best of breed products, are still getting exploited with increasing frequency and consequence. This isn’t the fault of the companies or their CISOs, or even the managed security providers that service them, but rather a noticeable and pronounced shortcoming of the current suite of products.

There are good point solutions masquerading as silver bullets, and there are very strong systems that are too complex to either install or manage properly—both giving off a dangerous false sense of security. There is also a spate of brand new emerging products that are highly innovative and aimed at solving some of the great problems we face, but these often come from brand new, very small, and untested companies to which large enterprises find it difficult to hand over their trust. I believe that the answer must lie in leveraging the best of both camps. We’ll focus on using everything we’ve got to solve some of the biggest and baddest problems we all face, in a way that produces agile and innovative new products that have the support, scale, and mission critical staying power to actually make a difference. So I have come to Unisys to pull together and head Global Security Solutions, with the goal to make that difference in the world.

Unisys has all the tools needed to make this difference, with a long history of providing mission-critical technology and services to both commercial and government customers around the world. They have an impressive intellectual property portfolio in the security space, and formidable teams of security practitioners who can both engineer solutions and deliver them in a trusted and efficient fashion. And they’ve been doing it quietly for years.

The world does not need more firewalls and anti-virus programs, as valuable as they were in their time. With the rapid emergence of data science, it does not need more security information and event management (SIEM) software. But it does need systems that can react to real time attacks in real time with software defined networking (SDN). It does need the ability to protect the most valuable of assets even after a breach, with micro segmentation (uSegmentation). It does need a way to hide enterprise endpoints and servers from malware (Stealth). It does need better ways than passwords to identify legitimate users, and it does need to work easily across all our devices and clouds to enable efficiencies and trusted user experiences.

Honestly, living here in Silicon Valley, I expected to join a Silicon Valley product company, and talked to quite a few before choosing Unisys. There are some great products and companies brewing out here, with some truly innovative ways to solve real problems. But as I talked with them, the conversation quickly focused on just one of the above areas, and I felt a pull to work on bringing a more complete security eco-system to the enterprises that need it.

I was exposed to the Unisys Stealth system five years ago, when it was in use at a government agency I’ve been known to frequent. I’ve always been a fan of the unique way that the Stealth product approached protection, by cryptographically hiding key assets from advanced malware, instead of trying to play whack-a-mole with every new variant that pops up. In talking with some of the Unisys security brain-trust, I learned that the company has a treasure trove of other security solutions in development that bring that same great combination of innovation and trust. In my new role at Unisys, I plan to take the best of Silicon Valley’s innovative style, combined with the Unisys global core of great people, products, and delivery, and focus on bringing a new suite of security solutions to a market that is in desperate need of advanced, holistic security solutions.

While Unisys doesn’t have a big ‘name’ in the security business, I think you’ll see that changing starting now. In the meantime, I’m betting that boards, CEOs, and CISOs are more focused on finding solutions that completely meet their needs than on airport billboards and pre-IPO valuations.

Please join me in the Unisys Global Security Solutions journey, whether as an active participant or an industry observer. We’re going to work hard, leverage a lot of great talent and technology, listen to our customers and partners, work collaboratively with everyone, and have some fun along the way. You can follow along at www.Unisys.com/security or www.twitter.com/TomTalks

Thursday, August 28, 2014

Wednesday, August 13, 2014

Buckle Up! The Threats to our Newest Connected Cars.


Please take a look at my latest article in CSO Magazine that details the different risks to the newest cars.

Thursday, July 17, 2014


Security has become a front burner topic for the boards and executives that I spend my days conferring with, and that can only help in the defense of their companies and the world's critical infrastructure. As part of my commitment to educate and empower (and occasionally entertain) the world's most critical companies, I'm pleased to let you know that these blogs have now been picked up as regular articles in CSO Magazine (an IDG Publication), plus a regular 15 minute interview each week on CBS radio (Wednesdays at 11:45am US Pacific Time) to focus on the current topic. Please read my first two articles here:

Competing on Trust

Leading Life Sciences Security

I look forward to continuing to engage with you here, on the new CSO Magazine site, via Twitter, in one of my keynote speaking events, and of course by old fashioned voice and email. Stay safe my friends.

Thursday, March 27, 2014

Trust but…

Is the Chief Trust Officer becoming the key hire in today’s best companies?



The acquisition of social media scoring company Klout by social media enterprise company Lithium for $200 million today (3/27/2014) raises a security question in my mind that has implications much broader than how this particular deal turns out.

I’ve been invited to join Klout over the past couple of years, first by my friends (who didn’t realize they were inviting me), and later directly by Klout with come-ons like “Your Klout Score has Risen.” I’ve never clicked on them, or joined the Klout community, as I didn’t have a good appreciation of their security or privacy direction and commitment. That’s not to say it’s either good or bad, but just that it wasn’t conveyed as good, and the absence of good is bad. So when I saw the acquisition announcement this morning, I flipped over to the Lithium page, and checked out their corporate officers. They’ve got Chief Executive, Operations, Community, Customer, Scientist, & Product officers, but no Chief Trust Officer.

Looking further on their site, they list a solid group of security measures they take, which is admirable. But as I’ve experienced throughout my career, the bad guys will find six ways from Sunday to drive in between pockets of good countermeasures and rob you blind. Having a corporate officer that is committed to the security and privacy of clients is fast becoming a key differentiator in consumer-centric companies.

Cloud company CipherCloud recently named Bob West as their Chief Trust Officer. This is a great move both for CipherCloud as a company, but more importantly for their current and future customers. Customers want to be assured that someone they trust is looking out for them. Customers don’t want to read your privacy policies, or evaluate if your application security controls are sufficient to meet your threats, or decide if the ever popular 256 bit encryption is the best choice (or even meaningful). They want to trust a person. And a Chief Trust Officer is that person.

Chief Trust Officers have unimpeachable security credentials, are well versed and current on the who/what/why/how of threats, have strong ties to law enforcement for event mitigation, understand the balance between protection and recovery and the difference between compliance and security, are well versed on the emerging security technologies now available to solve previously difficult issues, and do their best work directly with customers under the bright lights of public scrutiny, not in the shadows of security. Your Chief Trust Officer should speak 'customer' as well as they do security, privacy, technology, and compliance.

In my book Mapping Security, I wrote a few years ago about the evolution from Chief Security Officer to Chief Risk Officer, and how industries like Energy and countries like Israel were early adopters. But ‘Risk’ still focuses on the negative aspects of security, whereas ‘Trust’ embodies what good security has become today. Security is an enabler for business, and Trust is its engine. When consumers read about governments, criminals, hackers, advertisers, and hacktivists trying to invade their privacy, and big name brands like Target and Neiman’s and Google not able to protect them, having a tangible trust link will make the business difference between success and failure.

As companies evolve and are looking to maximize every nuance of their social media, viral marketing, advanced advertising, and positive branding for their growth, they would be well advised to broaden their boardroom to include a Chief Trust Officer. Compliance and security are no longer enough to attract today’s consumer—they need to trust you.

Sunday, March 23, 2014

Making 'Least Privilege' Cool




Somehow, as executives got promoted, CEOs got hired, and board members got selected, they all got confused. So confused that their security world is turned upside down, and it's their fault. And it's not just corporate executives confused about the security of their enterprise, it's everyone that owns a computer or smartphone that is confused about the security of their own personal enterprise. They somehow got the impression that the higher you are in your enterprise, the MORE computer and network access you should have. In fact, the polar opposite is true. Everyone has forgotten the tried and true security tenet of 'least privilege.'

Least Privilege is a fundamental security concept (who remembers the 'Rainbow Series?'), whereby you only grant the user (human or program) just enough access to perform their tasks. This used to be done all the time in programming, and is often done at the rank and file levels of enterprises today. For instance, the guy in the cube next to you can't access the HR system and look up your salary, because he doesn't have the need for that access. While the HR exec can see your salary, they usually cannot read sensitive company financials. But the CEO can see it all.

In a work setting, it's unfortunately common for senior executives (and therefore their assistants) to be given total access to their digital enterprise, like a master key for every computer, network, and file in their domain. That makes for a juicy target if you're a thief, and the thieves know it and are thriving on this simple lapse of good corporate governance. And that target becomes even juicier when said executives insist on taking their laptops and smartphones with them when they travel abroad (where governments have been known to snoop and share with state owned competitors), insist on downloading the latest privilege-grabbing apps, and insist on blithely connecting from any coffeehouse or other free wifi they happen upon.



The key to fixing this rampant problem costs nothing but a little bruise to the ego. Executives should NOT be given keys to their kingdoms. Instead, they should be given just enough privilege to do the routine aspects of their job. While not the complete solution, this simple step will stop the vast number of adversaries that are looking for keys to subvert companies.

Before you condemn your company's execs, think about you and your own computers, tablets, smartphones, and home networks. Almost everyone gives themselves 'root' or 'Admin' access to their devices. When installing new programs, this high level of access is usually required, so that's what you take. This is exactly what today's thieves are counting on. At some point, they are going to trick you into clicking on a link that will take over your account. If your account has Admin privileges, then they have successfully taken over your enterprise. But what if your account only had just enough rights to run your apps, but not enough to make any substantive changes to your device? Then you will still have had your account compromised, but your systems will remain secure. If you don't have Admin rights to begin with, then you can't be the cause of them getting stolen.

What's the cost of implementing least privilege in your home and office? Zero dollars. A few more clicks for the few times you actually do need to load new software. And a hit to your ego because you're not given all the keys. So help me make 'least privilege' cool. Brag about how little access your company gives you. Get excited when the malware you stumbled upon fails to execute and gives you an error message instead. Tell your friends and co-workers: It's cool not to have the keys!
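The two arguments above (grant each role only what its routine work needs, and a hijacked account can only do what the account itself could do) can be shown in a small deny-by-default permission model. This is an added illustration, not code from the original post; the role names, permission names and the "phishing click" scenario are constructed for the example.

```python
from dataclasses import dataclass

# Constructed example: deny-by-default role permissions.
# An action is allowed only if it is listed for the role; anything unlisted is refused.
ROLE_PERMISSIONS = {
    "staff":   {"read_own_payslip", "run_approved_apps"},
    "hr_exec": {"read_own_payslip", "run_approved_apps", "read_salaries"},
    "cfo":     {"read_own_payslip", "run_approved_apps", "read_financials"},
    # The CEO gets the routine rights of the job, not a master key to everything.
    "ceo":     {"read_own_payslip", "run_approved_apps", "read_board_reports"},
    # Separate account used only for the few times software must be installed.
    "local_admin": {"install_software", "change_system_settings"},
}

# What a thief typically wants once an account has been hijacked (constructed list).
ATTACKER_GOALS = ("install_software", "change_system_settings",
                  "read_salaries", "read_financials")


@dataclass(frozen=True)
class Account:
    name: str
    role: str


def is_allowed(account: Account, action: str) -> bool:
    """Deny by default: unknown roles and unlisted actions are both refused."""
    return action in ROLE_PERMISSIONS.get(account.role, set())


def simulate_phishing_click(account: Account) -> list:
    """Model the post's scenario: the attacker inherits exactly the account's
    rights, so the damage is bounded by what the account could already do.
    Returns the attacker goals that would succeed."""
    return [goal for goal in ATTACKER_GOALS if is_allowed(account, goal)]


def audit_over_privilege(account: Account, actions_needed: list) -> list:
    """Least-privilege review: rights granted to the role that the job never uses.
    Anything returned here is a candidate for removal."""
    granted = ROLE_PERMISSIONS.get(account.role, set())
    return sorted(granted - set(actions_needed))


if __name__ == "__main__":
    ceo = Account("Pat", "ceo")
    home_admin = Account("Pat-at-home", "local_admin")
    print("Hijacked CEO account can:", simulate_phishing_click(ceo))          # []
    print("Hijacked admin account can:", simulate_phishing_click(home_admin))
    print("CEO rights never used:",
          audit_over_privilege(ceo, ["read_board_reports", "run_approved_apps"]))
```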


It’s not just retailers -- Feds warn another whole sector of cyber attacks

Following on the heels of both the Secret Service and the FBI sending out warning advisories to retailers about the ongoing cyber attacks, now the Securities and Exchange Commission (SEC) has publicly stated that it will be looking at what "policies are in place to prevent, detect, and respond to cyber attacks"[1] at the nation's financial asset management companies.



Having just this month (3/14) briefed hundreds of financial executives through their SIFMA annual education program at Wharton, and hundreds more financial fraud investigators through their Association of Certified Financial Crime Specialists (ACFCS), I can say with certainty that these are all the right questions to be asking asset managers, who not only manage huge multibillion-dollar portfolios, but also access and store extensive personally identifiable information (PII), which in itself is valuable to thieves today. Until recently, asset manager companies felt secure by their very obscurity, since they do not typically project a large profile to the media or population at large. But assuming the thieves won’t find you won’t work as a defense any longer, as our Global Threat Intelligence teams regularly track highly advanced and organized thieves that focus only on two things -- finding things of value, and determining how hard they will be to steal. So if you’re in business today and have anything of value (in the case of asset managers, both money and PII), the only variable you can control is how hard you make it to steal. "The security paradigm has to shift towards an inward focus. Securing the virtual supply chain is paramount when attempting to manage modern-day operational and reputational risk," reminds Tom Kellermann, managing director for cyber protection at Alvarez & Marsal.

Unlike the retail sector, which got some forewarning but some bad advice and no threat of regulation to improve, the financial asset management companies are getting forewarning and better advice, but also a hammer of SEC investigations to ensure compliance.

The SEC is right to focus companies on their ability to “prevent, detect, and respond to cyber attacks,” rather than attempt to tell each of them specifically which malware signatures to look for (these new ones change or "morph" constantly, so signature-based defenses won't find them).

--Prevention takes on a number of layers, including security education, roadmaps, architecture, monitoring, and management.
--Detection requires highly advanced and current techniques, technology, and talent, and trying it yourself or with standard commercial tools will generally lead to a false sense of security.
--Response has two critical success factors -- advance expert planning and access to the right team of integrated experts when and where you need them.


One of the key lessons that the asset managers can learn from the ongoing retail attacks is that they need to address the security not only of their enterprise, but also all of their supply chain partners that have access to their networks. In the case of Target, entry was gained by first breaking into a trusted supplier, and then using their access to get into Target's systems. At the end of the day, it's still Target that takes the hit. By flowing top-level security policies down to vendors and partners, you greatly reduce the chance that you’ll be successfully attacked from the bottom up. This can be done through a combination of security policy changes, purchasing contract changes, and more rigorous testing of your third parties. While these changes may cause some short-term consternation with your supply chain folks, the small efforts here could be the difference between continued operations and a total loss of trust to your client base.

While it may seem like the cyber sky is falling with the weekly headlines of new breaches, in reality the story for asset management companies is very bright. While these threats are real, and most certainly now active in asset management environments, security firms that have years of hands-on experience with these specific advanced threats (in defending Government and Defense clients) on top of decades of overall experience in the cyber defense business, not only have the tools to quickly detect what malware is inside your networks today, but also partner with you to protect and respond.

[1] Jane Jarcho, national associate director for the Securities and Exchange Commission's investment adviser exam program, to Reuters, 27 January 2014