Ira Winkler on ISSA's FutureAssociation's New President Discusses Awareness, Healthcare Initiatives
Cybersecurity thought-leader Ira Winkler has just been named ISSA's new international president. One of his first tasks is overseeing the start of two new special interest groups, with the hopes of more to come.
As the security profession continues to evolve, Winkler sees ISSA stepping up to develop special initiatives to provide continuing education for its members. So far, two special interest groups have been formed to meet that education demand: one dedicated to security awareness, the other to healthcare security.
"The mission is for like-minded professionals to get together and learn from each other," Winkler says in an interview with Information Security Media Group's Tom Field [transcript below].
The security awareness group, which is growing out of ISSA's Minnesota chapter, is fostering a community where members can get together, share their experiences and offer insight. "That's a great basis for moving the special interest group internationally, so that we can expand that out [to] encourage more people to share information and get together on security awareness," Winkler says.
The healthcare security group was created with the objective of addressing all the different user populations, from large organizations to small practices, as well as the strict regulations on the industry, including HIPAA.
As the special interest groups develop, training materials will be made available, Winkler says. "There will be sample plans, policies and documents that people can share among each other," he says.
In an interview about ISSA and its 2013-2014 mission, Winkler discusses:
- Today's top information security threats;
- Details of ISSA's new awareness and healthcare security special interest groups;
- How to cultivate the next generation of information security pros.
Winkler, CISSP, is author of four books, including the recently published "Spies Among Us." He is also frequently featured in major national business publications and on TV as an expert source; is a presenter at conferences including RSA, Black Hat and CSO Perspectives as well as various technical user groups and academic programs; and is the recipient of numerous industry awards. He began his career at the National Security Agency, where he served as an intelligence and computer systems analyst and moved on to support other U.S. and overseas government military and intelligence agencies. After leaving government service, he served as president of the Internet Security Advisors Group, chief security strategist for Codenomicon, chief security strategist at HP Consulting and global security strategist for CSC Consulting.
New ISSA President
TOM FIELD: You've been elected the ISSA's international president for 2012-2014. How do you see this role?
IRA WINKLER: As far as how I see the role, primarily what I'm trying to do now is reinvigorate ISSA. ISSA has pretty much had stagnant growth over countless years now, and that's not a bad thing because we do have about 10,000 members, so that's a substantial part of the population. But again, given the growth of the profession, we really should have more people, attracting younger people and attracting a wider variety of professionals. That's going to be my primary goal moving forward.
FIELD: You say the profession is evolving. What do you see as the role of ISSA as the profession grows and evolves?
WINKLER: I look at ISSA, and frankly I don't want it to be anything special compared to the other professional associations that are out there. For example, the ACM and the IEEE are all great organizations and what they do is promote fellowship among the professionals. It promotes continuing education. It promotes networking opportunities. It promotes professional growth. Likewise, ISSA should be doing similar types of things. That's kind of how I look at it.
With ACM and IEEE, clearly they attract people when they're in the college level, and that's one of their primary methods for growth, keeping a fresh supply of people coming in, and they also tend to have special interest groups. Because while getting together locally is nice, in the current environment with the Internet and everything else, I've stayed closer with people 10,000 miles away because we have common professional interests, not necessarily because I'm physically located within 30 miles of them, for example. That's kind of what I see the ISSA's role doing, not just promoting and networking locally, but also promoting and networking internationally as well.
Top Security Threats
FIELD: Let's take a step back and talk about the security landscape. We're talking now at a time when U.S. banking institutions are besieged by distributed denial-of-service attacks. What do you see as the top security threats to organizations today?
WINKLER: Frankly, I think the top security threat is what I would call naivety. I think that a lot of people really don't have an understanding of it. Yes, we're hearing about denial-of-service attacks that most people are saying are coming from Iran, for example, in retaliation for a variety of different perceived wrongs. That's one issue.
But the reality is, when we look at losses on a day-to-day basis, these losses on a day-to-day basis aren't from nation states. Frankly, to a certain extent, they're from organized cyber gangs. The way these people tend to be successful is because they take advantage of fundamental vulnerabilities that should be easily prevented, or easily preventable, like updating the operating systems, not allowing services on the computer that are unnecessary, running proper anti-virus software, better user awareness and a variety of other things.
Yes, there are some advanced attacks out there, but frankly those attacks are very few and far between. We really need to get the general population, not just the security professional, but computer professionals as a whole, more attuned to what I would call information and computer security basics, very fundamental things because with most attacks you don't need to be a nation state when somebody doesn't have a password on their account, as an example.
Challenges for Security Professionals
FIELD: We talked about basic protections and basic fundamentals of security, and you talked the naÃ¯vetÃ©. What do you find to be the top challenges for security professionals attempting to step up into these roles and improve the situation we discussed?
WINKLER: I'm not trying to be hyper-critical about professionals, but there's no necessarily proper career path for a security professional per se. A lot of people are just put into the security role without proper training, without proper guidance and things like that. For example, if you're a normal computer professional out of college, you get hired to be a database administrator or something like that in a large organization, and you have somebody sitting next to you. That person has been administering a database for an unknown period of time. They have a lot of maturity. They have a lot of experience, so they work with you because your college degree really doesn't prove anything significant, except for the fact that you have gone through a fundamental level of training, and that's important, but that's what it is, a fundamental level of training.
Beyond that, administrating a database that's fairly large and complicated takes mentoring skill, and that's not the type of thing you get in the classroom. That's the type of thing you get from experience and on-the-job training. Unfortunately, when people enter the security profession, very rarely do they get guided, on-the-job training. It's primarily trial by fire. That's the type of problem that we have because most people are learning from other people or have to learn from themselves, and the other people that they're trying to learn from really have the experience needed to mentor somebody properly.
FIELD: Is this the opportunity then of the ISSA to help provide that mentoring example for people entering the profession?
WINKLER: I would say yes and no, because frankly the ISSA, much like the ACM and IEEE, cannot reach into organizations. It's not the place of the ISSA to necessarily reach inside commercial or government organizations, although we would like to help develop standards and highlight training and certifications. The job of the ISSA at this point is to allow people who are interested in learning more by providing them the opportunity to find us.
For example, I can find a mentor out there for anyone who wants to be in the security profession. However, that mentor is not going to be sitting with them holding their hand to teach them how to administer that firewall. That mentor will not be there to help them write step-by-step a security awareness plan, for example. That's the job of the organization and frankly the ISSA should help people find mentors who can help people find better support, and also to try to help industry as a whole promote better on-the-job training and better guidance to promote the people being sent to proper security-focused training.
Awareness Special Interest Group
FIELD: A few moments ago you mentioned special interest groups, and I know you have a couple of them in the works with the ISSA. Tell me a little bit more about your awareness special interest group?
WINKLER: The security awareness special interest group is growing out of the Minnesota chapter formally. The Minnesota ISSA chapter a while ago decided that there's a group of people who are interested in a variety of subtopics within the security profession. It's just like if you're in the computer profession to say you're a computer professional. There's a difference between database administrators. There's a difference between programmers. And there's a difference between an auditor and a whole bunch of other things. The Minnesota chapter said, "We recognize that there are independent sub-cultures within the security community," and one of them was the security awareness group. One of their members started the security awareness special interest group for them and they got together the people from the Twin Cities region to help foster a community where they can get together, share their experiences, help each other and provide support for each other. That's a great basis for moving the special interest group internationally so that we can expand that out so that we can encourage more people to share information and get together on security awareness, both at the upcoming international conference as well as via a variety of different web-based tools.
FIELD: Awareness is becoming much like the weather. It's something that many people talk about but few actually do something about it. What would you say the objectives of this group are when it comes to raising awareness and creating standards for awareness? What's the mission?
WINKLER: Right now, the mission is for like-minded professionals to get together and learn from each other. That's the purpose of a special interest group out there. In the longer term, hopefully there will be training materials made available. There will be sample security-awareness plans and policies and sample documents that people can share among each other. Frankly, if you're a member of the special interest group, you can go ahead and put out a message and say, "Does anybody have an example policy that I can make a copy of, like an example mobile device security policy? I might need to get a hold of it." That's something that they could do now once they're a member of this group, as an example.
FIELD: The other special interest group you have in the works is healthcare security. What can you tell me about that?
WINKLER: The healthcare security group is an outgrowth of something that came out of the Minnesota chapter and that's solely for healthcare security practitioners and they do have people from outside the Minneapolis area or the Twin City region, and they have had a variety of call-in tools and things like that, so currently I'm working with them to determine their motivation for growth and then at the same time try to work out the appropriate policies and plans, because one thing about healthcare security professionals is that they like to get together in an environment that could be considered non-attributional and in a non-vendor environment. They primarily want to keep it to actual practitioners, not people who are just interested in selling to the practitioners, but there's a fine line because the ISSA as a community wants to serve both. We're determining the appropriate rules of engagement and then allowing and providing them more resources to grow within the United States and internationally.
FIELD: What do you see as unique concerns within healthcare as compared to other industry verticals?
WINKLER: Healthcare has a lot of concerns especially regarding the user populations. Healthcare has everything from very advanced organizations, for example, like insurance companies that have very stringent policies, procedures and everything like that. Then you're talking about some of the larger healthcare institutions like hospital systems and they have to deal with, for lack of a better term, a hierarchy of egos in many cases where you have doctors, for example, who don't like to be told that they have to log on to a computer system, and every time they walk away from it, it will be automatically logged out. They have to deal with people who are dealing with a variety of things, both an office environment likewise into trauma situations where you might have blood splattering on the computer systems, emergency scenarios where access to information is critical.
It's also a heavily regulated industry now, especially with HIPAA security regulations, and then you also have it down to medical offices, where you might have a single doctor and a team of two nurses and then three office workers, and those people have to figure out a way to interact with each other and everything else. The healthcare security profession has to address all those different user categories, which is highly unique.
Cultivating Next-Gen Security Pros
FIELD: We find ourselves internationally at a time when there are far more information security positions than there are professionals. What do you see that needs to be done to cultivate this next generation of security professionals to fill these positions and others that we're going to develop?
WINKLER: I don't necessarily think that's true, that there are more openings than there are jobs, because I know a lot of incredible security professionals who are frankly out of work at the moment. That's something where ISSA has helped security professionals get together and share information. That's a good thing. For example, sharing job openings and things to that effect; however, in the general population there are still a significant number of information security practitioners who are out of work and that has to be addressed. That's issue number one.
Issue number two is just because a job involves security, just the person filling that role doesn't necessarily mean that person is qualified, and that person should be qualified. Because it's not necessarily that they have a proper educational background, but because that person should have received on-the-job training from other related positions. One of the fallacies is that it's the job of the security professional to handle security. I like automobile analogies. It would be like, for example, saying, whenever somebody drives a car they need a driving safety specialist to ride in the car with them. Every driver is responsible for the safe operation of their vehicle. Every driver is responsible, and I know this sounds stupid, for remembering to close their door before they start driving. They're responsible for putting their seatbelts on. They're responsible before they pull out of a parking space to look around. They're responsible for driving safely as they drive themselves.
The problem is security should be the same way. When software developers write code, they should know how to write the codes securely. When administrators add users to a network, they should know how to add the user securely. When people administer a database, they should know how to protect the data as part of their database administration. That's embedding a security culture into the job of everyone, which is really what it should be. We shouldn't have to have somebody sitting next to us telling us how to drive safely. Likewise, the computer profession shouldn't have a safety professional sitting next to everyone. It should be the job of everyone in the computer profession to know how to incorporate security into their day-to-day activities.
That doesn't mean that there's not a place for people who are doing special security-specific jobs, and that's a critical factor that should be addressed as well. I think that's one of the fallacies. Too many people think we need a security position instead of looking to expand the roles of other practitioners who should be learning about security as part of their job. Those people are also potential ISSA members as well.
FIELD: If we talk a year from now, what do you hope to have accomplished by that time?
WINKLER: Frankly, I would like to see the security awareness and healthcare SIGs be fruitful and multiply, for lack of a better term. I would also like to see at least three other SIGs, five total, be up and running and substantially going by that point in time. I would like to see some invigoration of where we're reaching out to other, I'm not going to say professional societies, but certification organizations like EC Council, like CompTIA, who have professional certifications in the security space, and seeing what we could do to attract many of their members to become ISSA members, so that we promote more diversity into ISSA. Frankly, if I could accomplish those two goals in a year, that would be an awesome accomplishment.