Plan Security at Design stage
Carlos Solari, Vice President, Cyber Technology and Services, CSC, in an exclusive conversation with Rahul Neel Mani, speaks on how organisations should deal with their security framework at the design stage.
A: Out of the many things that are affecting the industry, one that catches the attention instantly is convergence. Everything has gone the IP way, and it is not over yet. For the first time in the US, there are two very important types of commercials which I talk about. One is the TV as a computer, an IP computer. It is important to understand, because if someone is going to sell you a TV that is a computer, the network on that ground should be able to deal with it. The second one is moving to IP-based 100 m/sec capacity for mobility. Mobility without constraints and 4G are making smart devices extremely powerful. The last point is Cloud. In the past we had to depend on physical isolation of the data center. But with the developments of today, the layer which was used to gain access to the network is slowly withering away.
These things are leading to a complete transformation of how IT is deployed and used. But unfortunately, the security considerations have not kept pace with these developments. It still remains an afterthought for a vast majority of organisations. ‘We’ll think about that later’ is still the syndrome. The biggest question that arises here is how we design the security architecture in a corporate. The practitioners have to understand security at the protocol level and then design a security architecture intended for a ‘service’ and not just a ‘box’. From the past, where we had separate infrastructures, to the present, where we have mobility with 4G and the cloud, you’ll see a complete transformation of the infrastructure and of the modalities of how we do information security.
So, the main concerns are whether we have designed the security according to the modalities or we have forced ourselves to design it. At CSC (Computer Sciences Corporation), we talk about security and the role that it plays in the enterprises of today. CSC also works as a managed service provider to many large, prestigious organisations across the world. We’re looking forward to working with good partners and OEMs to make security a key component of the overall IT architecture and also to deploy security in the cloud.
A: If more security managers start testing and validating before they deploy anything, the industry, consisting of the developers and product makers, is going to start paying attention. That is going to do something bigger than other things. So far there has been little or no change in the industry’s behaviour. I strongly believe that changing the industry’s behaviour by being a good gatekeeper will be a great first step.
A: It is a fact that enterprises can’t be the invader because they don’t have enough resources. They can’t afford to operate information security as they don’t have enough people who know about the technology. When I was the CIO at the White House, we actually took the services of Bruce Schneier, who is the most coveted name in the information security industry today and also runs Counterpane Internet Security, which does end-to-end security management for organisations. We actually decided to outsource our security services to a commercial service organisation to look at it on a 24x7 basis. Any incident that took place on our network was reported to us instantaneously. That little model served us well on many occasions. As we look into the future, we can think of many things that can be done by a managed security service provider (MSSP) to integrate all those technologies and deliver a service to help detect the problems. I believe that a lot of things that MSSPs have done traditionally in the past can be utilised to integrate everything together and provide it as a service at different levels like bronze, silver, gold and platinum. For example, if someone asks for platinum level service, that would mean security on a 24x7 basis. I think that’s one of the solutions we at CSC are also going to provide extensively. Going forward, the important thing for us is creating a good mark for ourselves.
A: I think we’ll have to look at converging logical and physical security functions. The days of separate physical and logical security functions are over. I strongly believe that we have to hitch the wagon to that horse, because it is the horse that has to do the running for us. This market has got a lot of potential, but there are a lot of complexities too. It is still evolving.
A: Yes, I did use this term, but at the same time I caution that it can be misunderstood and not correctly used. “Intrinsically Secure” - we try to convey this term as a process where you think about security at the point of design. So, in an enterprise you need to identify your assets and risks and then develop the network architecture accordingly. In the past we have been doing the opposite. For example, in many cases a system administrator has almost the same level of access controls as the end users. So, we would require those who have greater access to be subject to much stricter configuration controls, limitations on what they can do, monitoring of what they can do, etc. That will bring in the right kind of security design and framework. We will have to look at different kinds of things that would go into the intrinsic design of the security so that the firewalls and intrusion detection systems are more effective.
Q: Everyone is aware that cyber attacks seem to be growing faster than the sophistication of cyber security, which is still in a nascent stage. What could possibly be the new forms of cyber attacks? How should we be thinking of safeguarding ourselves?
A: It is a fact that today the attacks and malware are more generalised – like attacks on operating systems, commercial applications, etc. The notion that you can design ‘zero-day’ threats for things that run, we’ll see more of that. It takes a lot of sophistication, so we’ll know that a threshold has been breached. That threshold is a ‘wake-up’ call. And now that it’s proven that it can be done, it should make the countries mindful that it can be done and it will be done. The other one is the core question of ‘privacy with social networking’. What have we given up? It’s an interesting topic, because some argue that we never really had it in the past. In the future it’s all about reputation, which is represented by your job and by the money you have in your account. Figuring out a way to deal with reputation and protecting privacy is going to be a transformation that we have to make happen.
A: I have always emphasized the fact that awareness is a very important tool. But let’s depend less on awareness and more on intelligent systems. So, we need to get better at figuring out how we improve security without thinking about educating our end users. The attackers have to figure out how to trick people, so I would say that our money is better spent on developing smarter systems than on educating people on how to see the attacks.