It only took Malcolm Harkins about 20 minutes to realize the investments he had made in Intel Corp.’s IT security strategy were paying off.
About five years ago, the world’s largest chipmaker was trying to conduct an employee survey with a sample size of about five or six per cent of its overall staff. The HR group worked with an outside supplier to issue the Web-based survey to employees through an e-mail. Then all hell broke loose.
“Within minutes of people getting that, we had admin assistants contacting us who said, ‘We think this is a targeted attack, don’t click on the link, delete it,’” said Harkins, who is Intel’s chief information security officer (CISO) and general manager, Enterprise Capabilities. The tech support team was flooded with calls, and Harkins soon received an extremely angry phone call from an HR executive who assured him the survey was legitimate and wondered why the URL was being blocked at the firewall. Harkins and his team soon resolved the situation, but it was a revealing incident.
“I was so elated that for the first time I had statistical proof that the money I had spent on making people aware allowed people to act as a part of our technical perimeter,” he said. “They saw it, and they acted as if it was an antibody. It was a foreign object, and they were going to protect the company.”
Harkins recently spoke to CIO Canada by telephone to discuss Intel’s strategy and emerging IT security trends.
CIO Canada: What’s keeping you up at night?
Malcolm Harkins: The biggest vulnerability we face today and in the future is not the thing that the technical security person would think of, like a botnet or technical flaw, but the misperception of risk. That’s because of a couple of different factors. Some of it is economic, but if you think of the psychological components to it, the greater somebody perceives a benefit from something, the greater their tolerance of risk. With the ease of use of certain things – whether it be an end-user, a consumer, or whatever – they may not fully appreciate what they’re doing. They may share information and post it online because they don’t feel any impact from it or they don’t perceive there are any issues with it. Or they get an e-mail, which they think looks kind of cool, and they click on the link. If you go back even a few years ago, a user would feel the pain of it. Your system would crash, the network might get saturated with it. Today, those threat vectors are so subtle, you don’t know that something’s gotten installed on your computer. Because the incentive for the intruder is to not make you aware of it. Because they don’t feel the pain, they only perceive the benefit.
CIO Canada: How much of it has to do with liability, though? In many cases a security breach won’t lead to dire consequences for the employee but the IT department.
MH: That’s exactly right, which gets to the economic factors. You could say some of it is budget, but it’s also the economic principle of moral hazard, where a third party – and in this case it could be an employee, an outsourced provider, or a number of different people – is not responsible for or does not have to deal with the issue. Even things with malicious code, where somebody’s system is compromised and has attacked somebody else’s: It’s not necessarily stealing from the host, it’s owning the host to go launch an attack on somebody. Well, what incentive do I have to protect somebody else?
CIO Canada: It seems like a lot of users perceive the benefit of security as moot. If you have a keylogger on your system, for example, it doesn’t matter how secure your password is. Or if an unpatched Windows PC can be infected in 12 minutes, what’s the point in even basic desktop security? How do you deal with that?
MH: Those examples I don’t necessarily agree with, but there are cases where you do have to go, “Is the control actually reducing the risk?” And that’s the challenge that I think security teams have to think about as well, thinking more broadly. What is the payback on the control in terms of real risk reduction? Or, which ones are what I would call the marquee controls? Yes, from an industry perspective there are these 15 controls you have to have, but which three will give you the most risk reduction, so that way you can concentrate on making sure it’s deployed. And you can actually continue to operate, and operate effectively. A lot of the time people will put these controls in place, and policies or whatever, and there’s no oversight to make sure the control is operating in the way it’s supposed to.
CIO Canada: So many of the people we surveyed in our annual security research study said they don’t know if they have had a security breach and, if they did, they didn’t know what happened. How can CIOs start turning that around?
MH: Sometimes the CIOs might not know. I think in many cases the security team knows. What I’ve seen in talking to my peers, and even at Intel, if you go back seven years ago, there was knowledge in the security team about things but this over-paranoia. “We can’t say that this happened.” Why? Sometimes it could be perceived that something happened and the security team didn’t protect against it. Other times, it could be PR or legal reasons around what you share and how you share it. In some cases I think it becomes how the security team should share the information, not whether or not they should. They’ve got to get past that communications barrier. And other times, you don’t know what you don’t know. As I said before, with the subtlety of intrusion attacks, it’s hard to be aware of them. And you need good reporting information, where you might have a policy to report when a PC or laptop is lost or stolen. Unless you build in that control, coupled with the point of wanting a new one, you don’t create the forcing function to potentially recognize all the lost devices.
CIO Canada: How do you ensure good security when it’s the employee that is primarily purchasing their basic IT equipment like laptops, smart phones and so on?
MH: I think there are some companies that are very aggressive on it, because they don’t have to buy the system, their employees are happier and so on. I think you’ve got others who honestly have their head in the sand and say, “It’s not going to happen here.” Maybe culturally in that company or organization that will be acceptable for a time, but there are others in the middle of all that who are kidding themselves, who go, “We don’t allow personal devices.” But I would bet you most of their employees have a personal device in their pocket, a smart phone, that may cradle on and off their corporate desktop, and they’re exchanging information that way. They just don’t recognize the fact they’ve already got consumerization occurring. Some block a lot of the external applications. At Intel, we allow for reasonable personal use. Unless it’s something known to be malicious or in the category of porn or something like that, we allow for the freedom to go to the Web sites, download the applications and so on. Does it create some support challenges sometimes if someone downloads an application and it starts creating some idiosyncrasies on the system? Yeah, but we feel we get a lot of broader benefits in innovation and use of systems that benefit the company. Things will probably be polarized for a while, but we will continue to see more consumer devices and consumer applications in the enterprise.
CIO Canada: I’d read somewhere that you’ve done some interesting work on integrating social media into your security strategy. Can you tell us a little more about that?
MH: Yeah, I think a lot of people are afraid of social media. But I have a view that with some things you’ve got to run the risk to shape the risk. And I had a discussion earlier this year with a peer of mine about social media in a setting of about 40 people, and he said, “Our philosophy is, ‘In God we trust, everything else we block.’” Literally their view was, we’ll block this off, and we’ll block it forever. And I was like, you know, you’re being blind to the fact it’s still occurring. It can occur off-network. Maybe your organization has issued handhelds; you might have blocked it on your corporate network, but on those handhelds they can go to Facebook, Twitter, Yammer, you name it. Or, if you block it there, they’ll do it from their home system, and they’ll do it anonymously. It will happen, because it’s just the way in which the world is going. Much like years ago when people were worried about the transition to e-mail from snail mail. Letting a browser on a client and connecting to the Internet – I think at any point of major connectivity and communication means that have evolved, people have been afraid of it. And I think the people who have put their head in the sand to try and stop it have made it a great risk for themselves, because it’s happening in a way they can’t shape it. A lot of these things involve people and behaviours. How do you shape people and behaviours, other than through training and awareness and adoption and learning through the mistakes? You’re better off doing those things in the early stages, rather than keeping your fingers in the dyke as it’s leaking through and having it burst. We focused a lot on training and awareness, and a lot on enabling it internally. By having a social computing platform within the company, I have a lot less risk than someone feeling a need to blast something out to share confidential information or a negative opinion of something on an internal forum.
Because we allow for the reasonable use of that internally, people will sometimes share relatively negative, pointed views on stuff. Better to do that internally, within the family, than outside where it gets picked up by the press and twisted in some forum or creating more negative churn? Internally, we can go, “Maybe that person’s right,” and have a constructive dialogue internally.
CIO Canada: You won an award from RSA for making security a priority internally at Intel. What have you done?
MH: We’ve got kind of a vanity URL internally around security. We started back in 2005, kind of recognizing where things were going to go with computing, and even with social, even though it wasn’t called social computing at that time. We changed our security strategy to be, “people are the new perimeter,” and really focused on the people and behavioural aspects of certain things. So we have that portal which has all the policies and things on it, and we do a lot of end-user awareness and training, which we try to make pertinent. We also have, across the company for probably at least four or five years now, been getting the company to 100 per cent completion of that awareness training. We’ve got a tops-down tone that this is important from our CEO, and we’ve revised the training courses and call out key messages annually. They’re online, they have video, they’re interactive. One covers privacy, one covers security. We do awareness articles on our main company portal. We’ve done stuff on how to protect your children on the Internet. You might wonder why you would want to do that in your corporation, but we want their behaviours to translate into work, travel and home. If they have good practices for protection of information in their home it’s going to translate to work. It also makes it a bit of an employee benefit, because we have a lot of folks with children, and hopefully they’re creating a generation of folks that are more savvy with this stuff.