Former NSA CIO slams Fortune 100 companies' security

Prescott Winter: Enterprises should be identifying what assets most need protection

Prescott Winter, the former CIO and CTO of the US National Security Agency, has said that most big companies, including those in the Fortune 100, have "no idea what they are doing" when it comes to risk management and security.

Winter now works for the security consultancy The Chertoff Group and was speaking at Splunk's annual user conference in Las Vegas this week.

"As we look at the security situation at the moment, we see an awful lot of big companies, Fortune 100 companies, with appallingly weak security. They have no idea what they are doing," said Winter.

"But it is possible to protect your enterprise; it involves a risk management approach, which is then enhanced by big data. I think security can be a business enabler; it can really allow your senior officers to exercise what they want to do with confidence and the assurance that information is well protected."

Identifying critical assets

Winter argues that companies need to develop an approach that looks to protect the most critical business assets, supported by an architecture that collects a wide variety of data and works to identify any suspicious activity.

He said: "Point solutions and single systems are inadequate. You take data from all kinds of things, all kinds of sources, even for things that aren't intended as security sources, and you turn that wonderful rich stew of information into useful answers."

"The real threat is the lack of understanding what is important to the enterprise and the ability to identify the assets that matter and begin to watch those in a structured, architectured way."

Winter says that once companies have identified the assets that matter most to the business, the ones that generate the most revenue, CIOs need to establish how they will use identity and access management, encryption and other security measures to protect them.

"The whole point of architecture is essentially to be able to design an outcome that you want - what are the security objectives that we want to define? That's the architecture layer, you really want to design visibility and agility to be able to see the assets and to know who is in your network and to be able to support the business goals," he said.

"It's about looking at all the types of data you have got, assembling pictures and understanding what is happening and what has to stop."

Using big data to deliver secure assets

According to Winter, companies need to continuously monitor how effectively these critical assets are being protected. That means collecting as much data as possible from the assets and comparing it against the intended controls, so that discrepancies are caught before they turn into vulnerabilities.

"There are ways that big data can substantially enhance this," said Winter.

"If you can get enterprises to think about this risk management approach, then give them the tools to do it right by giving them all the rich data sources. Which business lines are the most important? Identify the assets that support those business lines, put markers on them, tag them, and say wherever that asset is, whether it's a system or a set of data objects, those are the assets that support our most important outcomes and you need to make those category number one for protection."

He added: "You need to start with: what is the consequence if this group of assets is compromised? Then make sure that these taxonomies of assets are used consistently across the entire enterprise, every place you go in your network, every access control, has to reflect the fact that these are your corporate gems."

Firms must also then audit their work, to make sure that people are following the rules, Winter said.

"People make mistakes and things that ought to be done in a particular way often aren't and the result is a set of vulnerabilities that will leave your enterprise open," said Winter.

"Inspect, don't just expect. Gather enough data to begin automating all these processes, don't just do these things on an ad-hoc basis. Actually put processes in place so that you are in effect auditing yourself continuously."
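The tagging and self-audit loop Winter describes above (tag assets by criticality, make every access control reflect the tag, then audit continuously) can be reduced to a small reconciliation job. The following is an added example written for this page, not code from Winter, The Chertoff Group or Splunk. The inventory, the tier policy, the asset names and the "observed" control data are all constructed for illustration; in practice the observed side would be pulled from your IAM, storage and logging systems.

```python
"""
Continuous self-audit of tagged critical assets.

Added example, not from the talk. Everything below (tier policy, asset names,
observed controls) is constructed sample data for illustration.
"""
from dataclasses import dataclass

# Policy: minimum controls per criticality tier. Tier 1 = the "corporate gems".
# Assumed values chosen for the example, not a standard of any kind.
TIER_POLICY = {
    1: {"mfa_required": True,  "encrypted_at_rest": True,  "audit_logging": True,  "max_admins": 3},
    2: {"mfa_required": True,  "encrypted_at_rest": True,  "audit_logging": False, "max_admins": 10},
    3: {"mfa_required": False, "encrypted_at_rest": False, "audit_logging": False, "max_admins": 50},
}


@dataclass
class Asset:
    """One row of the business-owned inventory: the tag is set by the impact review."""
    name: str
    kind: str            # "system" or "dataset"
    business_line: str
    tier: int            # criticality tag, 1 = most critical


@dataclass
class ObservedControls:
    """What the IAM, storage and logging systems actually report for an asset."""
    iam_tier: int        # tier label as recorded on the access-control side
    mfa_required: bool
    encrypted_at_rest: bool
    audit_logging: bool
    admins: list         # principals holding admin rights, as reported by IAM


def audit(assets, observed):
    """Return (asset_name, finding) tuples wherever reality diverges from policy."""
    findings = []
    for a in assets:
        obs = observed.get(a.name)
        if obs is None:
            # A tagged asset that nobody wired into monitoring is itself a finding.
            findings.append((a.name, "no telemetry: asset is tagged but no control data collected"))
            continue
        # The taxonomy must be used consistently: the access-control side must carry the same tag.
        if obs.iam_tier != a.tier:
            findings.append((a.name, f"inventory says tier {a.tier} but IAM is tagged tier {obs.iam_tier}"))
        policy = TIER_POLICY[a.tier]
        for control in ("mfa_required", "encrypted_at_rest", "audit_logging"):
            if policy[control] and not getattr(obs, control):
                findings.append((a.name, f"tier {a.tier} requires {control}"))
        if len(obs.admins) > policy["max_admins"]:
            findings.append((a.name, f"{len(obs.admins)} admins exceeds tier {a.tier} limit of {policy['max_admins']}"))
    return findings


# Constructed sample inventory and observed state.
ASSETS = [
    Asset("payments-db",    "dataset", "card-processing", 1),
    Asset("payments-api",   "system",  "card-processing", 1),
    Asset("hr-wiki",        "system",  "internal",        3),
    Asset("analytics-lake", "dataset", "marketing",       2),
]
OBSERVED = {
    "payments-db":  ObservedControls(1, True,  True,  True,  ["alice", "bob"]),
    "payments-api": ObservedControls(2, False, True,  True,  ["alice", "bob", "carol", "dave"]),
    "hr-wiki":      ObservedControls(3, False, False, False, ["eve"]),
    # "analytics-lake" is deliberately absent: tagged in the inventory, never monitored.
}


def run_audit():
    """Run the reconciliation over the constructed data and return the findings."""
    return audit(ASSETS, OBSERVED)


if __name__ == "__main__":
    for name, msg in run_audit():
        print(f"{name}: {msg}")
```

Run on a schedule, this turns "inspect, don't just expect" into a standing control: the inventory states what should be true of each tagged asset, the observed side says what is true, and each discrepancy is a drift finding with an owner. The example flags four things in the sample data: the payments API is tagged differently in IAM than in the inventory, lacks MFA and has too many admins, and the analytics lake is tagged but produces no control data at all.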

Getting business buy-in

Finally, Winter said that he has worked with companies whose CIOs were given large budgets by the CEO to implement these processes, because the strategy is aligned directly with what the business itself regards as important.

"The lesson that I draw from this is that this is a message that your senior officers understand. We are going to build a set of structures and processes that manage risk to the key assets," he said.

"We can define exactly what those assets are because we have actually aligned them with the business processes that the CEO says matter most. This is a conversation you can have with the CEO and CFO, because they live in the world of risk management."

Stories by Derek du Preez