Former NSA CIO slams Fortune 100 companies' security

Prescott Winter: Enterprises should be identifying what assets most need protection

Prescott Winter, the former CIO and CTO of the USA's National Security Agency, has said that most big companies, including those in the Fortune 100, have "no idea what they are doing" when it comes to risk management and security.

Winter now works for security consultants The Chertoff Group and was speaking at Splunk's annual user conference in Las Vegas this week.

"As we look at the security situation at the moment, we see an awful lot of big companies, Fortune 100 companies, with appallingly weak security. They have no idea what they are doing," said Winter.

"But it is possible to protect your enterprise; it involves a risk management approach, which is then enhanced by big data. I think security can be a business enabler; it can really allow your senior officers to exercise what they want to do with confidence and the assurance that information is well protected."

Identifying critical assets

Winter argues that companies need to develop an approach that looks to protect the most critical business assets, supported by an architecture that collects a wide variety of data and works to identify any suspicious activity.

He said: "Point solutions and single systems are inadequate. You take data from all kinds of things, all kinds of sources, even for things that aren't intended as security sources, and you turn that wonderful rich stew of information into useful answers."

"The real threat is the lack of understanding what is important to the enterprise and the ability to identify the assets that matter and begin to watch those in a structured, architectured way."

Winter states that once companies have identified the assets that are the most important to the business, the ones that make the most money, CIOs need to establish how they are going to use identity and access management, encryption, and other security measures to protect them.

"The whole point of architecture is essentially to be able to design an outcome that you want - what are the security objectives that we want to define? That's the architecture layer, you really want to design visibility and agility to be able to see the assets and to know who is in your network and to be able to support the business goals," he said.

"It's about looking at all the types of data you have got, assembling pictures and understanding what is happening and what has to stop."

Using big data to deliver secure assets

According to Winter, companies need to continuously monitor how effectively these critical assets are being protected. This is delivered by collecting as much data as possible from the assets and checking for discrepancies, to ensure that no new vulnerabilities are being introduced.

"There are ways that big data can substantially enhance this," said Winter.

"If you can get enterprises to think about this risk management approach, then give them the tools to do it right by giving them all the rich data sources. Which business lines are the most important? Identify the assets that support those business lines, put markers on them, tag them, and say wherever that asset is, whether it's a system or a set of data objects, those are the assets that support our most important outcomes and you need to make those category number one for protection."

He added: "You need to start with: what is the consequence if this group of assets is compromised? Then make sure that these taxonomies of assets are used consistently across the entire enterprise, every place you go in your network, every access control, has to reflect the fact that these are your corporate gems."

Firms must also then audit their work, to make sure that people are following the rules, Winter said.

"People make mistakes and things that ought to be done in a particular way often aren't and the result is a set of vulnerabilities that will leave your enterprise open," said Winter.

"Inspect, don't just expect. Gather enough data to begin automating all these processes; don't just do these things on an ad-hoc basis. Actually put processes in place so that you are in effect auditing yourself continuously."

Getting business buy-in

Finally, Winter revealed that he has worked with companies and CIOs that have been given huge budgets by the CEO to implement these processes, as the strategy is completely aligned with identifying what is important to the business.

"The lesson that I draw from this is that this is a message that your senior officers understand. We are going to build a set of structures and processes that manage risk to the key assets," he said.

"We can define exactly what those assets are because we have actually aligned them with the business processes that the CEO says matter most. This is a conversation you can have with the CEO and CFO, because they live in the world of risk management."

Tags: The Chertoff Group, National Security Agency, security, splunk, CIO

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.