Ira Winkler: The Awareness Crusader

With a resume that includes certifications, several books, and frequent speaking and guest columnist gigs, Ira Winkler is a recognized leader in the security industry today. Currently president of the 10,000-plus member Information Systems Security Association, Winkler is also president of consultancy Secure Mentem. Not bad for a guy who majored in psychology and says he wanted nothing to do with computers in his college days.

How did he get from there to here? "No one else would hire me but the U.S. government," says Winkler jokingly. In truth, he took an aptitude test on a lark while considering career paths senior year and discovered to his surprise he had a flair for the technical.

After gaining the requisite clearance, he took a job as an intelligence analyst with the National Security Agency. Winkler quickly realized that jobs working with computers paid better than those that did not, so he grudgingly took a position as a computer science intern, taking computer classes and having rotating assignments that included programming support for cryptanalysis, system development, and field operations, where he spent three years. His background in intelligence taught him one thing: No one cares how you get the data, it's the data itself that's important.

This lesson served Winkler well in subsequent years, during which he obtained corporate information through unconventional means such as bugging the office of a Fortune 10 CEO who had hired him to do penetration testing. His goal was to get to the heart of the business value of a security breach, which he believes is a far more meaningful description to a business executive than the usual security terminology.

With data gathered through social engineering, computer hacking, and the bugging, Winkler walked into the executive's office and reeled off detailed information about the company's mergers and acquisitions and products under development.

"I said, 'I have here everything you hold valuable to your whole company.' That put a business value on it. He bumped up the security budget by $10 million and hired security officers."

"Executives don't care if you get on their network," Winkler says. They figure other outsiders are probably on there already and it hasn't hurt their business any. What's relevant: the cost to the business, in dollars, of any past or imminent loss due to that security breach. Of course, proving your cost estimate is accurate is easier said than done.

In business, every decision requires a balancing act. In a perfect world, everyone would ensure that their networks were free from intrusions from foreign governments such as China, which is the main offender of late. But of course, that's not always how it works out.

"They want to do business with China, so they're willing to accept that some of their data will be lost in exchange for a larger portion of the Chinese market. It comes down to understanding the business risk: Here's what we are preventing and here's what it's going to cost to prevent," Winkler says.

It is critical, in his view, for security professionals to identify risks to the business and find cost-justified security measures to mitigate those risks. No CEO wants to hear he should spend tens or hundreds of millions of dollars to rebuild his computer network. After all, hackers will come right back the day you turn it on. What security pros must do instead is focus on securing the environment in a way that's aligned with business value.

Equally important is to instill the entire organization with security awareness that goes far beyond simple training and aims to change individuals' behavior. Secure Mentem, Winkler's current company, offers a security awareness methodology that takes culture into account.

"Awareness is a continual process," wrote Winkler in a recent column. "It is not a program to tell people to be afraid to check their email."

"Security is all about the human, from start to finish," he says. "There will always be a malicious entity out there trying to get on your network." But what Winkler calls the "malignant" security issues (employees clicking on unverified attachments, for example, or that old standby, writing passwords on sticky notes) can cause even more damage.

For those issues, there is little to be done but raise awareness. Winkler has made that cause his lifework.


Stories by Lauren Gibbons Paul
