[ISN] Q&A: ChoicePoint CISO on data breach

Mon Jun 27 05:24:55 EDT 2005

http://www.networkworld.com/news/2005/062405-choicepoint-qa.html

By Jaikumar Vijayan
Computerworld
06/24/05

The massive data compromise at ChoicePoint earlier this year has made
the Alpharetta, Ga.-based data aggregator something of a target for
those calling for tougher data protection laws. In an interview with
Computerworld, Rich Baich, ChoicePoint's chief information security
officer, talked about the breach, the measures that have been put in
place since then and the lessons inherent for other CISOs.

You have in the past said that what happened at ChoicePoint was not
really a security breach. Then what was it?

It all comes down to how you define a breach and how you define an
incident. This was fraud. Someone fraudulently provided authentication
to the system. It's no different than credit card theft and credit
card fraud. Those are never referenced as IT-related issues though
they happen millions of times every year. In fraud terms, it's called
an account takeover. And that's what occurred. All I was trying to do
was educate the press more than anything else that this was not what
everyone would call a traditional hack.

So has the press got it now?

I see it's much better now because we're at 65-plus incidents
(reported) so far this year, I believe. There are a couple that are
being referenced as hacks that are truly hacks and the rest are fraud
or lost tapes. There was one time people were screaming, "Rich, you're
a victim of social engineering" and that "you're in charge of all the
information because you're the information security officer." Well, am
I in charge of the mailroom when someone loses mail? Because that's
information as well. And that's all I am trying to say. People are
trying to point to a person when we really need to be looking at
things as an industry.

But wouldn't better IT controls have helped?

Sure. As an industry I think we have gotten better with our fraud
analytics tools. There's technology that can do geographic IP
locations. (Such tools) can help mitigate the risk. Then again, a very
intelligent adversary can figure out a way around that by bouncing off
proxy servers and different things. But there is some technology that
can help mitigate the risk -- not stop it.

So are you doing anything differently now?

Yes, we absolutely are. We are looking at our entire credentialing
process, the entire business process and how it's being done. We are
looking at putting additional technologies in place and the way we do
business with others. We actually went down to an even better level by
looking at the type of data they need. Do they need stuff that relates
to PII (personally identifiable information), or do they not? If your
job function doesn't require that, then you don't get it.

What's the take-away from that whole incident? What's your advice for
CISOs?

If you are going to have this role at a time when there is really no
firm guidance, make sure you have selected a model to implement. ... I
think today when people ask, "Are you providing adequate security?"  
that is such a big, open question and it may be interpreted by so many
different people in so many different ways. I think if you have
selected a model and you are implementing a program around that model
I think you can be successful, regardless of what happens.

Why are we hearing about so many major data compromises these days?  
What's happening?

I think in general more organizations are reporting it. But I also
think the processes and the technologies have matured so that they are
now realizing it. You have to remember an incident is an incident only
if it's reported. So, as frightening as it is, there is also a
positive end to it because at least the people are catching it.

Will the concern generated by the recent spate of data compromises
inevitably result in more mandated controls?

When people say they want to put controls in place, it may be
difficult because what controls do you put for what kind information?  
Every good security practitioner knows you have to understand the
assets and then you build protection profiles around it. So this
particular asset may be a Type 1, and its protection profile may have
five components to it. Type 2 may have 15 components and a Type 3 may
have 26. The government may have a tough time labeling that. But I
think something has to be done. Intervention is good. Education is
better, and technology and processes make it more so. I think the
incidents have caused a new focus within many organizations, and I
think in the long run that itself will also help mitigate future risk.

Are companies looking at compliance requirements more as a baseline
set of controls they have to meet from a security standpoint, or as
the ceiling?

I think every company is always evolving to be stronger in their own
maturity model when it comes to security. Our own focus more and more
has been on data protection. We had a data destruction policy before
this recent (Fair Credit Reporting Act) came along. We already had a
destruction policy in place and software in place to erase hard drives
and to make sure media could not be accessed when destroyed or sold.  
We have tried to stay ahead of the curve. But the toughest part about
legislation right now is you don't know where it's coming from and you
don't know to what to expect.

There's a lot of legislation being done at the state level right now
based on when you have to respond to customers. It can be difficult if
there are 50 different requirements. So, hopefully we'll see some sort
of federal guidance around that.

You just released a book on what it takes to win as a CISO. So what
does it take to win?

Winning as a CISO is really about getting a seat at the boardroom
table and becoming a true member of the senior executive team. It's
when you are able to intertwine security into every business aspect.  
It's about leaning more toward risk rather than talking about
security. If you ask every CISO what they do and what they are
responsible for, I think you'll get a scattergram of responses. How
can you win if you haven't decided what your responsibilities are?

Salespeople know when they win because they bust out their quota. CEOs
know when they win because they meet their earnings. Security officers
win when there are no incidents.