RSA's chief technology officer thinks security should be left to experts. He tells Paul Fisher why he's no fan of employee awareness training.
Bret Hartman is one of those rare industry representatives whose understanding of security has had an impact on people's everyday lives.
Now chief technology officer at RSA, he began his career as a US Air Force pilot assigned to the National Security Agency. This obviously involved far more than tooling around in expensive flying machines: while there, he is credited with helping to create the Trusted Computer System Evaluation Criteria for the US Department of Defense - also known, rather intriguingly, as the "Orange Book".
Twenty-five years after leaving the US Air Force and with a raft of senior technical roles behind him, Hartman moved to RSA following its acquisition by EMC, where he had held exactly the same job title.
Relaxing in the sun-drenched lobby of the Kensington Marriott, Hartman explains how his life has changed since joining EMC two years ago. "As far as I know, I was the first-ever security CTO at EMC," he says. "Before, the company was really trying to figure out what its security strategy should be. Historically, EMC has focused on information management and the data centre.
"It was all about: 'how do we embed security within the EMC product line? How do we actually make security a core component of what it means to manage information?'"
In his current role, the challenge is a variation on the same theme. RSA is traditionally known as a provider of effective security products, but integrating them was left to the customer or to a partner.
"RSA was never really focused on the solutions component, but now it is providing security technologies to solve problems within the EMC product base and with our partners, such as Microsoft and Cisco," Hartman says. "Security has really become a feature, a core component of player platforms, as opposed to a stand-alone or add-on. That's a huge change."
This is all good marketing speak, but the best product integration in the world doesn't add up to much when people can do things like burn a couple of CDs with hugely sensitive data, pop them in the post and lose them.
Hartman's answer to these more human problems is less clear-cut and, ultimately, something of a blow to those who believe in the power of education.
"Less and less information is actually under the control of central IT these days. Information is created everywhere, it's out on everybody's laptops, it's outsourced, it's developed all over the world," he points out. "So how do you impose control on that information when so little of it is under your direct physical control? You have to have the right technologies in place to maintain that control.
"Maybe it's because I'm a technologist, but I'm much more sceptical of the training discussion. Of course training's crucial, but what we see in companies everywhere is that the chief security officer or chief compliance officer will define a corporate policy. And, sure, everybody who goes for training will read it." But then, Hartman claims, they will ignore it, happily sending out data on USB sticks and web-based email, because they are under pressure to get things done and achieve results.
"The world is too complicated and, frankly, it's too difficult to be able to follow those policies under strain. I'm a believer that the right technologies have to be in place to be able to control and enforce that," he states.
This is certainly at odds with a strand of information security thinking which holds that "security buy-in" is all it takes to turn careless employees into model ones. The Hartman philosophy is that only applied technology can guard against inevitable human error.
To him, then, no matter how much training people have or how often you remind them of the importance of security, they will go on making mistakes. "Unless you're a security professional, that's not your job," he continues. "At the end of the day your job is whatever it is - to make the company money, sell the product and deliver your service. Security is typically down the list in terms of priorities. Most people view barriers as an impediment.
"The challenge is to provide security as part of the fabric, to build it in and have security embedded and non-intrusive, so you let people get on with their job every day, and let the technology handle clever people doing stupid things," he says.
A nice turn of phrase: clever people doing stupid things - it could be the title of a self-help book for information security professionals. Hartman believes that all the technology needed already exists, but that the real problem is a failure of application.
"This is the issue," Hartman muses. "Are staff trustworthy? In most organisations there's very little in place to prevent an employee from accessing almost any corporate data. You have to have the [technological] approaches in place to be able to control that information wherever it exists."
So when the next major data breach occurs, and we all know it will, should the UK and the European Union start thinking about punitive legislation? Unsurprisingly, those charged with looking after data are less keen on potential career-ending moves. Meanwhile, some sections of the press couldn't care less about technology or CISOs being publicly caned - it's about ethics. And public protection.
"Absolutely, it's ethical, but balancing ethical requirements with business drivers is tricky," admits Hartman. "We have to be careful, but that's part of the challenge. When you regulate technologies, sometimes strange things happen that don't make technical sense." He uses encryption as an example: it is possible to obey the letter of a law that demands encrypted data while leaving the keys that unlock it unprotected.
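Hartman's encryption example in concrete form, as an added illustration that is not part of the original interview and not RSA or EMC code. It contrasts a record that stores its data key right beside the ciphertext (the data is "encrypted", so a checkbox is ticked, but anyone holding the record can read it) with a record whose data key is wrapped under a key-encryption key held somewhere else. The cipher is a stand-in built from HMAC-SHA256 in counter mode so that the script needs only the standard library; the sample plaintext and the key-encryption key are constructed here for the demonstration, and a real deployment would use an AEAD cipher and an HSM or key-management service for the wrapping key.

```python
"""Added example: 'letter of the law' encryption versus protected keys.

The stand-in cipher below (HMAC-SHA256 keystream plus an HMAC tag) exists
only so the script runs offline with the standard library; it is not a
production cipher. Use an AEAD such as AES-GCM in real code.
"""
import hashlib
import hmac
import os
from typing import Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a pseudo-random keystream from key and nonce (counter mode over HMAC)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _tag(key: bytes, nonce: bytes, ct: bytes) -> str:
    # Integrity tag over nonce and ciphertext, under a key separate from the keystream key.
    mac_key = hashlib.sha256(b"mac" + key).digest()
    return hmac.new(mac_key, nonce + ct, hashlib.sha256).hexdigest()


def encrypt(key: bytes, plaintext: bytes) -> dict:
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": _tag(key, nonce, ct)}


def decrypt(key: bytes, record: dict) -> bytes:
    nonce = bytes.fromhex(record["nonce"])
    ct = bytes.fromhex(record["ct"])
    if not hmac.compare_digest(record["tag"], _tag(key, nonce, ct)):
        raise ValueError("wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def store_key_beside(plaintext: bytes) -> dict:
    """Pattern 1: the data is encrypted, but the data key is written into the same record.

    This satisfies a rule that says 'data at rest must be encrypted' and protects nothing:
    whoever obtains the record (lost disc, stolen laptop image) also obtains the key."""
    dek = os.urandom(32)
    rec = encrypt(dek, plaintext)
    rec["key"] = dek.hex()  # key stored next to the ciphertext
    return rec


def store_key_wrapped(plaintext: bytes, kek: bytes) -> dict:
    """Pattern 2: envelope encryption. The data key is wrapped under a key-encryption
    key (kek) that never leaves a separate store; only the wrapped form is saved."""
    dek = os.urandom(32)
    rec = encrypt(dek, plaintext)
    rec["wrapped_key"] = encrypt(kek, dek)
    return rec


def attacker_reads_record(rec: dict) -> Optional[bytes]:
    """What someone holding only the stored record can recover."""
    if "key" in rec:
        return decrypt(bytes.fromhex(rec["key"]), rec)  # pattern 1: everything
    return None  # pattern 2: the wrapped key is useless without the kek


def authorised_read(rec: dict, kek: bytes) -> bytes:
    """Legitimate path for pattern 2: unwrap the data key with the kek, then decrypt."""
    dek = decrypt(kek, rec["wrapped_key"])
    return decrypt(dek, rec)


if __name__ == "__main__":
    # Constructed sample data and a constructed key-encryption key for the demo.
    secret = b"customer account numbers: 1234-5678, 2345-6789"
    kek = hashlib.sha256(b"demo kek held in a separate store").digest()

    leaked = store_key_beside(secret)
    print("key beside ciphertext, attacker recovers:", attacker_reads_record(leaked))

    wrapped = store_key_wrapped(secret, kek)
    print("key wrapped under kek, attacker recovers:", attacker_reads_record(wrapped))
    print("authorised reader recovers:", authorised_read(wrapped, kek))
```

Both records look the same to a compliance audit that only asks "is the data encrypted?"; the difference is entirely in where the key lives, which is the point Hartman is making.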
We move on from the ethics of business and onto something rather different - the alleged practice of cyber warfare by governments against governments, the recent spat between Estonia and Russia being a good example. Given his NSA background, I'm assuming Hartman has some good things to say on the subject, but he prefers to talk about the practicalities rather than the politics - although he admits it's a threat.
"The real issue is that you are vulnerable, and national infrastructure is not just about the military. It's about telecommunications and power," he says. "Those are typically far easier targets than the military command-and-control system, and have a huge impact on a national economy. The US has just launched a new cyber command within the air force, which is all about viewing cyberspace as a new front."
He's more expansive on the commercial war. Fighting the criminal gangs that hide within the borders of Russia and China will result in an unavoidable (and probably unwinnable) arms race between attackers and defenders. However, he is optimistic that the forces of globalisation will eventually force those countries' governments to take action. "EMC has several international software development centres, including in St. Petersburg and Shanghai. These are great places to go for security expertise.
"It's in a nation's best interest to cooperate rather than to try to territorially dominate. I think that's far more likely to succeed," he says of the criminals.
The growing presence of such criminals means that, for all the right reasons, information security is not a bad business to be in right now - something not lost on bigger players in the IT pool. The past two years have seen a frenetic round of M&A activity - which was bruising for some. Hartman is well placed to comment on the RSA/EMC experience having worked in both camps.
"It's not easy to have a successful integration, to take two companies and create something where the sum is more than the parts separately," he says, seemingly unaware of the understatement. "I feel like we've done very well with RSA. It's very positive. It's viewed internally as being a great success. The challenge for other businesses is not to get too far ahead of themselves in terms of acquisition, to allow time for integration," is his advice.
As for Hartman himself, he has moved around a lot in his career, but insists that this, now, is a work in progress.
"This is the beginning of quite a long journey in terms of continuing to integrate and drive the security management forward, it's been so much fun, but we've got a long, long way to go."