The man at the helm of PGP Corporation talks to Paul Fisher about key choreography, strategy and saving Bletchley Park.
There are precious few real characters in the IT security sector. That's not a criticism, it's just a fact. So when you meet one they do tend to stand out, such as the CEO of PGP Corporation.
Phil Dunkelberger is imposing, opinionated and tends to make sure his thoughts are heard. Those who work closely with him will testify that he can be demanding. They might well refer to him as “Dunk” but not, you feel, to his face.
The company that Dunkelberger now heads up has its roots in a piece of email encryption software known as Pretty Good Privacy, which was written in the early 1990s by industry veteran and all-round good guy Phil Zimmermann.
After a three-year legal battle with the US government over PGP's use around the world which, the government said, violated federal restrictions on the export of cryptographic tools, Zimmermann created PGP Inc with Dunkelberger enjoying his first turn at the helm. This ended with the acquisition of PGP Inc by Network Associates (which was to become McAfee) in 1997.
Then it all changed again when, in 2002, a group of investors bought the rights back from McAfee and the second PGP Corporation came into being – with Dunkelberger in charge once more.
In global terms, and even within the security sector itself, PGP is not a major player but Dunkelberger has the ability to make you believe it is. Everyone knows PGP and everyone knows Dunk – he makes sure of that.
Now a well-preserved 50, Dunkelberger does not give the impression that he is about to move anytime soon. Unlike some of his younger rivals in the industry, one feels he's not looking to prove anything on a bigger stage, especially as the world is looking to encryption as the magic bullet for the data loss epidemic flooding the Western world.
“Oh, there's significantly more to it than that. One of the serious things facing the security business as a whole is this idea that there is a really easy solution to really complex problems.”
The explanation as to why it's not so simple also allows Dunkelberger to revisit a concept that PGP announced last year: key choreography. Sounds fancy, but it's really about wrapping encryption into the movement of data, applications and the entire architecture.
“If you start out by saying we're going to encrypt all the data then you need key choreography worked out, you have data classification worked out from the beginning, and you have an infrastructure that you can easily adapt encrypting data into applications and work flow.
“If you've got the ability to not only manage keys but choreograph them in where they're part of your work flow, if you've got the decisions made about the stuff that sits within your firewalls, and the things that you're going to put outside the firewalls, if you've got all that worked out, it's an easy solution. Unfortunately most people haven't,” he says.
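The idea Dunkelberger is describing, that classification decides which keys protect data and that key management has to follow the data through its workflow rather than being bolted on afterwards, is easier to see in code. The following is an added illustration written for this page; it is not PGP's software or a description of the PGP product. It assumes a constructed classification policy, a versioned ring of key-encryption keys (KEKs), and a toy HMAC-based stream cipher standing in for a real authenticated cipher such as AES-GCM. Each record gets its own data key, which is wrapped under the KEK its classification names; rotating a KEK then means rewrapping the small data keys, not decrypting and re-encrypting the data itself.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed classification policy (an assumption for this example): each data
# class names the key-encryption key (KEK) label that protects its per-record
# data keys. "public" data is stored in the clear.
POLICY: Dict[str, Optional[str]] = {
    "public": None,
    "internal": "kek-internal",
    "confidential": "kek-confidential",
}


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode, XORed over the data.
    The same call decrypts. Illustrative only; a real system would use an
    authenticated cipher such as AES-GCM."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class Record:
    classification: str
    ciphertext: bytes               # data encrypted under its own data key (DEK)
    nonce: bytes
    wrapped_dek: Optional[bytes]    # DEK encrypted under a KEK; None for public data
    kek_label: Optional[str]
    kek_version: Optional[int]


class KeyRing:
    """Versioned KEKs: rotation adds a version; old versions stay until retired."""

    def __init__(self) -> None:
        self.keks: Dict[str, Dict[int, bytes]] = {}
        self.current: Dict[str, int] = {}

    def rotate(self, label: str) -> int:
        versions = self.keks.setdefault(label, {})
        version = max(versions, default=0) + 1
        versions[version] = os.urandom(32)
        self.current[label] = version
        return version

    def retire(self, label: str, version: int) -> None:
        # Only safe once every record that referenced this version has been rewrapped.
        del self.keks[label][version]

    def wrap(self, label: str, dek: bytes) -> Tuple[bytes, int]:
        version = self.current[label]
        nonce = os.urandom(16)
        return nonce + keystream_xor(self.keks[label][version], nonce, dek), version

    def unwrap(self, label: str, version: int, wrapped: bytes) -> bytes:
        return keystream_xor(self.keks[label][version], wrapped[:16], wrapped[16:])


def encrypt_record(ring: KeyRing, classification: str, plaintext: bytes) -> Record:
    label = POLICY[classification]  # unclassified data raises KeyError rather than guessing
    if label is None:
        return Record(classification, plaintext, b"", None, None, None)
    dek, nonce = os.urandom(32), os.urandom(16)
    wrapped, version = ring.wrap(label, dek)
    return Record(classification, keystream_xor(dek, nonce, plaintext), nonce, wrapped, label, version)


def decrypt_record(ring: KeyRing, rec: Record) -> bytes:
    if rec.wrapped_dek is None:
        return rec.ciphertext
    dek = ring.unwrap(rec.kek_label, rec.kek_version, rec.wrapped_dek)
    return keystream_xor(dek, rec.nonce, rec.ciphertext)


def rewrap_record(ring: KeyRing, rec: Record) -> Record:
    """Move a record onto the current KEK version. Only the wrapped DEK is
    rewritten; the bulk ciphertext is never decrypted or touched."""
    if rec.wrapped_dek is None or rec.kek_version == ring.current[rec.kek_label]:
        return rec
    dek = ring.unwrap(rec.kek_label, rec.kek_version, rec.wrapped_dek)
    wrapped, version = ring.wrap(rec.kek_label, dek)
    return Record(rec.classification, rec.ciphertext, rec.nonce, wrapped, rec.kek_label, version)


def demo() -> dict:
    """Walk one confidential record through encryption, KEK rotation, rewrap and retirement."""
    ring = KeyRing()
    for label in ("kek-internal", "kek-confidential"):
        ring.rotate(label)
    rec = encrypt_record(ring, "confidential", b"account 12345 balance 100")  # constructed input
    first_version = rec.kek_version
    ring.rotate("kek-confidential")             # new KEK version becomes current
    moved = rewrap_record(ring, rec)            # DEK rewrapped, ciphertext identical
    ring.retire("kek-confidential", first_version)
    return {
        "ciphertext_unchanged": moved.ciphertext == rec.ciphertext,
        "kek_version": moved.kek_version,
        "plaintext": decrypt_record(ring, moved),
    }
```

The point of the design is in `rewrap_record` and `retire`: because the data key travels with the record and the KEK version is recorded alongside it, a key rotation is a pass over small wrapped keys rather than a redeployment of every application that touches the data. A record that was never rewrapped before its KEK version was retired becomes unreadable, which is exactly the planning failure the interview warns about.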
He restates the pressures that any IS professional would recognise – pressure from a newly data-aware C-suite, legacy issues, brand damage – and highlights a conversation he had with the CSO of one of the UK's leading banks. Part of the problem was that security is designed by the chief system architects and then passed on for implementation by the operations people, he says. “They think: ‘we've checked that security box on that particular area’. Then users come along with new devices and all these new toys that the industry invents and they're suddenly plugging back into the network, new endpoint things, new software, and the cycle begins again. Yet, most companies don't understand in a broad sense that security is an ongoing, evolving threat-based, risk-based environment.”
So is it PGP's time? “It's always been encryption's time. But have we had to make it easier to use, more viable, broader based, cover more applications?” he asks.
“Absolutely. Does it have to be a part of an overall security strategy that takes your people, your processes, your products and ultimately what objective you're trying to achieve with the data into effect?” he says.
So, it is encryption's time and, what's more, PGP has been saying so for years, he says. “I think we were right six years ago but being right doesn't make it go away. It's just where the hard work begins. You have to think differently,” he says.
“Reaching the point where you realise that the data is what's important is only the beginning. IT people are going to have to take more of a modern platform approach, much as they have taken to network staff for the last 15 years.
“You're going to do the same thing with data protection. The endpoint is evolving and changing faster than any other part of the environment, yet the network gets reconfigured. Unless you've mastered where your threats and risks are, and you have a corporate view of that and there's been a partnership developed between the lines of business and yourself, whatever technologies you buy, well they aren't going to work long term.”
He adds a radical idea into the datacentric mix, saying that understanding security should be compulsory for any IT tyro. Unless you do a stint in the security group, don't expect a management or leadership role in IT, he says.
“Several financial institutions are doing it. Somebody that might have been in IT admin, might have been a systems analyst doing things for finance, they're going to spin through a six-month cycle of being a security analyst and learning, following and shadowing people, because that broadens and deepens their knowledge base. I'm told all the time that when people think of encryption, they think it is hard. Well, it's pretty easy; it's the decryption and return to a stasis state that becomes difficult because of data flows. The same data is used multiple times in multiple applications, in an enterprise environment, and you have to have a plan if that data is valuable for how that's going to be secured,” he says. “It's all about being smarter, realising what you don't know and understanding the potential of protecting the data but also the limitations in doing so.
“It's changing the way you think. It's not deploying and redeploying four times in a four-year period.”
Throughout our conversation, Dunkelberger mentions meetings with customers and senior CSOs. I wonder how he picks up so much knowledge.
“I spend 75 per cent of my time on the road. I can't be effective as CEO leading both the technical side of the business and the customer side without being out there seeing what they're really doing. The best source of information today is the customers.”
Dunkelberger has nearly 30 years in and around the IT business. He's seen history made at Xerox PARC in terms of what we now take for granted as mainstream computing. Are we on a new computing paradigm – the cloud, SaaS, the end of Microsoft dominance?
“I don't think we're at the start of a big change. Interestingly enough though, for the last 15 years, we've heard this is going to be the year of the network and cloud computing. There's a definitive split between uses of technology in the enterprise versus consumer technology. But you are going to have data pipes everywhere and the ability to tap into the internet anywhere you go with any device. I think that's great vision.”
He heard the term ‘cloud computing’ at a meeting with Symantec Telco customers in 1993. They were asking even then how they were going to protect data.
“And I was thinking: ‘Wow, that's a really interesting concept’. Well, fast forward to today and I think the SaaS people need to start explaining to people how they're going to keep the data safe. And the lawyers are going to have to start explaining chain of custody of data around the world. Who's really responsible – the people who collected it, the people who sent it out or the people processing it? Who owns the data when it gets breached?”
Dunkelberger settles back, pauses and draws on his day out at Bletchley Park where he announced PGP's contribution to the fund to save and restore Bletchley Park and honour its part in defeating Nazi Germany.
“I watched a computer that's 60 years old do basic functions that a Pentium II is chugging along, trying to keep up with. I think we need to get some perspective on these things. I think there's a lot of things ripe with promise but it took 15 years to lay all the fibre optics in the ground and get high speed internet connections.
“Many people yesterday were asking me, what do you think the next big thing is? I said the next big thing is going to be people starting to protect their data,” he says. Now there's a compelling vision of the future.
Dunkelberger's battle to save Bletchley Park
In September this year Dunkelberger headed up an event at Bletchley Park aimed at highlighting the plight of the one-time nerve centre of Britain's technical operations against Nazi Germany.
Bletchley Park was where the Enigma code was cracked, where Allied cryptographers including Alan Turing, the ‘father of modern computing’, worked. It was also home to the world's first digital, programmable computer, Colossus.
Sadly, many of the buildings are falling into disrepair, but the impetus to recognise this place as a vital part of Britain's heritage has come from American tech companies.
Alongside co-sponsor IBM, PGP launched an appeal for funds to preserve Bletchley Park and turn it into a world-class technology museum.
“It's a worthwhile thing to do. Of course we got involved because of the work they did on ciphers and public cryptography. But we also believe that there is really a debt owed to Bletchley by anybody that's in the IT industry today. Many of the issues that are affecting us in the security world today, they were in the midst of back in the 30s and 40s,” says Dunkelberger.
“It's also very valuable if we're going to spur on entrepreneurs in the future. Bletchley could be one of those kick-starts in the UK and for Europe, a destination place where school children would go,” he adds.