Q&A with Linda Lynch
What's special about what you do?
In this age of the network, network IT services is the place to be. Everything is gravitating towards the fascinating layer on and just above the network, and with the coming wave of increasingly extended enterprise business models and IPv6, life is about to get very interesting.
You worked at BT, a UK company, and you now work in a US company. What is the difference in culture between the two?
British companies appear to be highly organised, with some very English protocols. With US companies, the key distinction is that while also organised, they are compliance-focused, having a competitive edge, somehow managing to retain their passion and commitment despite their size.
Based on your links with the UK Government (such as the former DTI), do you think the Government has improved its IT security game following that rash of data breaches in 2007/2008?
The Government compares itself unfavourably to the private sector. I currently have 164 live projects of all sizes, some public and some private sector, so I feel reasonably well equipped to compare. In general, the only difference is that the private sector has the luxury of making mistakes out of the public gaze.
The Government employs bright people and despite a lack of “executive sponsorship” for some themes, it has recently raised its game. This is partly because the Information Assurance (IA) agenda is guided by commonsense, which will always “stick” in practice.
The recently released Verizon Business 2009 Data Breach Investigations Report* found that of 90 breaches it examined, 79 per cent were compromised via web applications. Has the main hacking threat moved from email-delivered viruses and malware to malicious code embedded into websites?
We handle around 25 per cent of the world's published forensics cases, and the report is also fuelled by significant other sources of intelligence, but we hesitate to make too many generalisations.
What is clear is that the biggest sources of breach are the “unknown unknowns”; unknown data accessed on unknown applications on unknown equipment through unknown network connections using unknown credentials.
When we talk about the “sophistication” of the threats, we should acknowledge how cannily the fraudsters capitalise on “low-hanging fruit”, as well as the more common use of the term to imply increasingly sophisticated, self-adapting, self-evolving malware.
Do you bring your kids up with a strong awareness of potential security issues online? What advice do you have for parents?
Children are quite sophisticated at spotting suspicious activities, for example in online role-playing games, but it is still very tempting to click on shiny websites with lots of interesting bouncy things, so I ensure their anti-virus is up to date.
Never lose sight of the fact that a moment of natural childish curiosity can transport them into a war zone or red light area where they could grow up rather too quickly. Parental control tools, now integral with most anti-virus desktop offerings, are vital.
What will the security industry be talking about most as we move towards the next decade?
There will be a lot of noise about computing as a service and the associated themes which we call the “extended enterprise”. Maybe because our business is pervasive global IP networks, we see more of it than most, but a significant amount of what my team is working on is closely associated with the flight from legacy towards more agile and cost-effective web models.
The conversation will continue to revolve around the need to deal with the associated security problems, going wider, deeper and being smarter in our approach. To deliver on the additional intelligence and layering, we will also gravitate towards the three key and interconnected architectural themes of tomorrow. These are: users, data and increasingly intelligent networks that will achieve hardware independence and high assurance agility.
* The Verizon Business 2009 Data Breach Investigations Report is on http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf