Karen Worstell, former CISO at Microsoft and AT&T
Wireless, recently joined the advisory board of Neupart A/S, a
five-year-old European security risk management and awareness firm
that just launched a North American office in the Seattle area. The
company's specialty is promoting industry awareness of ISO 27001, a
standard that defines the components of a security management plan
to monitor, measure and control information security. As American
businesses emerge from their Sarbanes-Oxley, HIPAA and
Gramm-Leach-Bliley compliance projects, Neupart is hoping security
pros are ready to take a fresh look at ISO 27001. In this Q&A,
Worstell explains how ISO 27001 can be used to help companies
comply with a variety of regulations and standards, and where her
former employer, Microsoft, fits in.
You spent time as CISO at Microsoft. How are they doing on
security today?
Karen Worstell: I have an outsider's view these days since I
haven't been there for a while. I know they have made substantial
progress over the last six to seven years and I think the world
sees that. If you look at things like the privacy rankings watchdog
groups put in place, Microsoft is moving up and working hard on
issues like identity theft. They have some of the most talented
people in the business. They do have some work to do in breaking
down some silos and working together across the company, and then
they can really achieve incredible things in the security space. I
have a lot of confidence in my colleagues who still work there.
Talk about how ISO 27001 could benefit IT pros
in the U.S.
Worstell: The ISO 27001 standard is very successful because it is a
holistic and integrated approach that breaks down silos that can be
a barrier to security and quality. It's based on management systems
and gets into how you build and operate things.
A lot of IT pros have been immersed in other regulations and
standards and many have regulation fatigue at this point. Could
that make Neupart's U.S. mission difficult?
Worstell: The complaint is that people are being regulated out of
their profit margins. We have to deal with HIPAA, Sarbanes-Oxley,
we have to deal with Safe Harbor if we deal with European
companies, we have PCI DSS, and people say this is just onerous.
They're right, but if you go about dealing with all this in silos,
you will fail. You will never be truly compliant and be subject to
legal liabilities down the road for representing controls that
really aren't in place as being in place. ISO 27001 has a way of
satisfying compliance requirements on all these various statutes
and regulations with just minor adjustments. It can help you comply
with Safe Harbor, PCI DSS, SOX, and GLB. You build it once and
comply many times and it can save millions of dollars and improve
the security and control environment around your business. Art
Coviello [president of EMC Corp.'s RSA Security division] said at
the RSA conference a couple years ago that everyone thinks we put
brakes on cars to go slow. But we put fancy brakes on really hot
cars so they can go really fast. That's the control environment. To
do business at the speed of light you need controls that let you
know you are doing it safely and managing risk for the enterprise.
The [controls outlined in ISO 27001] let you do things in a way
that is streamlined and nimble.
Art Coviello also says the security industry as we know it will
disappear in three years as big IT companies acquire security
vendors and build the brakes into the infrastructure, so to speak.
Is that the way to go?
Worstell: I like the idea that security isn't a bolt-on;
integration is good, but I want to be able to integrate with
choice. We can write a one-size-fits-all checklist and think every
company can follow it, and that's where we can run into trouble
with the built-in approach. Every company is different. So I'd love
to see an integrated framework for the easy plug and play of
technologies that best fit a certain niche. The difficulty
providers have is that we as consumers aren't good at explaining
what we want and need. One thing ISO 27001 can do is force us to be
clearer and say, 'I need these kinds of features and I need them to
be a certain way.' I was disappointed with the rollout of Vista to
see the challenges they had delivering on the promise of two-factor
authentication integrated across the infrastructure.
Do you think the problem there is that Microsoft has its own
silos that need to be broken down?
Worstell: To successfully integrate two-factor authentication
across the infrastructure, it has to work across all Microsoft's
components -- Windows, Office, Exchange -- and for that to work all
the different groups with competing priorities will have to work
together to get this done. I see no threat on the horizon of people
being able to deliver on this successfully. Even companies with the
ability to make it happen are having difficulty. But they're
trying.