In 100 years, the airline industry has integrated policy and process that includes international agreements and safety standards for aircraft, he says.
“If you think about the airline industry, it is clear there is a whole set of principles that state very clearly what governments expect from the air industry and beyond, and those policies are then reflected in law and regulations in technical and operational standards.
“The airlines understand what they have to do to pass safety inspections for their crews, for their aircraft, for their ground facilities and for the operation of the planes when off the ground. There are standards that are driven by the policies. Basically, we say we want the air environment [to be] reliable, safe and available for people to use.
“We need to do the same kind of thing for the internet,” says Winter, who worked in the US government defence sector before joining ArcSight (soon to be part of HP) in March this year. He worked for more than 25 years at the US National Security Agency, including positions as CIO and CTO.
In a sense, he says, the internet is available to use but is not necessarily reliable or safe.
Different governments, he says, need to sit down and think about it and come up with their descriptions of what they want to see. The next major hurdle is for governments to establish standards for protecting information in their own agencies and in large enterprises that deal with the public.
“There is now a well-financed, technically-astute underground under the belly of the internet taking it into a black area and doing very well [in] taking stuff from enterprises around the world,” says Winter.
He stresses that the target does not have to be financial data. He cites an article by US Deputy Defence Secretary William J. Lynn III in a recent issue of Foreign Affairs magazine, on the department’s new cyber-defence policy.
“He talks about the fact that the loss of intellectual property (IP) is in the long run the single biggest threat here. That is not the issue most people are focusing on. There is a lot of talk about cybercrime and there is a lot of talk about loss of credit cards and public records."
Winter says there should be a more extensive focus on “sensitive intellectual property”. The military does, he says, because when it talks about IP, it means weapons technology, strategic plans and documents.
“But the same is equally true for a high-tech company,” he says. “If you have strategically important information or your company is in the technology [industry] and you have market data and customer data [like] patient records, security is important.
“I look sometimes with absolute amazement at these high tech companies and they spend enormous amounts of money to develop new technologies to figure where the market goes, develop a product, develop the manufacturing process to make highly specialised and complex products, and they don’t always protect all that stuff very well.
“And you think about the fact that competitors in the international environment who want those markets would like to know about those products [and] would love to have the technology,” he says.
Winter presents a set of recommendations that include developing risk and threat models to reflect corporate concerns. Identify the high-threat users and high-value information, he says. “Prioritise, assess what your organisations care about and the business risks you are trying to deal with,” he says. Have a big picture of what your enterprise is facing.
He stresses the need to establish control through people, policy and processes. Winter is amazed at how many organisations do not have a list of authorised hardware and software. “There is no way you can protect what you can’t count.”
He also calls for the deployment of cross-system correlation. This refers to an integrated platform for collecting, processing and assessing security and risk event information from across the enterprise, so that events from different systems can be compared on a common basis. This way, he says, “you are comparing oranges to oranges in real-time, it gives you answers right now”.
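To make the last two recommendations concrete, here is an added illustration (not code from the article, from Winter or from ArcSight) of what “comparing oranges to oranges” means in practice: events from two systems in different native formats are mapped onto one shared schema, then correlated against each other and against an authorised-asset list. The VPN log lines, the workstation records, the host names and the threshold values are all constructed for this example.

```python
"""Cross-system correlation over a shared event schema, plus an inventory check.

Constructed sample data: two event sources in different native formats
(a syslog-style VPN log and JSON-line workstation auth records). Every host
name, user, IP and timestamp below is made up for this example.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical authorised-asset list ("you can't protect what you can't count");
# anything that appears in the logs but not here is an unmanaged device.
AUTHORISED_HOSTS = {"vpn1", "ws-101", "ws-102", "srv-db-01"}

# Constructed VPN gateway lines (syslog-like).
VPN_LOG = """\
2024-05-01T08:00:05Z vpn1 login user=alice src=203.0.113.7 result=fail
2024-05-01T08:00:09Z vpn1 login user=alice src=203.0.113.7 result=fail
2024-05-01T08:00:14Z vpn1 login user=alice src=203.0.113.7 result=fail
2024-05-01T08:00:20Z vpn1 login user=alice src=203.0.113.7 result=success
2024-05-01T08:30:00Z vpn1 login user=bob src=198.51.100.4 result=success
"""

# Constructed workstation auth records (JSON lines).
HOST_LOG = """\
{"ts": "2024-05-01T08:02:11Z", "host": "ws-999", "user": "alice", "ip": "203.0.113.7", "ok": true}
{"ts": "2024-05-01T08:31:40Z", "host": "ws-101", "user": "bob", "ip": "198.51.100.4", "ok": true}
"""

VPN_RE = re.compile(
    r"^(?P<ts>\S+) \S+ login user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<res>\S+)$")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalise_vpn(text):
    """Map VPN lines onto the common schema shared by every source."""
    events = []
    for line in text.splitlines():
        m = VPN_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped rather than mis-read
        events.append({"ts": parse_ts(m["ts"]), "source": "vpn", "host": "vpn1",
                       "user": m["user"], "ip": m["ip"], "ok": m["res"] == "success"})
    return events


def normalise_host(text):
    """Map workstation JSON records onto the same schema."""
    events = []
    for line in text.splitlines():
        rec = json.loads(line)
        events.append({"ts": parse_ts(rec["ts"]), "source": "host", "host": rec["host"],
                       "user": rec["user"], "ip": rec["ip"], "ok": bool(rec["ok"])})
    return events


def correlate(events, window=timedelta(minutes=10), min_failures=3):
    """Return alerts found by comparing like-for-like fields across sources.

    Three patterns are checked: activity on a host missing from the inventory,
    a success following repeated failures for the same user/IP (on any source),
    and a VPN logon followed within the window by a logon to an unmanaged host.
    """
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    fails = defaultdict(list)   # (user, ip) -> timestamps of recent failures
    logins = defaultdict(list)  # (user, ip) -> successful VPN logon times
    for e in events:
        key = (e["user"], e["ip"])
        if e["host"] not in AUTHORISED_HOSTS:
            alerts.append(("unmanaged_host", e["user"], e["host"]))
        if not e["ok"]:
            fails[key].append(e["ts"])
            continue
        recent = [t for t in fails[key] if e["ts"] - t <= window]
        if len(recent) >= min_failures:
            alerts.append(("brute_force_then_success", e["user"], e["source"]))
        fails[key].clear()  # a success closes the failure streak
        if e["source"] == "vpn":
            logins[key].append(e["ts"])
        elif e["host"] not in AUTHORISED_HOSTS and any(
                timedelta(0) <= e["ts"] - t <= window for t in logins[key]):
            alerts.append(("vpn_then_unmanaged_host", e["user"], e["host"]))
    return alerts


def run_example():
    """Correlate the constructed sample data from both sources."""
    return correlate(normalise_vpn(VPN_LOG) + normalise_host(HOST_LOG))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The point of the shared schema is that the brute-force check does not care whether the failures came from the VPN and the success from a workstation, or the other way round; the inventory check only works because there is an authoritative list to compare against. Real deployments would replace the constructed logs with live feeds and tune the window and threshold to their own baseline.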
He also recommends working with government and industry to establish enterprise security standards. He advises the development of a “threat exchange” among trusted peers. “You can share enough valuable information without giving away sensitive detail.”