
CSO Counsels Restraint

Security chief says too much encryption may be overkill, and offers other career advice at Interop

LAS VEGAS -- Encrypting every piece of data at rest within an organization could be expensive overkill.

According to Al Kirkpatrick, chief security officer at information services firm First American Corp., many users may not need as much encryption as some industry sources are advocating.

Kirkpatrick, whose firm provides services such as document processing to the real estate industry, explained during his Interop keynote Tuesday that he is responsible for "billions of records stored on terabytes of data." According to the exec, this includes the world's largest Microsoft SQL Server database.

But the security chief warned other IT managers not to buy into the "soundbite du jour" of encrypting all this information. "The jive that bothers me is that you have got to drop everything and encrypt all data at rest at the moment," he explained. "You have got to look at the whole puzzle -- you're not going to have enough money to do it all."

A number of vendors, including Decru, EMC, StorageTek, and IBM, are targeting this space, and a slew of offerings are available to encrypt data. (See Quantum, Decru Hook Up, IBM Certifies Decru, Decru Joins StorageTek Program, and Analysis: Storage Security.)

"I am not saying that it's not important," notes Kirkpatrick. "For some people [encrypting data at rest] will be very important, depending on what the data is, what type of database they have, and the protection around it."

But the exec says that data being moved from site to site on tapes worries him much more than information sitting on his back-end servers: "It's data in movement that scares me to death right now."

An IT manager from a Midwest financial services firm, who asked not to be named, agrees with Kirkpatrick's assessment. "Within the organization there needs to be some consideration of encryption for some types of data, but it's not critical. I think that encryption where you have data leaving your facility, however, is key," he says.

Even some storage vendors have identified encryption as an area where there are no quick fixes. (See Storage CTOs Debate Security and Insider: Encryption Means Planning.)

Kirkpatrick also used his keynote as a pep talk for IT managers with an eye on a career in security. "You have got to fundamentally understand all the domains of the technology," he explains. But he warns against getting too hands-on. "Once you have got to the chief security officer level, you have to trust the people around you to take care of the bits and bytes."

But the job is about much more than firewalls and intrusion detection systems, and Kirkpatrick warns that security chiefs need to think on their feet, fielding calls from the media one minute and "outraged" users the next. "It takes a lot of communication skills, and you have got to keep your cool throughout all of that."

A typical CSO, according to Kirkpatrick, is going to be pulled in a number of directions. "You have so many different constituents that are competing for your time and attention," he says, ranging from vendors to board members and auditors. "If you're not one to juggle this and handle it, it will drive you crazy."

IT managers looking to become successful security execs should also be extremely conscious of their firm's funding climate, according to Kirkpatrick, and make realistic demands for money. But conversely, they should not cave in to boardroom financial pressure. "Don't be backed into a corner. Don't let them con you into promising [security] for zero dollars."

Ultimately, however, Kirkpatrick warns prospective CSOs to brace themselves for tough times. "Bad things are going to happen unless you are an incredibly gifted, lucky person," he says. "And, if so, I want to hire you so that your aura can follow me around."

— James Rogers, Senior Editor, Byte and Switch

Organizations mentioned in this article:

  • Decru Inc.
  • EMC Corp. (NYSE: EMC)
  • IBM Corp. (NYSE: IBM)
  • Microsoft Corp. (Nasdaq: MSFT)
  • Storage Technology Corp. (StorageTek)
