Heading the company with perhaps the most recognized acronym in the information security field and following in the footsteps of lightning-rod figure Phil Zimmermann must have both its charms and its challenges. PGP President and CEO Phil Dunkelberger, however, ranges far and wide in his reflections on how data — and keeping it safe — affects our lives and our thinking.
I had the good fortune to talk with Dunkelberger on a summer morning as we both worked from our home offices (complete with my dogs contributing their two cents in the background). We marveled at how technology has improved our lives and our productivity, and wondered at the same time what our children will think about growing up with parents melding work and home life and always peering into glowing screens big and small.
Dunkelberger pointed out that the very nature of our conversation demonstrated the exponential expansion of security issues raised by current facts of life such as remote workers and ever-smaller devices carrying ever-increasing amounts of corporate data.
E-Commerce Times: What are the most pressing information security threats to enterprises today?
The issue is two-fold. First, there are what companies view as internal threats. They were less concerned when they saw a hard perimeter between them and the outside world. But smaller devices like thumb drives and intelligent phones are showing us that people are not really ready for the effect of nanotechnology on data security.
While these cycles of innovation have led to big productivity gains and the freedom to work anywhere, we’re seeing a real convergence of personal and professional life. Security sometimes is an afterthought, but these workers are leaving the building, even if they’re just going home at night with a laptop, with a lot of data, requiring enterprises to rethink security.
Then, there’s the fact that data has become a currency on the Internet. It’s not as clear as the black hats and the white hats anymore. External threats have gone from waging asymmetrical warfare to symmetrical warfare, even taking steps like going to schools and recruiting students to become hackers. Identity fraud has gotten lots of attention, but what will happen when they steal billions of dollars worth of R&D data from a company or the medical information of all of its employees? Data is running like water through Internet pipes, and none of this existed 10 years ago.
ECT: Your most recent blog entry outlines your interest in the work of [pioneering U.S. military researcher] Vannevar Bush and the importance of public/private partnerships in technology research. An oft-noted concern of PGP founder Phil Zimmermann, however, was anti-nuclear proliferation. Although your company was founded by a person with what seems to be anti-military sentiment, you see a beneficial relationship between government and private research?
Both sides of that story are interesting ones. Zimmermann was indeed concerned about personal privacy and the effects of government intrusion, and he also looked forward to a time when businesses and individuals could keep their privacy intact. The zenith of those concerns coming together was perhaps when PGP worked with the German government to develop an open source version of PGP — GGP — for use in Germany. The German people really value privacy, and here we had a U.S. corporation putting its proprietary intellectual property in the public domain and then the German government sponsoring an open source standard for it.
ECT: Identity theft seems to have hit its apex as the security problem du jour. What’s the next one?
There’s a learning theory that people first are unconsciously incompetent; we don’t know what we don’t know. Then we become consciously incompetent; we know that we don’t know. Then we progress to unconsciously competent, on to consciously competent, and then back to the beginning.
We can apply this theory to the knowledge that companies have about the information security threats facing them: We don’t know what we don’t know. There are all kinds of new threats; for instance, a good way to find out what knowledge workers are doing is by hacking a company’s search engine. You can find out all sorts of competitive information that way: What are the company’s M&A targets, for example?
In fact, companies are starting to find morale problems when there are information breaches. I talked with one CSO (chief security officer) recently who said she hears from employees that they think the company doesn’t care about them when information gets out. So, people are going to have to make security systems work, even in these tough economic times. We have to get more clever about how to get more done and also keep information more secure.
I spoke recently to a group of enterprise executives and told them they need to follow [author of the Don Juan series of books on mysticism] Carlos Castaneda’s advice on becoming a man or woman of knowledge. “You’ve got to forget what you know.” That is, we have to start talking about throwing out the conventional wisdom and take a fresh look at security strategy and training. Technology is just one part of that.