Interview with Kevin Day, author of “Inside the Security Mind: Making the Tough Decisions”

Who is Kevin Day? Introduce yourself to our readers.

I grew up in Northern California; as the son of an early programmer, I held a pacifier in one hand and a keyboard in the other. I came into Information Security Consulting about 9 years ago, and was hired by a New York based consulting company in 1999. Beginning as a lead security engineer, I eventually became a security practice manager developing new concepts and methodologies, and working high-profile projects for Fortune 500 companies and government organizations. Most recently, I was amongst the founders of Relational Security Corporation, an organization that focuses on new tools and methodologies for Information Security Assessment and Risk Management.

How did you gain interest in computer security?

Because my father was an early programmer, I lived and breathed computers and coding throughout my childhood. As I got older I realized it was not my desire to spend days and nights battling coding logic. My time was balanced between computers, the arts, and philosophy. It all started when I was hired by a hospital on the West Coast. Daily, I had information security projects thrown my way. It didn’t take long to realize that Information Security was the perfect balance between logical and creative. As it says in Inside the Security Mind, “security is not a battle of a human’s creativity vs a computer’s predictable logic… it is an unpredictable battle between two equally creative and dynamic forces: Creativity vs. Creativity.” This experience inspired my journey onto the Information Security path and I have never lost my passion for it.

What operating system(s) do you use and why?

Personally I have a mix of everything in my house and office. Professionally, there is no single OS I use or recommend. Each has its calling, each has its purpose, and each has its place. The battle of the operating systems all too often transcends security or technology and lands in the world of politics. However, I will say that the convenience of a Windows desktop proves necessary in many practical-life instances. As such, Windows 2000 is my primary laptop OS with a Linux dual-boot.

How long did it take you to write “Inside the Security Mind: Making the Tough Decisions” and what was it like? Any major difficulties?

The ideas for Inside the Security Mind had been evolving for many years, inspired by working with my clients to solve security issues. The actual book took about 8 months to write and 18 months for the entire publishing process.

The book itself was quite difficult to write in the beginning. It was not similar to anything available, and honing in on the right balance of philosophy and practical example to achieve maximum impact proved challenging. Additionally, knowing what you want to say is easy, but relating it to the world is not. Because the book is focused on “all audiences,” not just technical gurus or security professionals, great editorial care had to be taken to make the book easy to read, with minimal technical acronyms.

What kind of response did you get from the security community to your book? Are you satisfied with the results?

The feedback has been tremendous. When exploring a new approach you can never be sure how readers will respond. In the short time since its publication, Inside the Security Mind has received kudos from several infosec publications and security leaders (like Stephen Northcutt of SANS). I am also pleased to hear the enthusiastic feedback on the “philosophy and concepts”, which are the core focus of the book.

What do you see as the major problems in online security today?

Thankfully we have evolved beyond the question “Is information security a problem?”, which was the first major hurdle. Now we are stuck on the concept that information security is a person that comes in to fix our security issues when we need help. All too often, the need for security is triggered by a limited set of circumstances. “Adding a new WAN link? Giving access to remote users? Surfing the net? Let’s call in the Security Experts first.” So the problem is such:

Security cannot be isolated to such simplistic triggering events as is commonly recognized by executive and management staff. But how do we train the Executives, Managers, and Technical staff to see beyond this and to know when and where security issues need attention?

The primary goal of my book is to train people how to “think” in terms of security and how to be better equipped to recognize security issues. Security will continue to be a problem if only “security professionals” recognize and address security issues. To truly be secure, every manager, director, and technician in an organization needs to have some understanding of basic security principles.

What do you think about the full disclosure of vulnerabilities?

As the arguments rage back and forth with the pros and cons of disclosing information on vulnerabilities, a few ideas have been widely accepted.

1. Vendors are more incented to write “bug-free code” and to respond to exposures and exploits if they are publicly known.

Conversely:

2. Making the exposure publicly known opens a window of opportunity for every script-kiddy in the world to use it to their advantage.

I agree that the best solutions may involve a time-delayed response where exposures / exploits are reported to a central agency. I also agree that that agency should be responsible for contacting the related parties (usually vendors), who are then given X days to develop a patch or make their disclosure before it becomes public knowledge. This is in accordance with the chapter on “Secretless Security” and the idea that nothing can be assumed secret or unknown to the “bad guys”, and pretending it is a secret can only work against us. This is also highly incenting to vendors, since those who have not responded in this type of scenario will have greatly magnified the proverbial “egg on their face.”

I see a lot of arguments for and against this type of approach and I would certainly not be so fixed as to say the solution is this simple. It is far too big of a topic to provide a simple “Yes I agree” or “No I don’t” answer.

What is, in your opinion, the biggest challenge in protecting information at the enterprise level?

The biggest challenge in Information Security Risk Management is at the Enterprise Scale. Organizations are finding it difficult to get their hands around security when it has so many dimensions and possibilities. Medium and large companies have spent the past few years building an arsenal of tools and technologies to solve point-in-time problems (one series of problems = one tool/solution). But now organizations have to consider so many vulnerabilities & exposures, so many tools & technologies, and so many regulations & standards, that such tunnel vision is no longer possible. Organizations are challenged to adopt information security risk management practices that span from the business requirements, to the governing regulations, to the technical details. And all this needs to be accomplished in the midst of shrinking budgets and increasing threats from the outside world.

What are your future plans? Any exciting new projects?

I am extremely excited about a new technology we have developed at RelSec. Over the past several years we have been working to develop RSAM (Relational Security Assessment Manager), which provides clients and consulting companies with an open and adaptable framework for assessing/managing risks and safeguards in a large-scale manner. The capabilities of this technology are tremendous, far beyond my expectations from the security world. I imagine this will be the standard security tool for assessment and risk management in the years to come, and I am excited to be involved with it from the start.