Q&A: Information assurance

Ravinderpal “Ravi” Sandhu is The University of Texas at San Antonio (UTSA)’s Lutcher Brown distinguished chair in cyber security and the executive director of UTSA’s Institute for Cyber Security. He holds thirteen U.S. patents for security technology and has received more than 30 sponsored research grants. In this interview, he discusses information assurance.

Generally speaking, how important is information assurance for an organization?
The answer will depend to some degree on the nature of the organization. Financial, health and educational organizations, amongst others, have regulatory and legal requirements with respect to information assurance. For military and intelligence agencies mission success can critically depend on information assurance. For most organizations information assurance is probably something that should be of concern at the top levels of management. Somebody at the C level should be charged with looking after this issue. Cyber space of the future will be much richer than most of us can imagine today and will enable innovative applications that the best companies will embrace to their advantage. This will require continual attention to information assurance by top management.

With the current recession and shrinking budgets, what are the most challenging aspects of managing information-related risks in the enterprise? Are there any corners practitioners are allowed to cut?
The pressure to cut costs is immense and I don’t think will completely go away when the economy recovers. Rather than “cutting corners” the key is to do “more with less.” Much of information security practice relates to compliance and internal policy rather than effectiveness. We could probably improve effectiveness and reduce costs by focusing on measures that are effective rather than mandated by so-called best practice. Unfortunately the attackers are getting more sophisticated each month so we have a moving target, where the attackers seem to have all the initiative. Nevertheless I think we can do better with the money we spend on security by spending wiser.

In view of the many data breaches, are companies generally paying attention to information assurance? Can they beat the insider threat?
One thing that data breaches have demonstrated is that simple compliance standards like PCI (for the credit-card industry) provide no guarantee against breaches. While having a industry standard such as PCI is better than nothing, it remains a far cry from actually making our systems safe. Regarding the insider threat I think it can be “contained” rather than “beaten.”

Which information assurance tools can you recommend to our readers?
I will stay away from naming specific tools or products. Suffice it to say that never buy anything that promises absolute security and make your vendors explain the limits of their security products and how to break them. If a security vendor cannot break their own product why would you trust them?

What certifications and events would you recommend for those interested in getting deep knowledge related to information assurance?
There is no substitute for a solid education. Without understanding of basic principles we cannot have an effective discipline. I am skeptical of the value of currently popular certifications other than this may be the best we have to work with. Certifications based on rote memorization of sometimes incorrect “facts” are damaging to the profession. Information assurance, or cyber security as I prefer to call it, is a young and immature field. Deep knowledge comes only with specialized education in it. Unfortunately our higher education system is failing us by not providing such specialized education, since it itself evolves at glacial pace. Industry events give us a good pulse of the industry and overall ecosystem but are hardly a source of objective information and deep knowledge.