eBay, the online auction and shopping giant, has taken the fraud threat seriously and has managed to cut it by 90 percent in the last three years, the company’s former Chief Information Security Officer Dave Cullinane recently shared at a meeting.
According to CSO Online, this increased interest in shutting down malicious individuals who were trying to take advantage of the site and its users has led to the arrest of some 3,000 people around the world, mostly outside the US.
Cullinane, who left eBay in May this year and joined California-based Security Starfish as CEO, successfully convinced eBay executives to raise the budget allocated for IT security from $10 million annually in 2006 to $48 million annually in 2011.
He accomplished this by showing them the costs of breaches and other security incidents that were likely to befall the company if it didn’t invest in security. He also got them to agree to physically move five major company data centers from their then location on a major fault line in California.
Given the sheer size of the site and its popularity as a target for cyber crooks of all kinds – scammers, those interested in harvesting customer information, or those trying to bring the site to its knees via DDoS attacks – he realized that in order to maintain the site’s positive reputation, he would need to cover a lot of ground.
So during his six-year tenure as CISO, the company began investing heavily in IT security by setting up new programs, educating staff, investing in botnet detection and cyber intelligence software, and cooperating closely with law enforcement agencies by providing the information needed to track down and prosecute scammers and attackers. The company also began disposing of legacy code and made security a priority.
Cullinane pointed out that a good relationship with company executives is crucial to doing a good job as CISO. “The CEO and CFO are your greatest allies,” he said to the information security professionals present at the Information Systems Security Association’s gathering. “But they shouldn’t be hearing about a breach at your company from the press. They should be hearing it from you.”
He encouraged them to be paranoid about security and to always be aware that a breach can happen to their companies, too. He also urged those working for bigger companies to share their knowledge with security professionals working for small ones, as smaller companies are currently heavily targeted but often don’t have the technology, manpower and expertise to keep safe.