Dr. Herbert (Hugh) Thompson is Program Chair for RSA Conferences and a world-renowned expert on IT security. He has co-authored several books on the topic and has written more than 80 academic and industrial publications on security. He has been an adjunct professor at Columbia University in New York and is Advisory Board member for the Anti-Malware Testing Standards Organization.
In this interview he talks about innovation in the information security industry, the job landscape, privacy solutions, and more.
If we look at the information security industry as a whole, what drives innovation besides the fast-paced threat landscape?
If you went back in time, 2 or 3 years ago there were two big drivers in innovation. One was compliance, and you rarely associate compliance with innovation, but in fact it did drive innovation in fields like cryptography and tokenization. There was real economic benefit in solving those problems.
The second driver was the threat landscape: it was the attacks that were coming in, and those attacks were very high profile. Both of those drivers still exist today, but there is also another one, which is interesting and fairly new to security: the idea of security actually providing value by enabling the business to use consumer technology like BYOD safely, and allowing people to use both consumer and commercial cloud services. Is there a way we can safely let people use Google Docs, for example, because they are using Google Docs anyway? The rapid adoption of personal devices and the rapid adoption of public cloud services are definitely driving innovation in security today.
Looking beyond the buzzword, how important is big data for the future of information security? Can small companies really take advantage of it?
I think one of the biggest things working against us in IT security since the beginning of the field is the lack of good metrics. Many times we have had to work based on precedent, in some cases based on superstition, around what makes us more secure or less secure. Big data and data analytics offer the promise of making security actually measurable. It may give us a ground truth around security. So when you look at analytics in that way, you would argue that analytics is perhaps the most important element in information security today. So I think that it’s going to affect not just big enterprises, who will be early adopters of those metrics, but it will give us very actionable insight for small and medium-sized companies too.
Privacy issues have been in the spotlight quite a bit lately. Should we expect an emergence of creative privacy-enhancing solutions or are we merely at the mercy of dubious privacy laws?
Privacy is definitely driving the creation of innovative solutions right now. From an RSA Conference perspective, the Innovation Sandbox competition that we run in the US for innovative start-up companies had many innovative new solutions around privacy. Some of it was corporate privacy, some of it was personal privacy.
As an example, I am a bit hesitant to mention or promote any companies, but these folks were in the top 10 of Innovation Sandbox: a company called Wickr is a very interesting company. If you have heard of Snapchat, one of those chat applications where messages self-destruct after a while, so they no longer exist in the system, Wickr is sort of a corporate version of that. Three years ago this was only a curiosity, but given the recent discussions around government inspection of data flows I think you are going to see companies turn to more creative, more non-traditional mechanisms for data privacy, particularly in Europe and particularly in Germany and France.
I think you will see a lot of discussions, both formal and informal, at RSA Conference Europe on the topics of data sovereignty and privacy, asking very important questions around the supply chain in a different way. Particularly because this is a European conference, and Europe has one of the strictest privacy regulations in the world.
If someone interested in computer security who still hasn’t chosen a path within the industry comes to you for guidance, what type of job would you recommend nowadays?
In the short term: forensics. There is a massive lack of skills there, and a massive demand for people. In the longer term, I would say it’s real security architecture: the ability to go in and understand how a system is constructed from a big-picture perspective. What happened was that we built systems that were based on the threats of 10 years ago. There are going to be a lot of companies in the next 10 years that are going to have to completely redesign and rethink their big-picture strategy around security, and then there is going to be demand for people who have the skills of infrastructure architecture combined with the skills of information security.