Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


CSO Counsels Restraint

Security chief says too much encryption may be overkill, and offers other career advice at Interop

LAS VEGAS -- Encrypting every piece of data at rest within an organization could be expensive overkill.

According to Al Kirkpatrick, chief security officer at information services firm First American Corp., many users may not need as much encryption as some industry sources are advocating.

Kirkpatrick, whose firm provides services such as document processing to the real estate industry, explained that he is responsible for "billions of records stored on terabytes of data," during his Interop keynote Tuesday. According to the exec, this includes the world's largest Microsoft SQL Server database.

But the security chief warned other IT managers not to buy into the "soundbite du jour" of encrypting all this information. "The jive that bothers me is that you have got to drop everything and encrypt all data at rest at the moment," he explained. "You have got to look at the whole puzzle -- you're not going to have enough money to do it all."

A number of vendors, including Decru, EMC, StorageTek, and IBM, are targeting this space, and a slew of offerings are available to encrypt data. (See Quantum, Decru Hook Up, IBM Certifies Decru, Decru Joins StorageTek Program, and Analysis: Storage Security .)

"I am not saying that it's not important," notes Kirkpatrick. "For some people [encrypting data at rest] will be very important, depending on what the data is, what type of database they have, and the protection around it."

But the exec says that data being moved from site to site on tapes worries him much more than information sitting on his back-end servers: "It's data in movement that scares me to death right now."

An IT manager from a Midwest financial services firm, who asked not to be named, agrees with Kirkpatrick's assessment. "Within the organization there needs to be some consideration of encryption for some types of data, but it's not critical. I think that encryption where you have data leaving your facility, however, is key," he says.

Even some storage vendors have identified encryption as an area where there are no quick fixes. (See Storage CTOs Debate Security and Insider: Encryption Means Planning.)

Kirkpatrick also used his keynote as a pep talk for IT managers with an eye on a career in security. "You have got to fundamentally understand all the domains of the technology," he explains. But he warns against getting too hands-on. "Once you have got to the chief security officer level, you have to trust the people around you to take care of the bits and bytes."

But the job is about much more than firewalls and intrusion detection systems, and Kirkpatrick warns that security chiefs need to think on their feet, fielding calls from the media one minute and "outraged" users the next. "It takes a lot of communication skills, and you have got to keep your cool throughout all of that."

A typical CSO, according to Kirkpatrick, is going to be pulled in a number of directions. "You have so many different constituents that are competing for your time and attention," he says, ranging from vendors to board members and auditors. "If you're not one to juggle this and handle it, it will drive you crazy."

IT managers looking to become successful security execs should also be extremely conscious of their firm's funding climate, according to Kirkpatrick, and make realistic demands for money. But conversely, they should not cave in to boardroom financial pressure. "Don't be backed into a corner. Don't let them con you into promising [security] for zero dollars."

Ultimately, however Kirkpatrick, warns prospective CSOs to brace themselves for tough times. "Bad things are going to happen unless you are an incredibly gifted, lucky, person," he says. "And, if so, I want to hire you so that your aura can follow me around."

— James Rogers, Senior Editor, Byte and Switch

Organizations mentioned in this article:

  • Decru Inc.
  • EMC Corp. (NYSE: EMC)
  • IBM Corp. (NYSE: IBM)
  • Microsoft Corp. (Nasdaq: MSFT)
  • Storage Technology Corp. (StorageTek)


    Recommended Reading:

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 7/14/2020
    Omdia Research Launches Page on Dark Reading
    Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
    Why Cybersecurity's Silence Matters to Black Lives
    Tiffany Ricks, CEO, HacWare,  7/8/2020
    Register for Dark Reading Newsletters
    White Papers
    Current Issue
    Special Report: Computing's New Normal, a Dark Reading Perspective
    This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
    Flash Poll
    The Threat from the Internetand What Your Organization Can Do About It
    The Threat from the Internetand What Your Organization Can Do About It
    This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2020-07-14
    In October from version 1.0.319 and before version 1.0.466, a user with access to a markdown FormWidget that stores data persistently could create a stored XSS attack against themselves and any other users with access to the generated HTML from the field. This has been fixed in 1.0.466. For users of...
    PUBLISHED: 2020-07-14
    Traccar GPS Tracking System before version 4.9 has a LDAP injection vulnerability. It occurs when user input is being used in LDAP search filter. By providing specially crafted input, an attacker can modify the logic of the LDAP query and get admin privileges. The issue only impacts instances with L...
    PUBLISHED: 2020-07-14
    An issue was discovered in Verint Impact 360 15.1. At wfo/help/help_popup.jsp, the helpURL parameter can be changed to embed arbitrary content inside of an iFrame. Attackers may use this in conjunction with social engineering to embed malicious scripts or phishing pages on a site where this product ...
    PUBLISHED: 2020-07-14
    An issue was discovered in Verint Impact 360 15.1. At wfo/control/signin, the rd parameter can accept a URL, to which users will be redirected after a successful login. In conjunction with CVE-2019-12784, this can be used by attackers to "crowdsource" bruteforce login attempts on the targe...
    PUBLISHED: 2020-07-14
    An issue was discovered in Verint Impact 360 15.1. At wfo/control/signin, the login form can accept submissions from external websites. In conjunction with CVE-2019-12783, this can be used by attackers to "crowdsource" bruteforce login attempts on the target site, allowing them to guess an...