Up Close and Personal with...

Larry Ponemon is interviewed by Ray Smyth, editor of Network Computing Magazine.

Ray Smyth - Characterise recent IT history?
Larry Ponemon - It has produced rapid change. The biggest changes concern security and the crumbling IT security perimeter; also there has been a culture shift from central command and control to end-user empowerment e.g. BYOD. And not to forget the increasing complexity that disruptive technologies such as mobility, cloud, virtualisation, social media and big data bring.

RS - And IT security?
LP - It has come a long way in recent decades, especially in the quality and effectiveness of enabling technologies. Despite these improvements, the IT security ecosystem is in flux - partially because of the changing threat landscape, emerging regulatory requirements, the stealth and sophistication of cyber criminals and organisational complexity.

RS - Where is security heading?
LP - Mainly it will change from defensive (keeping the bad guys out) to an offensive orientation (destroy them before they attack). Whilst a good idea, it will potentially unleash a plethora of privacy concerns because of the use of high-tech surveillance in general populations.

RS - How has the IT/Business relationship changed?
LP - I recall the great divide between the IT practitioner (experts) and end-users (novices). In the old days, end-users were not able or trusted to do basic things like determining screen settings on a terminal or desktop computer. In today's organisation, end-users do much of the heavy lifting without the aid of the IT department.

RS - Should IT and business get more aligned?
LP - Yes. Aligning their objectives is essential. It's best done through C-level oversight and strict metrics that force the alignment through accountability.

RS - Is there conflict with sponsored research?
LP - I believe research on how organisations respond to security, data protection and privacy challenges is very important, regardless of its funding source. While we appreciate receiving compensation for our studies, our Institute's researchers maintain ruthless independence. Sponsors never design, administer or analyse the research. Further, we publish the entire survey record - whether or not it favours a particular sponsor's product or position in the marketplace. Over the past 11 years, we have lost sponsors who thought we were too rigid and inflexible on this independence issue.

RS - Can end-user organisations be involved?
LP - We gladly share copies of our research with anyone interested in reading it. We also appreciate and encourage constructive feedback. I enjoy receiving favourable comments but appreciate all kinds of feedback, including those that are negative or critical in tone.

RS - What is currently missing from the IT equation?
LP - In my experience, the largest security gaps often involve negligent personnel, business process glitches and poor governance practices. Recent studies found that the biggest holes in IT security occur because of the so-called human factor, wherein good people do stupid things - this needs attention.

RS - How do you relax?
LP - I'm an instrument rated pilot and fly my small airplane, mostly for business, throughout North America. Flying for an old guy like me is pretty intense, so I'm not sure it is relaxation. I also enjoy playing guitar and I am a troubadour at heart with a really neat collection of old Fender Telecasters.

RS - Is big data a bit scary?
LP - It causes enormous, unanticipated privacy challenges. In my opinion, it is impossible to advance the privacy rights of citizens when commercial and government organisations have access to amazing details that define an individual's every step. Even worse, this detailed data can be wrong or inaccurate with no way to correct it. This is a very scary issue, but very few people appear to be concerned.

RS - Isn't the current piecemeal approach to the legal stuff of the cloud a mess?
LP - Yes. Attempting to comply with a patchwork quilt of laws and regulations is a very messy process. However, tools like eGRC (enterprise Governance, Risk Management & Compliance) make it easier to manage this burden.