Last month, I wrote a post about Stan Black, chief security officer at Citrix Systems, who argued that just treating the symptoms of your cybersecurity ills won’t cure them, and that instead, you need to address the cause. What’s worth elaborating upon in this follow-up is what Black had to say about how he addressed Citrix’s own IT security issues.
I opened this portion of my interview with Black by asking him what he has had to fix at Citrix since joining the company as CSO a little over three years ago. His response:
A lot of things. Well, I don’t know that fixing is the right term. I’m Citrix’s first CSO, and what we have implemented is a more consistent and uniform approach to how every function at Citrix consistently protects the business. Many businesses, whether they’re a technology company or a heavily regulated institution, have varying levels of protection. It’s my opinion that we are part of our customer’s supply chain, and therefore every facet of our business needs to be consistently protected. Now, some items are far more sensitive than others, so you need levels. But I wouldn’t say it’s what I have fixed — it’s consistency that we have established, whether it’s product security, operational security or cloud security. We also do geopolitical and threat risk modeling; we make sure our people around the globe are safe, and that we have the ability to reach out to them in the event of an incident. So it’s a fairly broad spectrum. I’m responsible for product security, operational security, and the safety of our people.
In his keynote at the 2016 Citrix Security Summit for Government last June, Black said he had removed 30 percent of the security technologies in Citrix’s infrastructure since he got there. I asked him to elaborate on that, and he said it was an exercise in virtualization:
Essentially, our own technologies eliminated the need to add on security layers. Virtualized data doesn’t leave the building; I don’t have to protect it. If inside a container, you’re only allowed to go to authorized locations and communicate with authorized people — in other words, whitelist — then I don’t have to worry about blacklist, do I? So the 30 percent — actually 30-plus percent now — is simplification. There are technologies that do detection, but I prefer prevention. So the detection type of technology, I have greatly reduced.
In January, Black wrote a blog post in response to media reports that a Russian hacker had compromised Citrix’s content management system, noting that the content management server that was accessed contained no customer, employee or other sensitive or confidential information. I asked Black what he learned from that experience, and he indicated that he learned a lesson about fake news:
Make sure that we keep all systems at Citrix protected in a consistent fashion — it goes back to simplification. But do you want to know what I really learned from that? That truth in some media forms is not necessarily important to what they print or communicate. Because that event was about as benign as they come, but those reports significantly increased the amount of cyber-attention I received globally, to the tune of over 330 percent.
Black shared some additional insights stemming from the findings of a newly released IT security survey, commissioned by Citrix and conducted by the Ponemon Institute. For one thing, he spoke to how the concerns of respondents in the United States differed from those of respondents in other parts of the world:
Especially throughout Europe, how security is looked at is actually tied more consistently to privacy. Many of my counterparts throughout Europe look at security and privacy hand-in-hand. So really, it’s not that they are different, but the perception is a little bit different in how they are measured, and what is critical — privacy being top of mind throughout much of Europe. My view on that is, it’s my opinion that the word “privacy” incorporates security, it incorporates compliance. So it protects the business, it protects the technology, and it protects identities and accounts and things of that nature. So I don’t see how they can be bifurcated.
The survey found that 80 percent of the respondents cited attacks from nation-states as what they consider to be the No. 1 security risk. I asked Black if he believes that nation-states are indeed the No. 1 risk, or if that was just top of mind with the respondents because there’s been so much in the press about it recently. He indicated that what’s important is that the focus on nation-states doesn’t blind anyone to the harm generated by the criminal element:
Nation-states have the most resources; organized crime has the highest aptitude for highly targeted activities. So they’re in it for profit; nation-states are in it not necessarily for profit, but for disruption, and for intelligence-gathering, whether it’s an aircraft design or highly cleared people in the government, or whatever the data may be. So that’s why if you look at the 56 billion unauthorized probes that hit my perimeter every quarter, much of the traffic comes from sources that would be put into the category of nation-state — probably 75 percent is a rough estimate. But I would also say that another significant percentage is a mix that goes across the nation-states, that is a mix of government-driven and criminal entity-driven.
A contributing writer on IT management and career topics with IT Business Edge since 2009, Don Tennant began his technology journalism career in 1990 in Hong Kong, where he served as editor of the Hong Kong edition of Computerworld. After returning to the U.S. in 2000, he became Editor in Chief of the U.S. edition of Computerworld, and later assumed the editorial directorship of Computerworld and InfoWorld. Don was presented with the 2007 Timothy White Award for Editorial Integrity by American Business Media, and he is a recipient of the Jesse H. Neal National Business Journalism Award for editorial excellence in news coverage. Follow him on Twitter @dontennant.