Stephen Northcutt Interview

Posted April 7, 2009
Filed under: blogging, Social Media |

I am very excited to announce that I was recently invited to blog for Computerworld! My blog is titled “Cautiously Cutting the Cord”. In my first post, I spoke with Stephen Northcutt (CEO of the SANS Institute). We spoke about wireless networking & security, social media, and other topics. While I posted the wireless portion of the interview at Computerworld, the rest of the interview follows:

DH: Another topic that I know we are both interested in is Social Media. I want to know your thoughts on where social media is headed, what the security risks are, and how you plan to either use or not use social media to expand and protect your brand with SANS.

SN: My first observation with regards to social media is that we may go through some transitions, but on the longer haul it’s going to definitely be a change in the way we think, the way we work, and the way we process information. Just this morning, I was watching a video of some research that they’ve done where you wear a camera and projector around your neck and when you run into information, the system helps you process it in context. So if you run into another person, the system might display word tags about the other person on their chest to help guide your conversation. Another example of that system is if you’re going to the airport you might just hold your ticket in front of the camera and it will begin to give you information about your flight status and gate and that sort of thing. So these things have very bona fide, obvious uses.

DH: What about the security risks of social media?

SN: Well, the biggest security risk for social media is the OPSEC (operational security) kind of stuff. We are going to be giving out more information about ourselves than ever before. Bad people will use that to craft attacks against us pretending to be someone else or pretending to give us some sort of opportunity. But we will get through this – we will be wise. Speaking only for myself, I’m not terribly worried about someone being able to fool me by the information that’s out on social media in the same way that I can look at in an inbox, and if the subject line is fishy, I can usually tell without opening the message. I see the subject line and I know that it’s not for me.

DH: Do you think that social media and its threat will legitimize the need for more security awareness training?

SN: I certainly hope so. One of the experiments that we are trying on Twitter with SANS is to tweet a security tip of the day, every single day. If we are fortunate enough that this works and people follow us, then more and more people will be exposed to these tips. Furthermore, if security people encourage others to follow us, then we are reaching the right audience, which is a really cool thing. The investment is so low. With 140 characters, how much time does it take to read? I guess 4 or 5 seconds. You can read a tweet in almost no time.

DH: How do you see social media as an opportunity to expand your brand? How do you see social media as a potential threat to your intellectual property or your brand?

SN: Well I don’t see social media as a threat to our intellectual property. We sort of have a fixed problem of people trying to steal our intellectual property, with a fixed solution (the legal system) and I don’t think social media changes that. In terms of a threat to our brand, obviously if anyone that we would view as a competitor does a better job of using social media – get more followers or get more press – then obviously that could take some shine off our brand. On the positive side of things, with LinkedIn, I’m approaching 600 connections at this point and they’re all business. Wherever those people go, they remain linked to me unless they choose not to. I’m not linked to Stephen Northcutt, I’m linked to SANS Institute so I’m building connections for the business. There’s a guy who has already written an application already that ties Twitter to Salesforce and so there is some serious opportunities to leverage the technology if we can believe in it. My one concern is that if too many people from SANS go chasing too much social media it will dilute the brand message and also churn up some time that could’ve been spent doing other things. So while I do get on Twitter, I am a bad Twitterer. I’m on there once every three or four days because I know there is a SANS Institute account and I know they’re going to do something every day, and I don’t feel the pressure.

DH: The Internet Storm Center also has a Twitter account that they update a few times a day with different threats as well.

SN: That’s great! I didn’t even know that – I try to follow them.

DH: That’s really all I wanted to cover but I figured you are gracious enough to talk to me about two things I am passionate about, was there anything you wanted to communicate, either about your organization or something that you think needs more coverage?

SN: I think that we have two exciting opportunities right now as a community. Neither one of these are SANS specific and I want to be VERY clear about that. The NSA blue team has wanted to put their methodology into the hands of the public for some time (maybe not all the secret sauce you understand) but to try to begin to turn around the absolute devastation that American corporations and US government are facing under the persistent technical threat of other countries infiltrating our information for their purposes. The project is called the Consensus Audit Guidelines. SANS does host them, there found at http://www.sans.org/cag but they’re not ours and we’re not claiming they are ours. We’re not the sole arbiters of them. The person in charge of the project is the former CIO of the Air Force, John Gilmore -somebody who is definitely his own man. We’re just excited that we get to participate and make suggestions. I would love to see more attention to the CAG, more of the community contributing to the CAG effort of people trying to implement some of the controls in their organization and then reaching back into the community with their experiences. I think this is potentially one of the most important things we are doing.

SN: The other is that the government is about to announce a scholarship program for younger people that show talent in science and technology area, who have an interest in information security. Apparently something along those lines has been happening in China, and is a big part of how the Chinese developed their ability to extract information from both the US and other part of the world assets. They found a few good hackers who were willing to train others and so forth. We’re less interested in the United States in hacking, but we certainly do need to be interested in configuring well, and so I’m hoping this program is a success. You know, the government starts many, many, many programs (and not all of them succeed), but I hope this one succeeds. I hope that SANS can have some part in that success. Additionally, I hope that anyone who ever hears this recording or reads the transcript will be interested in doing what they can to mentor some promising young person. For one thing, some of these folks who have an interest in security are going to end up in organized crime or hacking, and so trying to give them an chance to do something exciting and challenging as well as being part of the community is too important of an opportunity to pass up.