Gus Hunt, former CTO of the CIA and keynote at upcoming Cyber Forum discusses the use of big data, cloud computing and cyber security
November 5, 2014

++ Action Item: Mr. Hunt joins a group of Global Leaders who are Converging on Ottawa (November 12-13) to discuss Cyber Security and impact to Canadian organizations: Interested in Cyber Security? then please review the details of the Cyber Security Forum, Roadmap for the future and Peer Network at: http://www.cata.ca/Media_and_Events/cybersecurityforum/

1. You've spoken about the growing interest in Big Data and the cloud with organizations like the CIA, what do you see as the potential benefits and pitfalls?

First off, let talk about Cloud Computing. Commercial Cloud is an inexorable trend in computing. Running infrastructure is not a business differentiator and few companies do as efficiently, effectively, or securely as the commercial cloud providers. If you design and implement your workloads properly to take advantage of things such as elasticity and multi-zone availability you can get performance and reliability that is otherwise not available or affordable on enterprise clouds in corporate data centers. By using a commercial cloud provider you can focus "up stack" on services and capabilities that sharpen your competitive edge and provide unprecedented capabilities for your business. Imagine what you could do with instantaneous access to "unlimited" computing capacity that you only pay for what you consumed. Leveraging the commercial cloud takes friction out of corporate IT processes and dramatically increases your business' competitive velocity and agility.

Yet, not everything can or should go to the cloud. Some workloads are not well designed to efficiently take advantage of the cloud. Other workloads, such as non-varying, steady state computing loads may not be cost effective (yet). And, you really need to think through your cyber-security posture. Although I believe that commercial cloud computing environments are inherently more secure than nearly all corporate managed data centers, you are only as safe as the workloads you run. A poorly secured workload is equally vulnerable whether in the cloud or in your data center.

IHS forecasts that by 2017, only 10% of US IT spend will be in the cloud-IaaS and SaaS. That's $250 billion of $2.5 trillion. I think this represents the knee in the curve and commercial cloud adoption will dramatically accelerate because cloud solutions will continue to mature and many of the corporate concerns-security, lock-in, and cost-will be resolved or have solutions through 3rd party vendors.

Big Data is not a new phenomenon, many industries and businesses have been "doing" big data for a long time. However, as the cost of computing has fallen, the performance has risen, and the cloud has made large scale computation accessible and affordable, the ability for anyone to take advantage of their data is becoming ubiquitous. That said, we are only in the nascent phases of the Big Data world. The true value of big data can only be fully realized when it is productively in the hands of the average user. Today Big Data requires scarce specialists-Data Scientists-to effectively leverage the tools and deliver value and insight from the data itself. Tomorrow, much as the spreadsheet enabled people to easily manipulate numerical data, equivalent tools will and are emerging that enable the average person to easily manipulate other corporate data resources to solve their specific problems.

A caution. Ease of manipulation does not equate to ease of insight. It will take education and training to enable people to know whether or not the results they got from their big data analytics are relevant and meaningful, or simply random correlations that have no validity. To that end, it will be critically important to train your employees in the effective use and understanding of data, big data tools, and the importance of validating the conclusions they draw from their big data tools.

2. What key lessons can the private sector learn from how government organizations approach cyber security?

I believe there are three critical lessons that apply to the commercial sector and government alike. First, security must be built-in to IT systems from the beginning. If cybersecurity is not considered and involved from the onset, then IT systems will be fundamentally flawed and security becomes a bolt-on and therefore less effective.

Second, governments and the private sector alike need to focus Data-Centric security, because that's usually what the insider threats, hacktivist, cyber criminals and nation states are after, your data-intellectual property, PII, access credentials, credit card numbers, bank accounts... The traditional approach to cyber-security has been network centric protections--the process of building higher walls and deeper moats around the enterprise computing environment, adding layer upon layer of additional security solutions to protect against each new threat as they appear. We need to invert this model and focus on protecting and securing the data. We need to think about how to design our systems to make it hard to steal useful data, even in the event of a breach. Data centric security needs to become the center piece of a defense in depth strategy that is designed under the assumption that you will be breached, that is inevitable, but no/minimal loss occurs. If the data taken is fundamentally useless, ie encrypted or tokenized, then you still want to address the source of the breach, but you haven't suffered any reportable loss.

Third, we live in a "perimeterless" world and in this world you are only as secure as your least secure connection. Due to the ubiquitously connected wireless world, boundaries have evaporated and your least secure connection may be outside of your control. Just look at the attack vector against Target. Companies must think about how to protect themselves in an environment that is not under their control, and if you can't control the end points, you must control and protect your data.

3. Do you see any advancements and innovations on the horizon that could change the way in which organizations approach and manage online security?

I'm going to answer this question tangentially, at first. Cyber security is simply too hard for most companies to do well. The nature and sophistication of the threats is continuously advancing, skilled people are in short supply, the solution space is complex, and the half-life of solutions is decreasing rapidly. Worse, there is no business differentiating value in doing it well, only the down-side effects of a breach or compromise. Because you are most vulnerable through your weakest link, which may be a business partner who cannot keep up with the threats, an effective cyber security strategy demands a different model and a different approach. Thus the emergence of "Security as a Service" (SECaaS) companies such as eSentire. Much as ADT provides security services to instrument, monitor, protect, and respond for the security of your physical home or business, SECaaS companies do so for your cyber protections needs. They provide the skilled people; they keep up with the threats and the technology; and they provide 24x7 monitoring and response services.

4. Do you see opportunities for the public and private sector to work together to manage and advance the effectiveness of online security?

Absolutely, I believe it is essential that we forge an effective public private partnership to share data and solutions about the threats. We live in a globally interconnected world and we must take globally interconnected view to increase our visibility of the threat dynamics and act more quickly to mitigate new threats as they emerge. To do this requires that government and business work together, each leveraging their complementary skills, to create a real-time threat intelligence fabric that enhances the cyber-security posture and mitigation response of everyone.

5. Since retiring from the CIA, you have taken on the role of advisor to organizations looking to expand and grow their presence in the defence and security world. What have you found most exciting about this new challenge?

The most exciting part of my new role is meeting and working with all of the smart people and innovative companies that are out there. We have entered an amazing time in technology. Thanks to the cloud and mobile technology, the barriers to entry are lower and the cost of building and trying out a new idea have been dramatically reduced. New funding models have emerged and talent can be accessed globally. There has never been a better time for individuals or companies with a good idea to drive innovation and create value. These ideas are fundamentally reinventing government, business, services, education, and society in ways we couldn't begin to imagine just a few years ago.