INTERVIEW: Christopher A.R. Darby, Net security strategist
Govt., industry share security link
Christopher A.R. Darby is chief executive officer of @stake Inc., an Internet security consulting company in Cambridge, Mass. The company supplies strategy, architecture and operational security for organizations that want to use the Net for business.
As a Canadian citizen living in the United States, Darby said, he feels an obligation to contribute to U.S. national security. Although his client base primarily is corporate, Darby said his work has a direct impact on government security. The government cannot be secure if the private sector's infrastructures are not, he said.
Before coming to @stake, Darby was president and CEO of application service provider Interpath Communications Inc. of Research Triangle Park, N.C. He also previously worked at Digital Equipment Corp. and Northern Telecom Inc. He has a bachelor's degree in economics from the University of Western Ontario.
GCN senior editor William Jackson talked with Darby about security at the recent RSA Conference 2001 in San Francisco.

GCN: How old is @stake Inc.?

DARBY: Just over a year old. We serve two vertical markets, the financial services sector and the telecommunications sector, primarily Fortune 500 and global 1,000 companies. Forty percent of our business comes from Europe, and the remaining 60 percent is in North America.
We're a pure-play consulting shop. We sell only our knowledge and expertise in digital security. We start with planning and strategy and get into architecture and design. We're involved in the implementation mostly from the project management perspective.
We follow up with operational services on an ongoing basis, things like posted audit services where we can show a client how to harden an application from a security perspective.

GCN: What about your government work?

DARBY: Most of it is virtually pro bono. We lecture at the Army War College, we sit on a number of government advisory panels, and we involve ourselves with the people who are leading the thought processes on digital security.

GCN: Why pro bono?

DARBY: I said virtually pro bono. Government is not one of our target markets, but we feel we have an obligation to give back to the industry and to the country as best we can. We do core research that we want to share with the government because it impacts national security.

GCN: People in the last and the current administration have said the line between national and corporate security is blurring. Do you agree?

DARBY:
I'd go a step further. I don't think there is a line anymore. The infrastructure of the United States actually supports the government to the extent that you can't uncouple them.
If you look at things like the power grid and the telecommunications networks and the financial infrastructure, that is really the foundation on which the country is built. So work on the commercial side will directly affect national security at some point.
There is a critical need at the corporate level for digital security. What's at risk for financial institutions is money, as well as reputation. In the telecommunications market it's everything from the back office to billing and trouble ticketing.

GCN: Chronic poor security is a constant topic in Congress, whether it's government systems, hacked Web sites or operating systems. How would you assess overall security?

DARBY: The overall level is improving but still unsatisfactory. We saw a period in the late 1990s when the audit committees responsible for publicly traded companies were totally focused on year 2000 issues.
As we got through the millennium, we saw the people who are leading corporations shift their attention to digital security because there is enough knowledge at the senior executive level to know that there is no silver bullet.
Any chief executive officer who tells his audit committee that he is secure because he just updated the firewall is probably not securing his own job for the long term.
There's an understanding that this is a complex issue and requires a number of things to happen at the product level and the process level and the people level.

GCN: Is there adequate support at the top for achieving effective security?

DARBY: I don't think it's universal, but the trend now is to become more enlightened as to the complexities.
One thing we've seen within the current economic climate, which can only be characterized as challenging, is that security budgets haven't decreased. In some cases, we've seen spending on security and security planning increase.
I believe security is getting better. It's going to take a while, but the intent of the senior executives is that they will put the resources they need in place over time. The government could be giving them more incentives to do so, but over time they have to do it or they won't survive.

GCN: What kinds of incentives are needed?

DARBY: I don't think they have provided the necessary incentives yet, fundamentally because the government, like industry, sometimes confuses policy with security. Security requires substantial architecture and hard dollars on capital assets. Policy can be done more quickly.
I would like to see the government find a way to give incentives for the hard-dollar expenditures, and the only way I can see to do that would be through some sort of tax incentive for corporations to make it a better economic proposition.
I don't think regulation will really do the trick because a regulation becomes dated almost as soon as it's printed. The knowledge base changes, the threat models change, technologies change, and regulation doesn't give an incentive for a long-term organic view of designing in security.

GCN: Presidential Decision Directive 63 said the government should become a computer security role model for industry. Has it achieved that yet?

DARBY: I think the government is improving. To measure now would be unfair. Are they where they need to be? No. And I'm not the only one saying that. I think the government is saying that. The effort has to be ongoing and continuous. There really is no end state.
Is corporate America looking at the government as best of breed? I don't think so. The government is not spending the time and money to be characterized as best of breed, and until it does so, corporate America will look inward.

GCN: You incorporated the staff of Boston's L0pht Heavy Industries hacker cooperative into your company. Has that created any negative attitudes? And how do you ensure that the people working for you are the people that your clients want to have working for them?

DARBY: L0pht was a strong addition. They are viewed as thought leaders in this space. They represent less than 3 percent of our staff, so they are not statistically significant.
We have people who used to work for the National Security Agency, FBI and White House working for us. We do background checks on everyone that comes in, and we don't hire criminals.

GCN: Can you point out any good examples of security?

DARBY: I'm limited in the responses I can give, not because I can't think of any but because most clients don't want you publicly talking about them.
I can tell you that companies such as Bertelsmann mediaSystems, a multinational media company in Germany, have the philosophy of designing security in at the front end. Before they roll something out, they start thinking about security.

GCN: What common traits do organizations that are doing a good security job share?

DARBY: They recognize that it is not just about a network and that the applications layer is becoming more important than even the network layer.
They recognize that security can't be looked at as an afterthought, that it has to begin with the selection of toolsets. Different toolsets have different levels of risk associated.
They also don't rush products to market.