Condition Zebra's CEO on IT security risk management

Condition Zebra?s CEO Drew Williams on BYOD, keeping businesses secure and its ZebraCON conference arriving later this month

Social Media Portal (SMP): What name and what do you do there at Condition Zebra?

Drew Williams (DW): I?m the President and CEO at Condition Zebra, Inc.

SMP: Briefly, tell us about Condition Zebra (for those that don?t know), what is it and what does the company do?

DW: Condition Zebra (ConZebra) is an international risk management consulting firm that helps clients address IT risk in three areas: Policy Development, Internal Controls and External Exposure.

The company offers consulting services, educational services, risk mitigation and web application security services - including governance, risk management and compliance (GRC) policy development services.

SMP: Who are your target audience and why?

DW: Condition Zebra?s target audience includes organizations that are concerned about their risk of exposure to IT vulnerabilities and attacks, who might have a strong IT infrastructure but might still want to validate their system integrity, and also those organizations that need to address GRC-related compliance mandate issues - or are preparing to achieve some level of ?compliance? for an international standard.

SMP: Why is there a need for businesses to address security and what is the best way that they can do this?

DW: Security issues, especially those pertaining to IT infrastructures, are becoming more prevalent, due to the rapidly growing dependency on business computing and information technology as a means of developing new business opportunities and growing existing business infrastructures.

The best possible solution is for organizations to first review their respective policies internally, ensuring the scope of their operational policies map to their overall business objectives, while also adhering to some manageable level of pre-emptive risk management parameters.

Following this core tenet, organizations should consider their internal backbone, that is to say, their internal computing infrastructure, how their systems are configured, and how those systems are maintained and trouble-checked.

Finally, organizations need to consider their level of external exposure, and the consequences they may face of being compromised - and what precautions they have in place to ensure a level of reduction/prevention to impact a compromise might bring.

SMP: What has changed over the last 30 years, in more recent times, what are the main challenges that business face now and why?

DW: Since the 1980s, in the days when all the business worlds were abuzz about information management, little thought was given to the idea of the consequences associated with ready-now information being transmitted from one end point to another. Focus back then was on how to reduce the cost of a computing environment (from a space perspective), while maximizing efficiency of the data being accessed and stored.

During the 1990s, we saw a growing trend of systems coming under fire from people trying to acquire or manipulate metadata for marketing and profiteering purposes, which led to access-point security, such as firewalls and router development.

In the 1990s, Intrusion Detection Systems were all the rage, as were new developments in encryption and access authentication. The idea that information was a protected commodity also became the point of focus for many US and UK-led operational mandates, such as SOX, BS7799, HIPAA and others. The idea of selling protected personal information moved from the good idea category, to the bad thing to do category and is now out there in the it?s against the law (so to speak) category.

Now, all things computing focus on real-time access to anything, and how to maintain a virtual infrastructure cloud-based, which costs a great deal less in the way of hardware expenses, but also opens new categories of problems associated with risk management. Why? Because risk management was never solved in the first place.

SMP: Tell us more about ZebraCON, is it the first event for Condition Zebra and why are you hosting the event?

DW: ZebraCON is an international conference on risk management, compliance and critical infrastructure security. This event is designed to be an annual event for Southeast Asia, and is focused to provide a forum for discussion on the topics relevant to the title?s three areas of focus.

Condition Zebra believes ZebraCON will become a de facto benchmark in events that draw organizations (private and government) together to discuss and actually address the management of risk, as risk relates to the IT infrastructure of a business and as a nation and region.

SMP: What will be the highlights and what do you envisage attendees will take away?

DW: Condition Zebra?s position is that this event will afford business leaders and organizational leaders the opportunity to actually discuss what the real risks are that they are most concerned with, and the forum in which they present and share this information, will be conducive to open discussion and possibly even a vehicle through which resolution to how these risks are managed.

Condition Zebra CEO Drew Williams interviewed on tv2 Live about ZebraCON




SMP: What are the low moments of what you have been doing so far (and in relation to ZebraCON)?

DW: Perhaps the most frustrating of all is the fact that we know what we are doing is right for this region of the world, but people just don?t seem to care about risk management in general, despite this fact, this region is alive and kicking with IT infrastructure problems, and it?s screaming out for help, but refuses to listen when that help is placed before them. I don?t know whether it?s a cultural thing or what, but I have never seen anything like it anywhere else in the world.

SMP: What are the high moments of what you have been doing so far (and in relation to ZebraCON)?

DW: People respond favourably to my presentations, and the media is genuinely interested (concerned?) about risk management as a relevant topic on the current business scene in Malaysia and the APAC region.

We are seeing a lot of interest in our BYOD services, and services relating to helping organizations harden their web presence, and that is promising for the region.

SMP: What are the major errors that businesses make enforcing their security?

DW: They are often overconfident and under-budgeted. Also, organizations think that buying another device and throwing it into the network will solve their problems, or (in the case of one multi-billion-dollar financial institution in the region), spending monthly fees of between $3 and $50 to maintain its external infrastructure is good enough.

Another problem is slow-to-respond. In the case of MYNiC, for example, their system was compromised by a 14-year-old attack that depended on archaic technology to be successful. In this case, the victim not only knew about the problem well before the attack, they chose not to do anything to fix it.

SMP: Is anything 100% safe (what ensure damage limitation)?

DW: Sure. Stay off the Internet and don?t let anyone bring anything into the system. Closed systems have strict entry-exit procedures, and work as honeycombs in computing environments. They?re not very efficient but they?re very secure. Good for keeping the crown jewels of secrecy in-tact, but then again, they?re also only as secure as those individuals who guard them.

SMP: What issues does BYOD for example bring?

DW: Bring Your Own Device/Data/Disaster (BYOD) ?depending on whom you talk to), is a coined phrase that merely represents the trend for organizations to allow mobile computing. That said, BYOD is an efficient process as long as it is managed properly, and that the notion of mobile computing is governed and monitored by the IT team within the organization.

BYOD is a great and efficient way for organizations to work in a decentralized computing infrastructure, which maximizes employee efficiency while also potentially extending the sphere of influence an organization has in its market.


The best approach is to ensure a level of mobile device check-in, checkout procedures for how the assets of an organization are accessed, and how those assets are kept secure. Issues like authentication, encryption, data partitioning, etc., are essential aspects of a good BYOD initiative. Condition Zebra has launched the industry?s first-ever Secure BYOD Infrastructure certification, which covers the details behind implementing a comprehensive BYOD strategy.

SMP: How important is education and investment regarding security and other services the business and sign up to?

DW: If you?re asking about education on matters of need in the area of IT security, I?d say it?s becoming mission-critical to all organizations. Even if every employee understands the basics of a good secure computing environment, it?s a good place to start.

The farther up the ladder of responsibility, however, requires even greater education about the matter, and eventually, IT security education becomes very specific, depending on roles and responsibilities within an organization. That?s why Condition Zebra has been co-developing both an undergraduate as well as post-graduate educational outreach program on infrastructure security management with several institutions of higher learning in the US.

SMP: How do you stay ahead of individuals that want to crack security measures?

DW: This is a very poignant question because the answer is so simple: We stay ahead of the bad guys by staying focused on the core tenets of a solid information security infrastructure: Policy, controls, exposure. Those elements are the three categories Condition Zebra focuses all of its energy?regardless of designing a custom service, teaching a course, or providing a risk mitigation solution. Why? Because 100 percent of all attacks occur by exploiting one of those three elements, and 90 percent of those exploits are already known to us (and are preventable, or at least, addressable).

SMP: Is there anything else we should know, or is there anything that you?d like to share?

DW: If organizations really want to get ahead in the risk management game, then the place to be is ZebraCON in late August, when our field agents and experts from across the globe will be present to discuss and lead discussions surrounding these key elements. If anyone has any further questions about what has been discussed here, I urge them to get in contact with us. We can save them a lot of time and financial resources on the matter of risk management.

SMP: Best way to contact you and Condition Zebra?

Facebook
Twitter @conzebra
YouTube
LinkedIn


SMP: What did you have for breakfast / lunch?

DW: Raisin bran with dried cranberries and water with lemon.

SMP: What?s the last good thing that you did for someone?

DW: I offered to fly 20 people from Malaysia to the Philippines to conduct a special Church service in behalf of their respective families.

SMP: If you weren?t running Condition Zebra what would you be doing?

DW: I own a production company as well, and we produce documentaries around the world. I?d be working on those projects.

SMP: What is the worst security breach you have witnessed and what could have been done better to manage it?

DW: The worst security breach ?recently? was actually in February 2000, when Global Crossing was devastated by a DDoS attack. It cost hundreds of millions of dollars to recover, and eventually, Global Crossing never recovered and went out of business.

Another was when our team was in support of the US Army?s Defence Information System during the Bosnian/Serb crisis. We were working on hacking into targeted war criminal accounts and had a DDoS take out some of our servers (but got them restored in time to shut down the bad guys).

Our efforts, I like to think, helped stop the whole ethnic cleansing atrocities of that region.

SMP: When and where did you go on your last holiday?

DW: Here in this region, I went on a golf holiday to Cambodia in April, but in the US, my daughters and I spend a lot of time up in the Rocky Mountains (where I live)?and every day spent with them is a holiday for me.

SMP: What?s the first thing you do when you get into the office of a morning?

DW: Check my e-mail (which I only do in the morning), and then I check my ?WarBoard? (which is a whiteboard in my office that charts day-to-day activities in ConZebra).

SMP: If you had a superpower what would it be and why?

DW: I?d have the power to fly! Can you imagine the places we could go if we could fly there independently? And it would be a lot cheaper for upgrades!

As a photographer, I?d also get some really great angles that way!

The @smponline interview with Wilson Wong, managing director at Condition Zebra is available in the SMP profiled section.

If you're interested in doing a Social Media Portal (SMP) interview, get in touch.