Very recently you left TNT Express, where you were the head of IT security, and before that Yell, where you were its global security and compliance director. Now you are heading up the security practice for Company85. How has it been so far to be back in consulting?
I’m so new that I have not really met with many clients yet, but they [Company85] are a refreshing little outfit. I am happy to be there so far, for sure. But I do like being the end user – there’s something to be said for being defender of the realm.
What are the most significant technology transformations you have seen over the last five years?
There are two, and in my experience they have not always been approached in an effective manner. First is BYOD, and the other the push toward cloud services.
How did you approach BYOD at TNT?
I was always cynical of BYO from the outset as another Emperor’s New Clothes. My business thought it was a priority because of the potential cost savings. I originally thought BYO would not exist in five years, when people see the true cost – that there was a myth around allowing users to choose their own device.
The way this was not fully thought through was typified by what I saw at TNT. Questions about device replacement, various platforms and operating systems, all coming to the organization’s support desk. The hidden costs in BYO were deep in support and then we needed to bolster the teams we just cut back.
Did limiting device choice achieve reasonable costs?
It was ‘old thinking’ to believe you could limit choice forever. Before we even implemented BYO, we were doing it involuntarily, with more than 2000 personal devices on our network – mostly from senior executives. First we had to clean up the Wild West of BYO, and bring them under our control. They [TNT] didn’t have PIN enforcement, they didn’t have remote wipe capabilities. We had to do a network sweep, and then close the network. You had to have a NAC address before we would give you an IP address.
BYO is everywhere. I challenge anyone who says they have no BYO on their network. The cost savings goal was not achieved when I left TNT. They are still working towards it, and will be for many, many months – if not longer.
What is this myth around BYOD? Are there potential cost savings?
Companies will realize that, years from now, BYOD was not worth it and didn’t realize the cost savings they expected. Explaining that reality and management expectations are not in lockstep. We can do BYO safely and securely, but senior execs and CIOs have unreasonable expectations about what it can achieve.
The market has shifted. It used to be that your work phone was the coolest one available. Now that is hardly the case.
You mentioned the shift towards cloud as another transformation. What are some of the obstacles you faced in this area?
TNT just wanted to do it, but they didn’t know why. Before I left, they were looking to save on data center costs.
Years ago, at Yell, they wanted to go to the private cloud, based in the US, for their data center. They tried to pull everything from all regions into one, and it was like trying to turn a tanker in the ocean. There are some things that are suited to the cloud environment, and you will recognize them immediately. So go with them. Instead they were like “we must go cloud.” [Cracknell, amusingly, mimics a zombie walk]
People are just looking to participate in new trends and initiatives regardless of their true benefits to a business – I’ve not seen something like this for a few years. In the old days, a vast swath of CIOs would recognize that certain technology trends are entirely applicable to their business.
What is your take on Edward Snowden’s NSA surveillance revelations, and their effects?
Snowden just gave us a taste, now we are examining the issues in depth. It was brilliant the way it unfolded.
My view on how the cloud has been impacted by all of this? We need some level of intelligence-level surveillance. It needs to be moderated, managed, and policed, and I have no idea how this can be done. We need to monitor context, not content.
What does it mean for organizations if governments are allowed to monitor context, but not specific content?
In a commercial sense, commercial entities should be able to protect their content, but they should concede to where the data flows to. From that context, if needed, and with the proper legal access, governments can then determine if certain data needs to be examined.
The cloud is like a shared office. You lock your stuff in your desk when you leave it, which you would not do if you shared an office with just your mate. Organizations that store data in the cloud need to take this approach when their data resides there, and protect it accordingly.
What are some of the issues you are consulting your clients on within your new position?
They come mostly from finance and telecommunications, both in the UK and across Europe. We’re advising clients on government surveillance issues. We are telling them to classify and appropriately label data. Everything tends to get protected with a one-size-fits-all approach, which is not desirable. Identify the crown jewels and give them their requisite attention. Protect the integrity of important data. Make sure the less important stuff is available to those who need it, and that you spend the requisite amount of money on doing it, not more than you need to. Issues around classification of data have been talked about for more than a decade, and it’s still not receiving its due attention.
I also advise them to look at access control and old-fashioned event management. We capture so much data and analytics, but we don’t look at it until we have a reason to. It would be relatively simple to build a routine or trigger that would inform us when we need to look at it. I’m talking about basic checks; reverse engineer an attack – so we can look for triggers about when bad things are happening. Then you receive absolute cast-iron examples from past incidents to let you know when a similar incident is happening again.
Another piece of advice: security is still all relative. Security is an enabler.
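The "basic checks" Cracknell describes above (reverse engineer a past incident into a trigger that fires when the same pattern recurs, and bring unmanaged devices on the network under control) can be illustrated with a small rule engine. The following is an added example written for this page, not code from the interview, Company85 or TNT; the log format, the two rules, the device registry and the sample log lines are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system). The assumed
# shape is "<ISO timestamp> <kind> key=value key=value ...".
SAMPLE_LOG = """\
2024-01-10T08:00:01 auth src=10.0.0.5 user=alice result=FAIL
2024-01-10T08:00:09 auth src=10.0.0.5 user=alice result=FAIL
2024-01-10T08:00:17 auth src=10.0.0.5 user=alice result=FAIL
2024-01-10T08:00:25 auth src=10.0.0.5 user=alice result=FAIL
2024-01-10T08:00:33 auth src=10.0.0.5 user=alice result=FAIL
2024-01-10T08:00:41 auth src=10.0.0.5 user=alice result=SUCCESS
2024-01-10T08:05:00 auth src=10.0.0.9 user=bob result=FAIL
2024-01-10T08:30:00 auth src=10.0.0.9 user=bob result=SUCCESS
2024-01-10T09:00:00 dhcp mac=aa:bb:cc:dd:ee:01 action=REQUEST
2024-01-10T09:00:05 dhcp mac=aa:bb:cc:dd:ee:ff action=REQUEST
"""

# Constructed registry of devices that have been enrolled (PIN enforced,
# remote wipe available); anything else asking for an address is unmanaged.
KNOWN_DEVICES = {"aa:bb:cc:dd:ee:01"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>\w+) (?P<kv>.*)$")


def parse_line(line):
    """Turn one log line into a dict of fields, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
    fields["ts"] = datetime.fromisoformat(m.group("ts"))
    fields["kind"] = m.group("kind")
    return fields


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def brute_force_trigger(events, threshold=5, window=timedelta(minutes=2)):
    """Trigger distilled from a past incident: at least `threshold` failed
    logins from one source within `window`, followed by a success from the
    same source. A lone failure before a much later success does not fire."""
    alerts = []
    failures = defaultdict(list)
    for e in events:
        if e["kind"] != "auth":
            continue
        src = e["src"]
        # Drop failures that have aged out of the window before deciding.
        failures[src] = [t for t in failures[src] if e["ts"] - t <= window]
        if e["result"] == "FAIL":
            failures[src].append(e["ts"])
        elif e["result"] == "SUCCESS":
            if len(failures[src]) >= threshold:
                alerts.append({"rule": "brute_force_then_success",
                               "src": src, "user": e["user"], "ts": e["ts"]})
            failures[src].clear()
    return alerts


def unregistered_device_trigger(events, registry):
    """Trigger for the 'close the network' step: a DHCP request from a MAC
    that is not in the managed-device registry."""
    return [{"rule": "unregistered_device", "mac": e["mac"], "ts": e["ts"]}
            for e in events
            if e["kind"] == "dhcp" and e["mac"] not in registry]


def run_triggers(text, registry=KNOWN_DEVICES):
    """Run every trigger over the log and return the combined alert list."""
    events = parse_log(text)
    return brute_force_trigger(events) + unregistered_device_trigger(events, registry)


if __name__ == "__main__":
    for alert in run_triggers(SAMPLE_LOG):
        print(alert)
```

On the sample log this fires twice: once for the five failures followed by a success from 10.0.0.5, and once for the DHCP request from the unenrolled MAC. The point of the design is the one Cracknell makes: the threshold, window and "failure then success" sequence are lifted straight from a known incident, so the rule only asks the team to look at the data when that specific pattern recurs rather than demanding continuous review of everything captured.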
What about evaluating risk? Aren’t all successful businesses based on taking risks?
They are built on taking risks, but only after evaluating all of the facts first. When all the information is provided about risk, and then choices are made, then I can live with that.