Life as a Security Guru
Jim Craft is on a quest to secure information.
Jim Craft is a man with a security mission, and he says so frequently. Words like "security champion" and "cyber-security evangelist" get tossed around alot in his conversations. It's not unusual for him to say, quite seriously, "I want to change how people think about security." Or, "It means creating a positive security culture in private industry."
- By Linda Briggs
Craft is the information systems security officer for the U.S. Agency for International Development, otherwise known as USAID. It's an independent agency within the vast federal government that's charged with helping foster development in other countries in a variety of areas, not just technology. It has about 7,500 employees and an operational IT budget of just under $73 million; $3 million of that is spent on the agency's computer security program. In his three and a half years there, Craft and his team have made a big difference in the way IT security is viewed and handled. In fact, he proudly points out that the Department of Defense recently adopted his Best Security Practices methodology and approach—no small feat when a relatively tiny government agency influences a significantly larger one.
Enterprise Systems' Editor in Chief Linda Briggs recently talked with Craft in USAID's Washington, D.C. offices. Topics ranged from the challenges of making government IT secure, to lessons he believes translate to private enterprise, to his quest to extend good IT security throughout the land.
We started with a discussion of Craft's role on the Federal CIO Council, where he chairs a subcommittee on security practices.
Enterprise Systems: What's the purpose of the Federal CIO Council, and what's your role within that organization? In the classic tradition of the federal bureaucracy, I chair the subcommittee of a subcommittee of a committee of the Federal Chief Information Officer's Council.
The Federal CIO Council was established in 1996 by executive order to improve information technology practices in the federal government. It works in areas like security, e-government, federal IT workforce issues and national IT strategy. There are 28 member organizations and some additional representatives, put together to create a culture of [governmental] CIOs.
What's interesting is that the Federal CIO Council also has a critical role in building a partnership with and among the private sector, which is essential. Collaboration between government, industry and academia is critical, but it's sometimes difficult to achieve. But I strongly believe industry needs to work together rather than compete in the area of security if we're to be successful.
ES: In your current position as IS security officer for USAID, how have you influenced that organization? I lead the agency's information assurance, computer security and critical infrastructure protection programs, along with portions of other related programs. I'm also an advisor to other USAID managers in the areas of information assurance, privacy, and other information technology issues. I lead investigations of computer security incidents.
I suppose I try to keep the bad guys out, the good guys happy and the price tag low. To do that, I'm an evangelist, cheerleader, leader and manager, futurist, change agent, bureaucrat, and on a really good day, a security engineer.
ES: You have an obvious passion for security. Why did you choose to work in government? I think that leaders have to be willing to go against the trend at the right time for the right reason. Also, I like to think that there's more to me than just money. There's a value to public service that I—and many others in government—believe in. Public service gives real rewards. I feel good about what I do. Government offers an opportunity to make positive changes that have national importance. At the core, I suppose I'm still a businessman, I just serve the interests of three hundred million shareholders.
USAID isn't your average organization. It has an innovative and collaborative culture that is probably rare among federal agencies. USAID also has a great mission: We help people around the world.
Finally, there's a critical need to secure our nation's information systems now. If the United States's information systems and critical infrastructures go down the tube, then all the stock options and retirement plans in the world won't do anyone any good. I think my work on best security practices for the Federal CIO Council is making a difference.
ES: When you talk about best security practices, can you give some specific examples? First, it's a practice, meaning that somebody is really doing it. It's not just a theory or a set of high-level ideas. Also, it's important that the practice be open to a continual process of improvement. What you don't want is a practice that hangs around your neck like a dead albatross. You have to have some mechanism for improvement. There's a learning element to this. Also, the goal is to capture something that has worked somewhere and put it out there so that it's easy for another organization to adopt any part of that practice.
That's the only way an organization like ours, which has an incredibly austere IT budget, can make this work. By the way, the Web site (http://www.cio.gov) of our initiative has some frequently asked questions.
Specific areas where Jim Craft thinks industry could collaborate to serve the public interest and increase public confidence in information systems security include:
- Certifications: Support broadly accepted certifications of people, products and services-with easily understood rating systems.
- Standards: Help create and implement industry-based, national and international security standards.
- Shared plans: Work to develop or expand national and international cyber-security plans that include frameworks for coordination of incident response.
- Common policies: Expand use of common security and privacy protection policies.
- Shared terms: Help build a common taxonomy for cyber-security.
- Shared information: Share vulnerability information and mitigation techniques with other corporations.
- Joint response: Build collaborative efforts to respond to incidents and deal with cyber-criminals.
- Legal efforts: Support efforts to add cyber-security and privacy, and associated product liability and consumer protection, into the existing sets of the Uniform Commercial Codes (such as the Uniform Computer Information Transactions Act), regulations and laws. Craft also pointed to a need to create a legal protection from releasing computer vulnerability information.
ES: How can your best security practices translate over to private industry? People have to realize that those who seek to bring down or exploit our systems collaborate. Hackers collaborate to break us. We have to collaborate to survive. In most cases, industry and government are using the same technology and processes to solve the same problems. So industry can look at the best security practices posted on the Federal Best Security Practices Web site and adopt them directly and perhaps also gain the 40 [percent] to 60 percent savings that we have seen at USAID.
We're wasting billions of dollars reinventing the wheel. More importantly, I believe that industry can adopt the approach and methodology we have used for both internal and sector collaboration. More than a few companies, large and small, have a situation where the right hand doesn't know what the left hand is doing. Collaboration is the key.
I'm not saying that there isn't a need to compete. [But] in a knowledge age, enterprises will increasingly have to compete as learning organizations. Part of being a competitive learning organization is knowing when and how to collaborate without losing your competitive edge. Effective collaboration means developing mechanisms that allow trust relationships. One of the key issues in security is managing your trust relationships.
There are some areas in which it's in the public interest and the interest of industry to freely share knowledge. A good example is safety. A car manufacturer wouldn't gain any real, long-term advantage by keeping secret information on how to make seat belts or air bags better. It's better for the public to see the entire automobile industry working together to increase levels of safety. A company that's a leader in working to spread safety information will reap dividends in dealing with the public.
I believe that the same potential exists in cyber-security. A company that works in the larger industry context will be perceived as a leader—and perception is power. A true knowledge-based enterprise gains from the exchange of knowledge that happens with collaboration.
ES: In that same theme of cooperation over competition, which you seem to espouse, how can private companies, especially large enterprises, work together in combating cyber-crime? Organizations that don't know how to collaborate are increasingly going to fall behind in innovation and growth… Collaboration is a skill, external and internal, that companies are going to have to foster in order to be competitive. In any organization I'm in, government or industry, I want to create a collaboration culture. When I came to USAID, there were big areas where collaboration wasn't going to happen, especially in security. And I think that's turned around; USAID has gained immensely in being a collaborator with others
Cyber-security can give a discipline to collaboration that allows [companies] to collaborate and still remain competitive. The true competitive edge for most companies is their people… The question is, can you gain more technical edge than you give away?
ES: What's the No. 1 thing any large company can do to make itself safer from electronic crime? "Number one thing" questions are always tough, but I'd have to say, "people, people, people." Focus first on people. Create a pragmatic, enterprisewide security culture that focuses on supporting the strategic objectives of the organization. Culture means people—a company has to create a cyber-security culture that helps everyone see the vision, understand the plan to implement that vision, have the skills and resources to work the plan, collaborate, and have the support to risk and learn.
I believe there's a way that computer security can be an enabler for better IT services, not an obstacle. The common old-school computer security approach is, "just say no." Whatever people want to do with our network, just say no. We're not going to connect people at will, we're not going to let insiders get on our networks and look at our information unless we absolutely have to. But that doesn't necessarily support the strategic goals of an organization.
A better way of looking at it is to understand that cyber-security is a form of information management. Availability can be as much or more of a security requirement as confidentiality. If it's done well, cybersecurity can contribute to the strategic objectives of an organization. That's been one of the reasons that things have gone well at USAID. People throughout the organization are starting to see that security is something they have to do, but it's also something that will help them do their job better—if they do it right.
ES: How do you get people to realize how important security is? I think you have to do a multimedia campaign [in which you] bring up many reasons. People are different, so you can't have one approach reach everyone in your organization and expect it to succeed. Different individuals have different needs and drivers. What our program and our team try to do is reach different people and different levels, ask what they want, then look at computer security and ask, "How does that interact with what they want to do?"
You can have a strict but positive culture. You can have discipline. But it's a culture that's still people-friendly. How do you make the rest of your enterprise a partner of the security team, rather than having an adversarial relationship? You've got to remember that security is a means to an end, not an end in itself.
You also have to show them the value of what they're doing. Get them to imagine for a minute what happens if they lose IT. Say e-mail is out for a week. Will that affect them? What's the cost? Get them to truly value IT services. Everything isn't money—sometimes it's time or reputation. Sometimes it's a competitive edge. Getting people to see the true cost of [a security] failure—that's the essential part.
Fundamentally, people are people, and if you can appeal to a loyalty to the strategic goals of the organization, then couple security to those strategic goals, it works. When you're talking about security, people are both the problem and the solution.