INTERVIEW: Christopher A.R. Darby, Net security strategist

 

Connecting state and local government leaders

Christopher A.R. Darby is chief executive officer of @stake Inc., an Internet security consulting company in Cambridge, Mass.

Just over a year old. We serve two vertical markets, the financial services sector and the telecommunications sector, primarily Fortune 500 and global 1,000 companies. Forty percent of our business comes from Europe, and the remaining 60 percent is in North America.We're a pure-play consulting shop. We sell only our knowledge and expertise in digital security. We start with planning and strategy and get into architecture and design. We're involved in the implementation mostly from the project management perspective.We follow up with operational services on an ongoing basis, things like posted audit services where we can show a client how to harden an application from a security perspective. Most of it is virtually pro bono. We lecture at the Army War College, we sit on a number of government advisory panels, and we involve ourselves with the people who are leading the thought processes on digital security. I said virtually pro bono. Government is not one of our target markets, but we feel we have an obligation to give back to the industry and to the country as best we can. We do core research that we want to share with the government because it impacts national security. I'd go a step further. I don't think there is a line anymore. The infrastructure of the United States actually supports the government to the extent that you can't uncouple them.If you look at things like the power grid and the telecommunications networks and the financial infrastructure, that is really the foundation on which the country is built. So work on the commercial side will directly affect national security at some point.There is a critical need at the corporate level for digital security. What's at risk for financial institutions is money, as well as reputation. In the telecommunications market it's everything from the back office to billing and trouble ticketing. The overall level is improving but still unsatisfactory. We saw a period in the late 1990s when the audit committees responsible for publicly traded companies were totally focused on year 2000 issues.As we got through the millennium, we saw the people who are leading corporations shift their attention to digital security because there is enough knowledge at the senior executive level to know that there is no silver bullet.Any chief executive officer who tells his audit committee that he is secure because he just updated the firewall is probably not securing his own job for the long term.There's an understanding that this is a complex issue and requires a number of things to happen at the product level and the process level and the people level. I don't think it's universal, but the trend now is to become more enlightened as to the complexities.One thing we've seen within the current economic climate, which can only be characterized as challenging, is that security budgets haven't decreased. In some cases, we've seen spending on security and security planning increase.I believe security is getting better. It's going to take a while, but the intent of the senior executives is that they will put the resources they need in place over time. The government could be giving them more incentives to do so, but over time they have to do it or they won't survive. I don't think they have provided the necessary incentives yet, fundamentally because the government, like industry, sometimes confuses policy with security. Security requires substantial architecture and hard dollars on capital assets. Policy can be done more quickly.I would like to see the government find a way to give incentives for the hard-dollar expenditures, and the only way I can see to do that would be through some sort of tax incentive for corporations'to make it a better economic proposition.I don't think regulation will really do the trick because a regulation becomes dated almost as soon as it's printed. The knowledge base changes, the threat models change, technologies change, and regulation doesn't give an incentive for a long-term organic view of designing in security. I think the government is improving. To measure now would be unfair. Are they where they need to be? No. And I'm not the only one saying that. I think the government is saying that. The effort has to be ongoing and continuous. There really is no end state.Is corporate America looking at the government as best of breed? I don't think so. The government is not spending the time and money to be characterized as best of breed, and until it does so, corporate America will look inward. : L0pht was a strong addition. They are viewed as thought leaders in this space. They represent less than 3 percent of our staff, so they are not statistically significant.We have people who used to work for the National Security Agency, FBI and White House working for us. We do background checks on everyone that comes in, and we don't hire criminals. I'm limited in the responses I can give, not because I can't think of any but because most clients don't want you publicly talking about them.I can tell you that companies such as Bertelsmann mediaSystems, a multinational media company in Germany, have the philosophy of designing security in at the front end. Before they roll something out, they start thinking about security. They recognize that it is not just about a network and that the applications layer is becoming more important than even the network layer.They recognize that security can't be looked at as an afterthought, that it has to begin with the selection of toolsets. Different toolsets have different levels of risk associated.They also don't rush products to market.

Christopher A.R. Darby

Christopher A.R. Darby is chief executive officer of @stake Inc., an Internet security consulting company in Cambridge, Mass. The company supplies strategy, architecture and operational security for organizations that want to use the Net for business.

As a Canadian citizen living in the United States, Darby said, he feels an obligation to contribute to U.S. national security. Although his client base primarily is corporate, Darby said his work has a direct impact on government security. The government cannot be secure if the private sector's infrastructures are not, he said.

Before coming to @stake, Darby was president and CEO of application service provider Interpath Communications Inc. of Research Triangle Park, N.C. He also previously worked at Digital Equipment Corp. and Northern Telecom Inc. He has a bachelor's degree in economics from the University of Western Ontario.

GCN senior editor William Jackson talked with Darby about security at the recent RSA Conference 2001 in San Francisco.


GCN:How old is @stake Inc.?

DARBY:





GCN:What about your government work?

DARBY:

GCN:Why pro bono?

DARBY:

GCN:People in the last and the current administration have said the line between national and corporate security is blurring. Do you agree?

DARBY:





GCN:Chronic poor security is a constant topic in Congress, whether it's government systems, hacked Web sites or operating systems. How would you assess overall security?

DARBY:







WHAT'S MORE




  • Age: 41


  • Family: Wife, Kimberly


  • Pets: Chocolate labrador, Henry, and English bulldog, Maggie


  • Car currently driven: Toyota Land Cruiser


  • Last book read: The Tipping Point: How Little Things Can Make a Big Difference by Malcolm Gladwell


  • Last movie seen: 'Chocolat'


  • Favorite Web site: www.CNNfn.com


  • Leisure activities: Skiing and mountain biking


  • Dream job: Coach of the Toronto Maple Leafs






  • GCN:Is there adequate support at the top for achieving effective security?

    DARBY:





    GCN:What kinds of incentives are needed?

    DARBY:





    GCN:Presidential Decision Directive 63 said the government should become a computer security role model for industry. Has it achieved that yet?

    DARBY:



    GCN:You incorporated the staff of Boston's L0pht Heavy Industries hacker cooperative into your company. Has that created any negative attitudes? And how do you ensure that the people working for you are the people that your clients want to have working for them?

    DARBY



    GCN:Can you point out any good examples of security?

    DARBY:



    GCN:What common traits do organizations that are doing a good security job share?

    DARBY:


    X
    This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
    Accept Cookies
    X
    Cookie Preferences Cookie List

    Do Not Sell My Personal Information

    When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

    Allow All Cookies

    Manage Consent Preferences

    Strictly Necessary Cookies - Always Active

    We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

    Sale of Personal Data, Targeting & Social Media Cookies

    Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

    If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

    Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

    Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

    If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

    Save Settings
    Cookie Preferences Cookie List

    Cookie List

    A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

    Strictly Necessary Cookies

    We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

    Functional Cookies

    We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

    Performance Cookies

    We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

    Sale of Personal Data

    We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

    Social Media Cookies

    We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

    Targeting Cookies

    We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.