The state of the industry
Jerry Archer, SVP & CSO, Sallie Mae, was recognized as the recipient of the first SINET Impact Award. He discussed the state of the industry with SINET CEO Robert Rodriguez, but he began, at Rodriguez's invitation, with some personal history.
Personal history: the origins of the CISO, the beginnings of intranets, and thoughts on mentors.
Archer got involved with cybersecurity while he was working for MITRE. After the Berlin Wall fell, Director of Central Intelligence Woolsey asked MITRE to build a homogeneous information engine. This was needed, Woolsey believed, because after the Cold War ended it would no longer be possible to align against verticals, against a peer competitor like the Soviet Union. We needed a new, holistic picture, that would enable the Intelligence Community to respond to a new, fragmented, disparate set of threats.
This was really the beginning of the role of the information security officer: the need to integrate a vast amount of disparate information. Archer had, he said, a further "a-ha moment" when he had the opportunity to brief Director NSA McConnell. The result of that briefing was what became Intelink, an intelligence-sharing system that would distribute intelligence within twenty-four hours of development. And that thinking served to develop what would become commercial intranets.
Rodriguez digressed to ask Archer about his mentors: did he have them? Archer said he had two: his (single) mother, a child of the Depression, who taught him persistence and tenacity. His second mentor has been his wife, who taught him "how to dream."
From clouds to mist.
Turning to larger industry trends, Rodriguez prompted Archer to talk about MIST. We're all going to go to the cloud, Archer explained. And we will develop from the cloud by re-factoring, microsegmentation, and specialized clouds. We'll do so by going to rain. Massively integrated systems of transducers (MIST) will come next.
Systems are beginning not only to collect data, but to act upon it. "Why don't we disaggregate data? Why don't we push data back to the endpoint? We have the technology, the encryption, and the power to do it." Cars, Archer said, can now talk to each other. The newest Mercedes is an example. Increasingly, machines are acting on our behalf. "That's MIST. And we as security professionals are the governance model for MIST." Governance at its base is security, Archer argued.
Rodriguez asked, if Archer is correct and MIST will be the next evolution of information security, what would he like to see us focus on? Archer's answer was simple: behavior. Behavioral analysis, risk-based authentication, will become the important thing, and end-user behavioral analysis will replace passwords.