An Innovative Approach to Identity Management Seen

In the future, more keys may be the answer to protecting your personal data. We need to separate a person’s persona from their online profile information. What is needed is a second key, a data key, to ensure the privacy and control of your online data. Banking online, LinkedIn and Facebook would all require this data key.

The US federal initiatives on stronger identities—the National Strategy for Trusted Identities in Cyberspace (NSTIC)—are helping individuals and organizations to develop secure and easy-to-use identity credentials to access online services in a manner that supports an innovative approach in protecting information and greater privacy. I support the notion of a federated identity that has been evolving from the idea of a user-centric “identity ecosystem.” The mechanism to create a method to obtain and authenticate digital identities is necessary to create an online environment where there is a trust between individuals and organizations.

Biometrics
Biometrics will probably play a part and that will certainly have a privacy impact. Part of it will be a demographic issue with those over age 65 having nothing to hide and those younger not necessarily caring that much and having little concern about accountability. It is the middle group, those between late 20s and 60 who view their privacy as valuable. Mobile applications are another area of concern. You have to allow cookies to have your applications work, even for banking. The user agreement terms and conditions on a mobile device throw your privacy out of the window. Most people, such as Tweeners, are more interested in convenience than their security, so it will take something catastrophic to move their needle from convenience to security. People want information at their convenience, but advertisers want to inundate them with a continuous stream of advertising. The consumer should be allowed to turn off that information stream. Privacy will be the key in the long term.

Internet Service Providers (ISP)
One area of improvement that could be made is in making ISPs accountable for bad actors in their environment. ISPs should be given a freer hand in regulating people using their networks. There needs to be more accountability. If you are an Internet offender, there should be a three-strike rule that is adjudicated by a board to take access away from repeat offenders.

Quality of Software
The market should regulate software quality, but it does not seem to be working. Competition is also an issue. Where you have a few dominant players such as Microsoft and Oracle—how can you compete when they have so much of the market share? There has to be a balance between quality and security just as there has to be a balance between security and convenience.

How to Build a Solid Organizational Staff
When building a staff, I recommend hiring well-rounded individuals. I have had better success getting people who are organizationally focused rather than taking security people and indoctrinating them into the business of the organization. I always begin my search within the company, someone who knows what is important to the organization. The key is that the person knows what the value of the data are to the organization. I prefer to find professionals who invest in themselves on their own dime, paid their way to a technology show so that they understand where the technology fits within the organization in the next five to 10 years—that is part of growing your workforce.

Changing Role for the CISO
I see the role of the chief information security officer (CISO) changing to that of a chief privacy officer or a chief digital officer. There is always contention between meeting the needs of the masses rather than the outliers, but you first have to address the masses needs before the outliers. Still, outliers cannot be ignored; otherwise they will be your problem. CISOs have to be broad-based and business and technology focused. They have a difficult position because they have to become all things to all people.

Education is the key to the future. Our society wants instant gratification and the security professional has to find a way to balance security, privacy and convenience.

Chuck McGann
Chief Cyber Strategist, CRGT

[ISACA]