“The perfect security for a CISO is no compromise security which the end user does not come to know”

Mark Hickman, COO of WinMagic, shares his take on the growing importance of security, his point of view on the encryption debate and the thrust areas for his business within the Indian market

“The perfect security for a CISO is no compromise security which the end user does not come to know”  - CIO&Leader
Is the demand for your solutions in a country like India fairly secular or is it restricted to a few specific domains?
 
A lot of enterprises are changing their current providers for ones that work better for their environment. It is not really sector-driven. Every segment from BPOs to finance to healthcare to pharma is seeing demand. And we are slowly making small inroads into the government, which will be a big focus for us in the next couple of years.
 
 
Is the demand more compliance driven?
 
It is more business-driven. A lot of it has to do with the fact that India has a lot of organizations which deal globally and it is necessary to secure data. Compliance is something that the government is looking at in India. It is not actually mandated by the government that everything needs to be encrypted in India. These kinds of legislation are there in China, the Philippines, South Africa and Europe and are taking data security to the next level.
 
 
In India, privacy is still not that important for the consumers. So, what should be the approach of global companies operating in India? Should they be as concerned about privacy as they are in the West?
 
There are no personal privacy laws on personal information in India yet as there are in North America, Europe and other places. If an organization in India is not protecting its data and gets breached and it becomes public, then it can significantly hurt its brand. People give you their credit card and their personal information with the trust that you are going to look after that information and that it is not going to fall into the hands of people who are going to use it for other purposes. It affects your brand and stock; reputation is driven by that.
 
 
What do users need to do?
 
The most important thing is to have a plan about how you’re going to do it. We’re seeing more organizations having CISOs, and they are not reporting to IT but to Managing Directors, CEOs and CFOs, because security is becoming a critical element for the success of the company. So there has to be a strategic plan on how to implement this. Unfortunately, some organizations haven’t taken it seriously. They have used ‘check-box security’: I have got encryption, but is it a solution that can easily be hacked? I’ve got a ‘check-box solution’ and if auditors come in, I can say, ‘Well, this was encrypted,’ but it is not really as secure as we think it is. About 20% of data breaches are internal. So you have to have a Data Loss Prevention (DLP) strategy across your enterprise. A lot of organizations over the last 3-4 years have focused on what I call ‘Bells and Whistles.’ They have been bringing in high-tech technologies that can do a million different things, but it really does not take care of the fundamentals. It’s akin to getting fancy things for your house alarm, breakers, securing every window, motion sensors, but leaving the front door open with your valuables on the table. So people need to take care of the fundamentals and have a strategic plan across the industry. There is no 100% safe security. That doesn’t exist. So you have to protect your organization and your data as comprehensively as you possibly can in today’s world.
 
 
In EU GDPR, one of the requirements is to rectify or erase in 24 hours. What’s so challenging about that? 
 
The challenge is understanding how bad the breach is, being able to communicate that and make it public within 24 hours. If you have a device or file that wasn’t encrypted or was compromised, you have to make that public within 24 hours. Large organizations just don’t do anything within 24 hours. If you want to move that quickly, you need to have your PR team ready to go, publicize it, do damage control, notify regulators and scramble to see if that device/file was encrypted. Hence, encryption is written into three different articles which people should use. Previously, in the healthcare regulations in North America, encryption had been recommended but never enforced. Data privacy laws have pushed people to secure the data, without the government actually mandating encryption.
 
 
And then there is the other side—the issue of enforcement agencies demanding access to encrypted devices. How do you see that?
 
In the movies, they say something is encrypted and somebody can hack it in 5 minutes. That is not true. If something is encrypted with a strong password, nobody is going to unlock it. Nobody can just type away and unlock encryption. For example, when the FBI actually gained access to the iPhone, they hacked the authentication, which had a 4-digit code, and not the encryption. On an iPhone, when you punch in 10 times, it actually locks. So to figure out the code is actually almost impossible. If you can punch in many times and break the authentication, then it’s very easy to hack as there are 9,999 combinations. What we believe is this: if there were a back-door to our technology, which there is not (we secure government agencies, banks, healthcare, manufacturing, pharma, etc.), we would know all the targets. Thus, it seems a good idea to have a back-door in encryption. However, this actually makes you less secure, because a lot of the things we need, such as power grids, are all secured by encryption. Having a back-door in encryption will lead to always having that one point of weakness. So we don’t believe in back-door encryption and take the same kind of stand as Apple does.
 
Now whether certain social media platforms need to encrypt messages is another debate. In India, they have come up with regulations. In Europe, there are regulations due to various terrorist attacks and terrorists using social media platforms to communicate. 
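The lockout behaviour described in the answer above, as an added example that is not code from the interview or from WinMagic: a PIN-protected key vault that counts wrong PINs and refuses further attempts after 10, so a 4-digit PIN, whose whole keyspace could otherwise be walked, sees at most 10 guesses on the device. The hardware-held device secret, the XOR key wrap and the PBKDF2 iteration count are constructed stand-ins chosen for this illustration.

```python
import hashlib
import hmac
import os
import secrets

MAX_ATTEMPTS = 10   # lockout threshold mentioned in the interview


class PinLockedVault:
    """Data encryption key (DEK) wrapped under a key derived from a short PIN
    plus a per-device secret; the device locks after MAX_ATTEMPTS wrong PINs."""
    def __init__(self, pin: str, dek: bytes):
        # Stand-in for a hardware-held secret: guesses must run on the device,
        # where the failure counter applies, rather than offline.
        self.device_secret = secrets.token_bytes(32)
        self.salt = os.urandom(16)
        self.failed_attempts = 0
        self.locked = False
        kek = self._derive_kek(pin)
        # XOR wrap keeps the example short; real products use AES key wrap or an AEAD.
        self.wrapped_dek = bytes(a ^ b for a, b in zip(dek, kek))
        # Verifier lets unlock() reject a wrong PIN without exposing the DEK.
        self.verifier = hmac.new(kek, b"pin-check", "sha256").digest()

    def _derive_kek(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode() + self.device_secret,
                                   self.salt, 50_000, dklen=32)

    def unlock(self, pin: str) -> bytes:
        """Return the DEK for the right PIN; count failures; refuse once locked."""
        if self.locked:
            raise PermissionError("device locked: too many failed attempts")
        kek = self._derive_kek(pin)
        check = hmac.new(kek, b"pin-check", "sha256").digest()
        if not hmac.compare_digest(check, self.verifier):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_ATTEMPTS:
                self.locked = True
            raise ValueError("wrong PIN")
        self.failed_attempts = 0
        return bytes(a ^ b for a, b in zip(self.wrapped_dek, kek))


def attempts_before_lockout(vault: PinLockedVault, guesses) -> int:
    """Feed wrong guesses; return how many the device evaluated before locking."""
    evaluated = 0
    for guess in guesses:
        try:
            vault.unlock(guess)
        except ValueError:
            evaluated += 1
        except PermissionError:
            break
    return evaluated
```

Because the device secret never leaves the vault, the only place a PIN can be tried is through `unlock()`, which is exactly where the counter cuts the attacker off.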
 
 
You talked of a significant replacement market. Is there something specific that your solutions provide, that is not available in the deployed solutions? 
 
The number one thing you need with encryption is device compatibility. When you think about how devices change (new laptops, desktops, operating systems, with Microsoft coming up with different releases all the time), there is no embedded encryption in the operating systems on Windows and Mac. So device compatibility is critical. The other thing is that we are very innovative in our technology. This is all we do. So, we always push the envelope. We are trying to go to the next level, being the first one to support different operating systems, fully managed servers, and the first ones to have people capability. We unlock devices before we touch the data in Windows; it’s actually in the pre-boot area, and we can do that wirelessly or connected, and nobody else can do that. We can manage different types of encryption, whether it is embedded or hardware encryption or using our software engine. Therefore, we’re continuously pushing that envelope to give our customers a much better experience so that it is easier to manage, easier to deploy and cheaper. We do password resets. Our user deployment of management makes it significantly cheaper for organizations to run.
 
We get the latest laptops from HP and Lenovo before they come out in the marketplace and we ensure our technology works seamlessly on those platforms. So HP and Lenovo have selected WinMagic as their encryption partner. We work down to the Unified Extensible Firmware Interface (UEFI) code level with them. 
 
 
From your solutions, which are the ones that you think fit well into Indian requirements?
 
This falls into two categories: There are some large enterprises that are using other solutions which are not meeting their needs and are causing significant pains in how they implement, difficulty in managing, and affecting end-user performance; and then there are organizations that haven’t done any encryption. Today, if these organizations were to have a breach and that information were to reach the public, then confidence in the company would drop hugely. So now they are starting to address it. Then there are ‘Greenfield opportunities’, which involve replacing existing technologies and making solutions less disruptive with greater device compatibility and easier deployment. The perfect security for a CISO is no-compromise security which the end user does not come to know.
 
 
Any specific solutions…?
 
Our business falls into two categories: end-points and cloud. On the end-point side, the majority of the time in India, we’ve been securing laptops. Most organizations do it first on laptops. It is easier to steal a laptop than a desktop. On the cloud side, more and more organizations are moving to the cloud and hosting data with third parties. We offer the ability to manage and secure that data with only you controlling the key on your site. Even if your data is in the cloud, the key to manage that data sits on your premises, and this is another area which is picking up in India.
 
We see our business doubling every year. After Japan, India is our biggest business in Asia. And definitely, India has our biggest team. We have a support center. 
 

Event date: 
Thursday, August 10, 2017
