CWHK: How would BYOD impact businesses in Hong Kong or Asia Pacific? What are BYOD's implications in terms of risk management, data protection, and data management?
AC: There are four ways of looking at this. First, the Web has opened up infrastructures not just to workers, customers, suppliers, but also hackers.
Second, hackers are increasingly sophisticated--there are APT (advanced persistent threat) attacks from nation states; organized cyber crimes by criminal ecosystems and an elaborate supply chain of attack designers, money launderers, and information stealers.
Third, we can leverage virtualization technology in the cloud to improve security by consistently applying policies and updates to all virtual machines. But if we don't take advantage of virtualization and do all these, the glass could end up half-empty.
Fourth, IT organizations need to manage control when it comes to BYOD. They also need the ability to tell the difference between a normal transaction or flow of information and the abnormal ones. On top of that, IT needs to create security constructs that can leverage features of individuals' devices in some instances, but work independently in others--I think this is the answer to BYOD.
CWHK: What were the responses of Hong Kong customers, especially the banks, to the RSA security breach last year? What did RSA do to ensure the effectiveness of its two-factor-authentication tokens?
AC: We met our concerned customers in Hong Kong after the incident. We had remediation processes and upon request we replaced their tokens. We also issued official letters explaining the situation and how we handle it so that our customers can share with their auditors or board of directors.
Equally important is that we gave remediation advice within a day after our knowledge of the incident. The stolen information [from RSA] can't be used in any successful attack. What's never reported in the media is that there isn't a single incident where a customer suffers loss due to the RSA security breach. One of the [media] reports said that information stolen from RSA was actually used in an attack, but that attack was defeated.
CWHK: Is there any chief security officer at RSA? Do you think CIOs can also serve as CSOs?
AC: Yes, there is. CSOs have specific areas of expertise while CIOs are generalists who have an understanding of infrastructure, security, and applications. CIOs are almost like general managers who will be more focused on helping organizations apply information to support business missions and objectives. So I don't think they can replace each other.
CWHK: Do you think the role of CIO will become obsolete in the next five years as businesses are using more utility-based tech or cloud computing?
AC: No. The CIO role will change--it will become far more strategic and interesting. That's good news to CIOs. I think CIOs will need people to help them manage infrastructure as more of them will be moved to the cloud.