There are other examples. One time, a university member was targeted for diversion of payroll for the highest paid employees. That threat was shared and the other universities were prepared for the threat and were able to detect it.
Someone mentioned in your recent Boston meeting that some organizations still believe that all you need is a good perimeter defense. How much of a problem is that?
BENWAY: It's not just that perimeter defense is not enough, it's also the argument about where you focus investments and activity. Do you focus on prevention or detection? The resiliency crowd says you need to focus on detection because you're not going to keep all the bad guys out. But a significant amount of the population says that is just waving the white flag, and prevention is where you need to focus.
I've heard some folks suggest that 80% of organizations out there today still believe in the perimeter defense approach, and if you have a good firewall and patch it that you'll be okay. If those numbers are accurate, it's a pretty significant problem because, as Michael Chertoff [former Secretary of the Department of Homeland Security] says, there are two types of enterprises, those who know they've been hacked and those who don't know they've been hacked.
GUENTHER: The big issue is the lack of sophistication of many staffs, and therefore the inability of a company to do what they need to regardless of the mindset. So even if they understand the perimeter is dead, the fact is in many companies it's the trust issue. If you think about intelligence-driven defense, and many vendors are pitching that as the next generation of security, only about 5% of companies, if that, actually are capable internally of doing that.
BENWAY: Sometimes it's a combination of lack of sophistication and lack of the necessary resources, particularly in small and medium-sized businesses. They don't have the ability to hire the sophisticated staff and invest in the sophisticated tools. So they have to turn to approaches that folks are just now beginning to consider, like leveraging the cloud more, and recognizing the value of training employees, partners and suppliers. That's a significant issue.
Turning to the larger goal of making New England a cybersecurity mecca, how do you go about that?
GUENTHER: If you lay down California versus Massachusetts in terms of IT, obviously IT has grown much bigger out there than it has here, although we've got a significant play with companies like EMC, RSA, Akamai and others who are members of the ACSC. But the cybersecurity challenge is a multidisciplinary play. The real play is to bring together technology, social sciences, policy, economics and law to figure out how to construct systems that work with human behavior and allow people to actually be more secure, because the architecture is framed around human behavior and provides the right incentives.