SHIMEL: Agreed. Now let me switch gears a bit. In the security industry we have a tendency to go for the shiny new trinket and the latest and greatest. Richard, you're a dean of this industry, is that a good thing, a bad thing or a non thing?
STIENNON: Definitely don't go buy the shiny new technology and then figure out how to use it. Start with understanding the threats. Actually a bigger issue is the move away from so-called risk management procedures, which are all based on identifying assets, determining their vulnerabilities and then stack ranking them. You're never going to get that done, right, you'll still be doing that 10 years from now. It is better to start recognizing the threats and then build up defenses against each particular threat. For the most part the tools are there, but a lot of them are from very young companies.
SHIMEL: Fantastic. Kevin, you can only talk about what you're allowed to talk about, but how does an organization like Oak Ridge Laboratory go about evaluating security solutions, how do you look at an up-and-comer versus well-established companies for new kinds of solutions?
KERR: One thing we like is the openness of being able to look at what they're doing behind the curtains. If you come to me with a magic box and says it can do X, Y and Z and you're not willing to show me how it works, you're not going to get much further. I don't need to know all the secret sauce, obviously, but I want to know why it's doing what it's doing and, not only that, if it can be integrated with the tools I have.
I'm going to be the first to admit that we have some wonderful shelfware here that we bought and stuck on our network because I didn't have enough resources or didn't have enough money to buy services, it's never been fully implemented for the capability it offers. We're actually in the process of downsizing some of our tools and trying to end up with two or three that provide a wider swath of visibility into our network, because my objective is to see as much as I can with the tools we have, baseline things, and then allow my experts to be able to drill down based on the wider swath.
SHIMEL: OK guys, we're coming up on the end here. Any final advice to share?
STIENNON: My advice is to throw out your current risk management regime and start over by looking at the three common threat vectors: We've got the hactivists (with Anonymous being one of the most obvious examples), we've got cybercriminals and we've got nation-states. Then strive to understand the methodologies and the targets that each of those will go after, and then look at your current defense regime and see if it's anywhere close to being ready to counter those.
Sign up for CIO Asia eNewsletters.