The physics of information security

Physicists have to live with disturbing margins of error, and so do managers of risk, says Peter Berlich, a former global head of information security at ABB — the Swiss power and automation technologies company; and he should know — he holds a PhD in physics from the University of Freiburg.

Now working on the ABB account at IBM Switzerland, Berlich describes his journey from physics through general IT to security as determined by a natural curiosity. "Security is very interesting in that it is both technically challenging and it brings you closer to certain aspects of the business than pure IT delivery does. I am a naturally curious person who likes to learn new facts and to fix things. Also — and I think this is very important — you can have a big impact in security with a small amount of resources."

Internet pioneers

Berlich worked at CERN, the birthplace of the world wide web, from 1991-94, and there is a strong element of early-days Internet culture in his background. "Yes", he says, "a lot of people I know have travelled the same route. Indeed, many of the original Internet pioneers in Germany you now find in security and privacy roles".

Back in 1997 Berlich was the author of Core [1], an award-winning contribution to an Internet literature contest sponsored by Die Zeit and IBM. This 'hypertext' he describes as his "go at absurd literature". The text is at once a parody on Casablanca and the story of a storytelling machine going nuts. On a third level it is the simulation of a computer that gives the reader the illusion of being in control while at the same time he is anything but. In the end, all three levels converge in a loop (or vicious circle) of 'Play it again, Sam'. “Finally, a vending machine eats a sandwich.”

This treatment of people at the mercy of technology is apt for our time, as we find ourselves ruled by computer code — whether legitimate or illegitimate.

His physics background inspires his approach to security. “You have to accept a level of uncertainty, and this is what you get conditioned to in physics, where all you can measure, by definition, is incomplete information. It's similar with risk management, which is all about knowing your risks, prioritizing them, and choosing an affordable level of protection.

The Infosecurity Today interview. Infosecurity Today, May/June 2004, p. 28

Brian McKenna

Peter Berlich is a security executive at IBM Switzerland on the global ABB account, and was global head of information security at the Swiss automation and power giant. He says the information security profession must evolve towards risk management and emulate the ways of the physicist. Brian McKenna reports.

Berlich: naturally curious

Page 2: The physics of information security

“Quantifying risk with any reasonable degree of accuracy may be an investment in itself. Risk management starts with the question of whether or not to make that investment”.

ABB outsourced to IBM

Berlich is today the account security manager for the IBM-ABB outsource team. He transferred to IBM in September 2003 as part of an outsourcing agreement for ABB's IT services.

He was global head of information security reporting to the CIO at ABB. There, he managed a team of four security specialists. At IBM, the security team has, he says, “a different role. We are able to harness the company’s resources and knowledge when it comes to security management. This is something I see as a big benefit to ABB, and being supported by a massive peer group is something I appreciate personally”.

ABB is a global manufacturing company specializing in automation and power technology, and employs 140,000 people worldwide, with its Head Office in Switzerland. ABB and IBM have a ten-year agreement to outsource close to 90% of ABB’s global information systems infrastructure operations. Berlich is one of 1200 employees who made the transfer. The $1.7bn contract was described in a statement in July 2003 as one which would help ABB significantly reduce costs.

Berlich describes ABB as a company with a wide range of businesses. "It grew from a historically very diverse company with thousands of subsidiaries worldwide to a more unified entity".

He established the global information security function at ABB from scratch. "The main driver there, back in 2000, was that ABB was consolidating its IT, so a global security function went with that naturally". He spent three years doing security at ABB. "Over time my role became more business oriented, and more prominent. When I left ABB, it was recognised as an indispensable element in the company's risk management".

The profession

Berlich is a CISSP, and a member of the recently formed European Advisory Board of (ISC)2 (the International Information Systems Security Certification Consortium), the not-for-profit organization that certifies information security professionals.

"The CISSP examination forces you to go over your knowledge base", he says, adding that he also values the importance (ISC)2 attaches to security education on the job, and to networking with other security professionals.

He is also a member of the council of the 'grey [Germanophone] chapter' of the Information Security Forum (ISF), and values the professional contacts he has built through the organization. He does worry, though, that the profession is "split into one core part that is active and networking and the rest. There might be different networks, which is what I would like to believe, but I suspect most security professionals are on their own”.

The main topics for the new European Board of (ISC)2 he sees as the perception that the CISSP is a US certification that is still US-centric in its content. "That is the gap we have to bridge", he says. "There is also a huge focus on security technology in our profession, which is reflected in the body of knowledge underlying the CISSP. The risk management focus needs sharpening”.

Curriculum Vitae

Name: Dr. Ekkehard Peter Berlich
Age: 40

Degrees and professional credentials
• CISSP, (ISC)2, 2002
• PhD in Physics, University of Freiburg/Germany, 1997
• Diploma in Physics, University of Freiburg/Germany, 1990

September 2003 - today: Security Delivery Project Executive, ABB account at IBM Switzerland, Zürich/Switzerland, reporting to the head of delivery on the ABB account.
2000 - 2003: Global Information Security Manager at ABB Group, Zürich/Switzerland, reporting to the ABB CIO
1999 - 2001: Teacher for computer languages and technical computer science at Fachhochschule Zürich, Zürich/Switzerland (part time)
1997 - 2000: Deputy Head of IS, Project Leader Internet/Web, System Administrator at ABB Corporate Research Ltd, Baden/Switzerland
1997: Graduation (Dr. rer. nat.)
1996 - 1997: System Administrator at Verlag für Neue Medien, Freiburg/Germany
1995 - 1996: Freelance Software Developer and Internet Consultant, Freiburg/Germany
1991 - 1994: Delegation to European Organization for Nuclear Research (CERN), Geneva/Switzerland
1991 - 1995: Scientific Assistant at University of Freiburg, Freiburg/Germany

The market

Looking at the IT security market more generally, he senses that "it is maturing. In five years it will be commoditized in terms of the technical aspects. By then the market will have cleared and will have consolidated.

"Once the technical problems we have to struggle with today — mostly around software — have been brought under control, the profession will move more into risk management.

“We also shouldn’t forget that behind many technical problems lie business risks that have to be addressed on a people level. I would say that technical skills are less crucial for a security manager than people and business skills. There is a risk that they may get in the way and misdirect attention."

Privacy features strongly in Berlich's published output [2], and he sees it as both a business issue and as a social issue: "we need to protect the concept of privacy precisely because we have the means to destroy it completely".

"After the security market has had time to consolidate, the privacy market may partly replace and supplement it. I believe that a number of viable business models exist, and that once computing and online services have become pervasive, privacy and identity management services will evolve".

[1] Peter Berlich: Core, Internetliteraturwettbewerb (Internet Literature Contest) sponsored by Die Zeit and IBM, 1997.
[2] Peter Berlich, Hansen, Camenisch, Clauß, Pfitzmann, Waidner: ‘Privacy-Enhancing Identity Management’, Information Security Technical Report, Volume 9, Issue 1 (2004), Elsevier, UK, pp. 35-44; http://dx.doi.org/10.1016/S1363-4127(04)00014-7


Top tips for other infosecurity professionals
• Don't try to do all things yourself. A new security manager is being faced with huge expectations and, all too easily, people start throwing everything security-related in his direction. This way lies burnout to the individual and risk to the business.
• Mind the business risk — make sure where you invest money is where the risk really is.

Biggest challenge
• For IBM, to make the ABB outsourcing work. “Standardization across the board and creating commercial responsibility are the challenges”.

Professional influences
• The Information Security Forum (ISF) community. “Being at the interface between technology, security and business has always appealed. I believe that in security we find a particular brand of personality — curious, engaged, open but at the same time steadfast and with lots of perseverance — how else can we fight the impossible fights we have to? That's what makes this community so interesting to work with”.
• Jim Barrington, former CIO of ABB and now CIO of Novartis. “He brought a very business-minded approach to IT”.

Relaxed, but focused on risk