Physicists have to live with disturbing margins of error, and so
do managers of risk, says Peter Berlich, a former global head of
information security at ABB — the Swiss power and automation
technologies company; and he should know — he holds a PhD in
physics from the University of Freiburg.
Now working on the ABB account at IBM Switzerland, Berlich
describes his journey from physics through general IT to security
as determined by a natural curiosity. "Security is very interesting in
that it is both technically challenging and it brings you closer to
certain aspects of the business than pure IT delivery does. I am a
naturally curious person who likes to learn new facts and to fix
things. Also — and I think this is very important — you can have
a big impact in security with a small amount of resources."
Internet pioneers
Berlich worked at CERN, the birthplace of the world wide web,
from 1991-94, and there is a strong element of early-days Internet
culture in his background. "Yes", he says, "a lot of people I know have
travelled the same route. Indeed, many of the original Internet
pioneers in Germany you now find in security and privacy roles".
Back in 1997 Berlich was the author of Core [1], an award-winning contribution to an Internet literature contest sponsored
by Die Zeit and IBM. This 'hypertext' he describes as his "go at
absurd literature". The text is at once a parody on Casablanca and
the story of a storytelling machine going nuts. On a third level it is
the simulation of a computer that gives the reader the illusion of
being in control while at the same time he is anything but. In the
end, all three levels converge in a loop (or vicious circle) of 'Play it
again, Sam'. "Finally, a vending machine eats a sandwich."
This treatment of people at the mercy of technology is apt for
our time, as we find ourselves ruled by computer code — whether
legitimate or illegitimate.
His physics background inspires his approach to security. "You
have to accept a level of uncertainty, and this is what you get
conditioned to in physics, where all you can measure, by
definition, is incomplete information. It's similar with risk
management, which is all about knowing your risks, prioritizing
them, and choosing an affordable level of protection."
The Infosecurity Today interview
Infosecurity Today, May/June 2004, page 28
The physics of information security
Brian McKenna
Peter Berlich is a security executive at IBM Switzerland on the global ABB account, and was global head of information security at the Swiss automation and power giant. He says the information security profession must evolve towards risk management and emulate the ways of the physicist. Brian McKenna reports.
Berlich: naturally curious
"Quantifying risk with any reasonable degree of accuracy may
be an investment in itself. Risk management starts with the
question of whether or not to make that investment."
ABB outsourced to IBM
Berlich is today the account security manager for the IBM-ABB
outsource team. He transferred to IBM in September 2003 as part
of an outsourcing agreement for ABB's IT services.
He was global head of information security reporting to the
CIO at ABB. There, he managed a team of four security
specialists. At IBM, the security team has, he says, "a different
role. We are able to harness the company's resources and
knowledge when it comes to security management. This is
something I see as a big benefit to ABB, and being supported by a
massive peer group is something I appreciate personally".
ABB is a global manufacturing company specializing in
automation and power technology, and employs 140,000 people
worldwide, with its Head Office in Switzerland. ABB and IBM
have a ten-year agreement to outsource close to 90% of ABB’s
global information systems infrastructure operations. Berlich is one of 1200 employees who made the transfer. The $1.7bn contract was described in a statement in July 2003 as one which would help ABB significantly reduce costs.
Berlich describes ABB as a company with a
wide range of businesses. "It grew from a
historically very diverse company with
thousands of subsidiaries worldwide to a more
unified entity".
He established the global information security
function at ABB from scratch. "The main driver
there, back in 2000, was that ABB was
consolidating its IT, so a global security function
went with that naturally". He spent three years
doing security at ABB. "Over time my role
became more business oriented, and more
prominent. When I left ABB, it was recognised as an indispensable
element in the company's risk management".
The profession
Berlich is a CISSP, and a member of the recently formed European
Advisory Board of (ISC)2 (the International Information Systems
Security Certification Consortium), the not-for-profit
organization that certifies information security professionals.
"The CISSP examination forces you to go over your knowledge
base", he says, adding that he also values the importance (ISC)2
attaches to security education on the job, and to networking with
other security professionals.
He is also a member of the council of the 'grey [Germanophone]
chapter' of the Information Security Forum (ISF), and values the
professional contacts he has built through the organization. He
does worry, though, that the profession is "split into one core part
that is active and networking and the rest. There might be
different networks, which is what I would like to believe, but I
suspect most security professionals are on their own".
Curriculum Vitae
Name: Dr. Ekkehard Peter Berlich
Age: 40
Degrees and professional credentials
• CISSP, (ISC)2, 2002
• PhD in Physics, University of Freiburg/Germany, 1997
• Diploma in Physics, University of Freiburg/Germany, 1990
September 2003 - today: Security Delivery Project Executive, ABB account at IBM Switzerland, Zürich/Switzerland, reporting to the head of delivery on the ABB account.
2000 - 2003: Global Information Security Manager at ABB Group, Zürich/Switzerland, reporting to the ABB CIO
1999 - 2001: Teacher for computer languages and technical computer science at Fachhochschule Zürich, Zürich/Switzerland (part time)
1997 - 2000: Deputy Head of IS, Project Leader Internet/Web, System Administrator at ABB Corporate Research Ltd, Baden/Switzerland
1997: Graduation (Dr. rer. nat.)
1996 - 1997: System Administrator at Verlag für Neue Medien, Freiburg/Germany
1995 - 1996: Freelance Software Developer and Internet Consultant, Freiburg/Germany
1991 - 1994: Delegation to European Organization for Nuclear Research (CERN), Geneva/Switzerland
1991 - 1995: Scientific Assistant at University of Freiburg, Freiburg/Germany
The main topic for the new European Board of (ISC)2, as he sees it, is
the perception that the CISSP is a US certification that is still US-
centric in its content. "That is the gap we have to bridge", he says.
"There is also a huge focus on security technology in our
profession, which is reflected in the body of knowledge underlying
the CISSP. The risk management focus needs sharpening".
The market
Looking at the IT security market more generally, he senses that "it
is maturing. In five years it will be commoditized in terms of the
technical aspects. By then the market will have cleared and will
have consolidated.
"Once the technical problems we have to struggle with today —
mostly around software — have been brought under control, the
profession will move more into risk management.
"We also shouldn't forget that behind many technical problems
lie business risks that have to be addressed on a people level. I
would say that technical skills are less crucial for a security
manager than people and business skills. There is a risk that they
may get in the way and misdirect attention."
Privacy features strongly in Berlich's published output [2], and
he sees it as both a business issue and as a social issue: "we need to
protect the concept of privacy precisely because we have the means
to destroy it completely".
"After the security market has had time to consolidate, the
privacy market may partly replace and supplement it. I believe that
a number of viable business models exist, and that once computing
and online services have become pervasive, privacy and identity
management services will evolve".
[1] Peter Berlich: Core, Internetliteraturwettbewerb (Internet
Literature Contest) sponsored by Die Zeit and IBM, 1997
[2] Peter Berlich, Hansen, Camenisch, Clauß, Pfitzmann,
Waidner: ‘Privacy-Enhancing Identity Management’, Information
Security Technical Report , Volume 9, Issue 1 (2004), Elsevier,
UK, pp. 35-44; http://dx.doi.org/10.1016/S1363-4127(04)00014-7
Top tips for other infosecurity professionals
• Don't try to do all things yourself. A new security manager is faced with
huge expectations and all too easily, people start throwing everything security
related in his direction. This way lies burnout for the individual and risk to the
business.
• Mind the business risk — make sure where you invest money is where the risk
really is.
Biggest challenge
• For IBM, to make the ABB outsourcing work. "Standardization across the board
and creating commercial responsibility are the challenges".
Professional influences
• The Information Security Forum (ISF) community. "Being at the interface
between technology, security and business has always appealed. I believe that in
security we find a particular brand of personality — curious, engaged, open but at
the same time steadfast and with lots of perseverance — how else can we fight
the impossible fights we have to? That's what makes this community so interesting
to work with".
• Jim Barrington, former CIO of ABB and now CIO of Novartis. "He brought a very
business minded approach to IT".
Relaxed, but focused on risk