
Customer Podcast: Interview with Philip Casesa of (ISC)2

(ISC)2 is the worldwide leader in educating information security professionals. In this interview, Philip Casesa explains how an organization responsible for training IT security staff views its own security requirements.

(ISC)2 is recognized as a worldwide leader in educating information security professionals throughout their careers. Founded in 1989, it has certified thousands of IT security professionals around the world. Philip Casesa, IT operations manager for (ISC)2, joins us to explain how an organization entrusted with educating security professionals around the globe views its own data security strategy. Philip will explain how (ISC)2 protects its intellectual property and brand and also discuss how recent security breaches have sparked a new wave of security thinking at (ISC)2.

Podcast by Topics

Listen to a topic of your choice:

  1. As a non-profit global leader in educating and certifying information security professionals, you're a public target for electronic attack. Can you tell me the kinds of challenges that you face?
  2. Your audience is very technical, so your organization is in a good position because many of them even know how to identify an email hoax and know what an email header is. Other companies would probably not be that lucky. What are the potential impacts of such an incident to the company?
  3. How would such an incident affect your brand?
  4. Are these attacks isolated incidents?
  5. And how does (ISC)2 solve this problem?
  6. So how did you implement email encryption, technically?
  7. How many of your emails do you sign?
  8. Apart from signing emails, do you also encrypt electronic messages?
  9. And how do you encrypt those emails?
  10. (ISC)2 is a company of security professionals. Would you say that implementing email security was easier in your organization?
  11. What does a user actually have to do to encrypt an email?
  12. Do you process emails for encryption at the gateway for all users?
  13. Apart from emails, do you encrypt any other data?
  14. When you chose the email and laptop solutions, what were your criteria for selection?
  15. How has your security strategy evolved over the past few years?
  16. What advantages do you see in an enterprise solution versus a point solution?
  17. What problems would you encounter if you were using point solutions?
  18. Would this complexity translate to a higher cost of operation?
  19. Which solution did you deploy at (ISC)2?
  20. The PGP legacy often implies that PGP software is a tool only for techies and is very hard to use. Would you say that's still the case today?
  21. How long did the user training take?
  22. How does your support team like this solution?
  23. Do you want to tell us a little bit about the daily reporting?
  24. If your best friend were to start an enterprise data protection project today, what advice would you give?

Transcript

Find the transcript of the whole Podcast here:

[music]

Intro Announcer: PGP Security Podcasts. Brought to you by PGP Corporation. The Global Leader in email and data encryption.

[music]

Intro Announcer: (ISC)2 is recognized as a worldwide leader in educating information security professionals throughout their careers. Founded in 1989, it has certified thousands of IT security professionals around the world.

We thought you'd be interested in hearing how an organization entrusted with educating security professionals views its own data security strategy. And that is why we've asked Philip Casesa to join us today. Philip is the IT operations manager at (ISC)2. He has previously been a consultant at Ernst and Young, and held positions as a software engineer at DataGlyphics, and Decision Management International. He has a Bachelor of Science degree in Decision and Information Science and an MBA, both from the University of Florida.

Christian Kirsch is a product marketing manager for PGP Corporation, and he'll be talking with Philip about how (ISC)2 protects its intellectual property and brand. And they'll discuss how recent security breaches have sparked a new wave of security thinking at (ISC)2.

Let's listen now as Philip Casesa and Christian Kirsch talk about current strategies for enterprise data protection.

Christian Kirsch: Hello. I'm Chris Kirsch. And today we're speaking with Philip Casesa, IT operations Manager of (ISC)2. Welcome, Philip.

Philip Casesa: Thank you.

Christian: As a non-profit global leader in educating and certifying information security professionals, you're a public target for electronic attack. Can you tell me the kinds of challenges that you face?

Philip: We face a lot of those same challenges that large corporations, such as banks and other such organizations face. Those include email hoaxes, phishing emails, and privacy concerns. Our corporation is very concerned about protecting the privacy of our members and complying with a number of international privacy laws. We also hear a lot from our members, due to the nature of our organization, about the kind of technical problems and information security problems that they face. That gives us a leg up when it comes to protecting our infrastructure.

We want to be an example to our members, and an example to other corporations worldwide when it comes to information security. So that leads us to look for solutions that are very flexible, and meet a number of needs at the same time.

Christian: Thank you, Philip. Your audience is very technical, so your organization is in a good position in that many of them even know how to identify an email hoax, and know what an email header is. Other companies would probably not be that lucky. What are the potential impacts of such an incident to the company?

Philip: We actually have a leg up at (ISC)2, because our members are experts in information security. And that gives us a leg up when we're combating items such as an email hoax. But in general, what happens is that we're inundated with calls to our customer service. We have to work on an email campaign to set the record straight in case of a hoax as well as, you know, some PR items, depending on the severity of the issue. And it also requires us to pursue legal action sometimes.

Christian: OK.

Philip: All of these things distract from our mission of educating and professionalizing the practice of information security. And that's what our core mission is. It's not necessarily running an information security organization.

Christian: How would such an incident affect your brand?

Philip: Well for us, (ISC)2 is based on a reputation. Since we educate and certify information security professionals, we as an organization have to maintain a level head and shoulders above the average company when it comes to information security. Our reputation is easily damaged by any kind of email hoax or any kind of data compromise. It really is. When it damages our reputation, that makes a really large impact on our business.

Christian: Are these attacks isolated incidents?

Philip: Unfortunately, no. We're seeing more and more attacks on different types of organizations worldwide. Not only on organizations such as our own, where we try to cater to the information security professional, but even consumer-based businesses: banks, credit card companies, any type of financial industry, where we see these types of attacks all the time.

Christian: And how does (ISC)2 solve this problem?

Philip: Well, a number of years ago, we decided to start putting electronic signatures on our emails, basically a digital signature that validates that we are the original sender of the message. This sends the message to our members that they can verify that a message that comes from us is absolutely authentic.

Christian: OK, very good. So how did you implement email encryption, technically?

Philip: We started out working from the desktop machines, where we would have a piece of software on the desktop. The email would originate from that particular desktop, and then be broadcast via our mailing server to all of our members. Later we decided that we needed a more flexible solution as our workforce grew, as more and more people were responsible for sending out email information. Then we kind of transitioned to a gateway.

Christian: How many of your emails do you sign?

Philip: We sign all official communications. That includes any kind of announcement, newsletters, anything that originates from us to our broad membership.

Christian: Apart from signing emails, do you also encrypt electronic messages?

Philip: Absolutely. We encrypt a number of types of messages, one of which is our education and testing material, since these are the foundation of our organization's value. We also make sure that executive communications -- those things that are sensitive from internal employees -- are also encrypted. We also make sure that our vendor contracts and other sensitive documents are encrypted.

Christian: And how do you encrypt those emails?

Philip: It's much the same way as we started with signing emails. We would start out by -- everyone would have a copy of a desktop product for encrypting emails back and forth. But it was very difficult to use, because there's no key management system. There's no way to know. It takes a little while to get somebody's public key to somebody else's computer. And it makes it very difficult to get started.

It made it hard to manage, and very hard on the IT support staff. So we transitioned to using the gateway, where we've taken away a large part of the interaction from the user's side. All they really need to do now is just to mark a message as confidential, and it's automatically encrypted.

Christian: So (ISC)2 is a company of security professionals. Would you say that implementing email security was easier in your organization?

Philip: We have the same challenges as any organization. While the foundation of the organization is that of an information security organization, not all of the employees are what we would call information security professionals. For example, customer service, administration. Those people, while very well versed in what they do, and are excellent at their jobs, are not information security professionals. They don't use encryption products day in and day out, even at their home, or anything like that. So we wanted to find a solution that would be easy on them.

Christian: What does a user actually have to do to encrypt an email?

Philip: Well with our gateway, right now the users don't have to do much of anything. We have rules on the gateway: emails to certain people are automatically encrypted. We also have the ability to mark "confidential" on the email before it goes out, and those emails are automatically encrypted.

Christian: So do you process emails for encryption at the gateway for all users?

Philip: We try to. For certain types of mailings that we do, it requires encryption still on the desktop. Our managers and our legal counsel also have the desktop products, so that they can continue to have control over what key they use.

We've also introduced, though, for the general employees, enterprise key management. And enterprise key management is managed on the gateway.

Christian: Apart from emails, do you encrypt any other data?

Philip: We do. Internally, we also try to identify sensitive materials that simply need to be just encrypted files -- not just emails. And we even take it down now to a machine level where laptops that have higher-risk data on them are encrypted on the entire drive. So we have full disk encryption using our same key infrastructure.

Christian: When you chose the email and laptop solutions, what were your criteria for selection?

Philip: Well, we were looking for, basically, our enterprise key management system where administrators have the ability to recover keys in case a user forgets their encryption key. We also want to make sure that the data is recoverable in such a situation.

We also were looking for a product that could definitely do a lot for us at the exact same time, and that included the signing of the emails, email encryption, and also gave the ability to do the full-drive laptop encryption. We're a small staff, so maintaining disparate systems and having all kinds of different keys around the organization makes it difficult to manage.

Christian: Let's zoom out and have a look at the bigger picture. How has your security strategy evolved over the past few years?

Philip: Well, our security strategy in years past was to focus on the perimeter. If nobody gets in, our data is safe. But we're starting to see, even in industry, a shift in the focus of information security. While we have committed extraordinary resources to the perimeter, we've left the inside -- the employee, or the contractor or a snooping eye that has access to the internal network -- we've left all that data vulnerable.

So we've shifted our focus here to start to look at the data itself. Not only within emails but on our laptops, making sure those are encrypted. Any kind of files that are sensitive in nature, those are encrypted and we keep those encrypted internally and they are encrypted to only users that need to see them.

We make note of a case of another unfortunate organization, Fidelity National, which has been in the news recently where an employee was able to download a significant amount of information and would sell it to a marketing company where that information would be valuable to them. So that's a prime example of trying to secure internally the items that are most valuable to you.

Christian: OK, thank you, Phil. What advantages do you see in an enterprise solution versus a point solution?

Philip: Well, first of all, an enterprise solution really gives us the ability to address new problems as they arise. For example, today we're encrypting the laptops. Tomorrow we're addressing how to encrypt the data on USB devices. And then, years from now, we're talking about, "Well how do we protect data from devices that don't even exist yet?"

By having an enterprise solution, it gives us ability to roll out new features to all of our users simultaneously and address these issues from a policy perspective as opposed to going to each workstation and then adding a new tool, a new item, some new functionality to an existing product. It really gives us the ability to run the operation from a central location.

Christian: So what problems would you encounter if you were using point solutions?

Philip: We don't want to have to go to every desktop in the organization throughout the world. And our staff, we try to keep it centralized and we don't have an IT person on staff in every single location that we operate. So we try to do things remotely.

By having a point solution, where it's something that an end user can't manage, it definitely adds to the complexity of our job when it comes to protecting the uncertain threat. It also increases our vulnerabilities because we can't get to all the threats at the same time.

Christian: And would you say that this complexity translates to a higher cost of operation?

Philip: Oh, absolutely. You can just tell right now by the nature of our operation: if we have to travel overseas to help users out with their issues, if we had to spend hours out of a day, we would probably actually have to hire additional staff to make sure that when we do rollouts we can address all our vulnerabilities in a very quick time frame.

Christian: So which solution did you deploy at (ISC)2?

Philip: Well, we've been a customer of PGP for over five years. People that are within the organization had been using PGP much longer than that. We started out with PGP Desktop. We would buy PGP Desktop licenses for each individual that required it and they would go and create their own key. As the organization evolved, as we brought more non-technical staff on to the payroll, we needed a solution that would be easier to use for the end user. So, we moved to the PGP Universal products.

We started out a couple of versions ago now, and now we're on the most current version. So we deploy this solution ourselves, too, internally. One of our security managers on staff is quite the manual guy. He likes to read technical manuals and was able to do most of the tasks of setting it up just from the manual itself, which is quite a feat in this day and age with the complexity that you would expect.

Christian: Well, that's certainly a very good person to have in your team, Philip.

Philip: Absolutely.

Christian: So the PGP legacy often implies that PGP software is a tool only for techies and is very hard to use. Would you say that's still the case today?

Philip: Well, I think when we were concentrated mostly on desktop, and especially with the older, older versions of desktop, that yes, that's true. But with the gateway... We've really created this solution that the user is not even totally conscious of, which is exactly where you want to be when you want to have universal compliance with the policies of signing emails and encrypting emails. So we're definitely seeing, right now, a huge leap in ease of use, and it's very much now an enterprise solution.

Christian: So how long did the user training take?

Philip: Well, to be honest, we didn't train users a whole lot. We told them, "If you do certain things, you'll follow the policies such as marking an email as 'confidential.'" We taught them how to mark emails as "ready for encryption" and that's about the extent of the training.

Christian: So how does your support team like this solution?

Philip: We like it. We find it very easy to support. We've also noticed that as we do updates to our PGP Universal server, it pushes those updates to the desktop product as well, so that those who do have desktop get the latest updates as soon as they're available.

We find that the performance is very good. Our PGP server is not very taxed, resource-wise. And it operates transparently, which means that if they don't know it's there, we don't get any complaints about it.

Christian: Do you want to tell us a little bit about the daily reporting?

Philip: Each day, our PGP server sends us a report as to how many emails were signed, how many were encrypted, and how many emails came in, since it is part of the full mail flow. And it gives us an idea of what kind of traffic we're experiencing both inside and outside of the organization.

Christian: So Philip, let me ask you this. If your best friend were to start an enterprise data protection project today, what advice would you give?

Philip: Well, first of all, I would say that you need to plan what exactly you're trying to protect. Know what data is valuable to you, formulate a strategy for getting protection on it, not only from external users but from internal users who don't need access to it, and focus on the protection of the data itself from an enterprise level.

And it's too easy to be caught up in guarding the perimeter and giving in to the fear of what hackers can do to your network while accessing it from the outside while someone inside the organization is walking out and selling your data. Absolutely, make sure that you have a security professional available to handle your project, identify your data and strategize with you on your enterprise data protection.

I would also say, "Make sure that these security professionals are credentialed to do the job." And that's kind of what our company does. We make sure that security professionals are ready to take on the challenges of information security within an enterprise. So finding someone that holds a CISSP certification or an SSCP certification is part of the solution.

Christian: Today, we've been talking with Philip Casesa, IT operations manager for (ISC)2 about his strategy around enterprise data protection. Thank you, Philip.

Philip: Thank you, Chris.

Announcer: And thank you for joining us for this podcast brought to you by PGP Corporation. If you'd like to learn more about how we can help you defend your data, please join us online at PGP.com.

[music]

About (ISC)²

(ISC)² is the non-profit global leader in educating and certifying information security professionals throughout their careers. Since (ISC)²’s inception in 1989, it has certified information security professionals from government agencies and companies throughout the world. Several (ISC)² credentials meet the stringent requirements of ANSI/ISO/IEC Standard 17024, a global benchmark for assessing and certifying security professionals.

"(ISC)² is committed to information security best practices. Our members expect secure communications from (ISC)². We are pleased to offer them the functionality they demand and the peace of mind secure communications provide."

Stephen Doukas, Chief Operating Officer, (ISC)²