Interviews


Bruce Cowper, Top International Security Authority, Chief Security Advisor Microsoft Canada

This week, Stephen Ibaraki has an exclusive interview with Bruce Cowper.

As the Chief Security Advisor for Microsoft Canada, Bruce is responsible for the overall security strategy, working closely with the Public Sector, large enterprises, Industry Associations and the Community across Canada. He comes from a security background in secure system design, forensics and security risk management and, as the Chief Security Advisor, leverages his real-life, hands-on experience to relate to the challenges faced today. Bruce is a prolific speaker and can frequently be found in the media and at conferences across Canada and beyond.

Bruce is a founding member of the Toronto Area Security Klatch (TASK) and an active member of numerous organizations across Canada. Before moving to Toronto and joining Microsoft, Bruce held positions on the board of directors of several IT companies, championing the development of technical excellence and the customer experience. Bruce is also a founding member of North America's largest Security Conference, Sector.

Bruce holds a degree in Computer Systems Engineering as well as industry-standard qualifications.

See Sector.ca.

To listen to the interview, click on this MP3 file link

Go to www.microsoft.com/youshapeit/technet for a look at this interview and much more.

The latest blog on the interview can be found in the IT Managers Connection (IMC) forum where you can provide your comments in an interactive dialogue.
http://blogs.technet.com/cdnitmanagers/

DISCUSSION:

Interview Time Index (MM:SS) and Topic

:00:38: As Chief Security Advisor, can you provide a quick overview of your work?
"....My role encompasses three big areas. I am the liaison between the Canadian government and Microsoft from a security perspective....Second, a big part of my role is education and awareness around security and that is not necessarily just around the Microsoft products and strategy angle....Third, I spend a lot of time within the community with things like TASK and Sector...."

:05:12: In terms of some of the things you talked about in Canada I would assume that most of those would also apply globally.
"....We can look to applying some of the learning that we have had here, on an international stage....Canada, the UK, and elsewhere may have (already) been through some of these challenges and one of the opportunities that we have is to take the lessons and help countries and organizations around the world bypass some of that learning curve...."

:06:36: What can you say about security governance challenges, best practices, and solutions?
"....One of the things we've seen with the economic downturn is how people look at things like security, privacy, and governance....We are seeing a lot of organizations almost making security, privacy, and governance coalesce within their organization whether that is by physically amalgamating departments or by taking a more holistic approach...."

:10:38: Can this be extended to strategy (and defense in depth)?
"....When we start to think about how we achieve things like compliance and how we control things that are happening with the governance, the strategy becomes the means to getting the job done....Strategies now include sub-topic areas like interoperability, green IT, virtualization, standards, etc. The strategy components that I'm seeing a lot of organizations do involves reaching out to vendors, partners, and even the community to ask what did you do and how did you do it, what were the challenges and what were the learnings that you had, so that I can have a more effective strategy moving forward...."

:12:46: You talked earlier about defense in depth. Can you give us an overview of what that means?
"....When you look at security, the traditional view has been one of 'a point in time' solution in many cases....What we are finding is that a lot of organizations who went down that path are now wanting to tie them together....We are trying to get people to step away from the 'point in time' solution and from the reliance on technology and to understand that it is very much about a holistic view of technology, compliancy, policy and strategy within your organization...."

:19:05: Do you have more best practices to share on the areas we talked about earlier and others?
"....The best practices are coming out of the industry themselves. When we start to talk about virus protection, a lot of the strategies around that are defense in depth....There are other areas to consider such as mobile devices or other devices that are not directly controlled by the corporate environment ....There are a number of fundamental points to look for....Making sure your machines are up-to-date (operating system and applications)....Going through and understanding the assets that you have....Looking at what the threats are within my organization...."

:26:04: What do you think is the greatest source for information and also for support for security-related issues? Is it vendor sites, the community, working with groups like TASK, or attending conferences? What is the impetus behind your work with TASK and Sector?
"....A lot of the way that we learn is by connecting through others. First, being able to ask the questions....Second, when I'm starting to think where I am going in the future and my strategies around implementing 'x', rather than having to look into everything myself I am able to go to people and ask what they did ....Third, the career component.... Fundamentally the community is the way for all three of them...."

:28:17: Provide your predictions of future IT/Business security trends and their implications/opportunities?
"....There are some big trends that I am seeing both on the technology side and also elsewhere. When I start to look at some of the big threats that are occurring right now....Things like input validation and other areas like that are still seen as especially big attack vectors for a lot of organizations....Malicious software....Attacks against virtualization....Mobile devices....Voice-focused attacks....Social engineering....Consumer devices....Insider attacks....Games and gaming consoles....The number of organizations who are not taking the holistic view and are still taking the 'point in time' approach to their security...."

:40:54: Which are your top specific recommended resources and why?
"....There are three basic resources that I would recommend people look for. One, look towards the community (user groups, industry associations). Second, the blogs....My third resource is people and making sure that you connect with the people who surround you because the last thing that we want to do (especially as security professionals and the management layer) is live in a little silo. Getting the outside perspective is incredibly important....
There are also people within the industry who are worthwhile paying attention to. Privacy - Michael Geist and others, Infrastructure security from a management perspective - Kai Axford & Steve Riley; Go to http://www.microsoft.ca/security to download the security resource kit which contains a list of people to watch...."

:46:16: If you were doing this interview, what questions would you ask and then what would be your answers?
"....What do people think of when we talk about terms like defense in depth?....What do people think of in terms of the differences between security and privacy?....We are all consumers. How do we see and feel that industry is doing with helping to protect me/family/information when I'm on-line?...."

:50:25: Bruce shares a story from his work and experiences.