MacDonnell Ulsch is the chief executive officer (CEO) and chief risk analyst at ZeroPoint Risk Research LLC, based in greater Boston (Massachusetts, USA). Formerly, he was with the National Security Institute and continues to serve on its advisory board with former military, intelligence and defense experts. He is also a Distinguished Fellow of the Ponemon Institute. Ulsch has advised the Ministry of Defense in the UK; worked in Belfast, Northern Ireland; served on the US Secrecy Commission; and worked with US Senator Sam Nunn on information security issues. Ulsch has written numerous papers, articles and research studies. He is cited in many books and academic studies and is the author of THREAT! Managing Risk in a Hostile World, published in July 2008. A frequent public speaker, he has lectured at a number of universities and conferences.
Question
What are your predictions regarding information security/privacy legislation?
Answer
In general, legislation tends to favor the consumer because one of the biggest privacy concerns in the US is protection against personally identifiable information theft. Most states now have passed such legislation, typically known as computer security breach notification laws. The US federal government lags behind in the passage of similar legislation, with the exception of the recent Red Flag rules for banks, the Gramm-Leach-Bliley Act of 1999, Regulation S-P, and the Health Information Portability and Accountability Act.
There has been legislation suggesting that, in addition to executive management, security officers may be held responsible for breaches. While this is not likely to happen soon, it is on the minds of some and may one day become law.
The problem of identity theft is not going away and effective privacy management has a long way to go. One thing is clear: the passage of bills supporting these themes will ultimately result in more investment in security and privacy, and more oversight.
Question
You served as an advisor to Dan Brown when he wrote Digital Fortress. What advice did you give him? How realistic is the book in its coverage of the National Security Agency?
Answer
I was privileged to be a source for the book at a time when I was doing work for the National Security Institute. I made some suggestions based on discussions Dan and I had on national security issues that he used in his book.
The inspiration for Digital Fortress came about from a real incident regarding national security. When Dan was teaching at Phillips Exeter Academy, in Exeter, New Hampshire, USA, one student allegedly sent another student an e-mail that threatened President Bill Clinton. Within 24 hours, the US Secret Service visited the campus to determine the seriousness of the threat. The incident caught Dan’s attention, and he wondered how it was possible that among billions of e-mails that traverse the Internet, one threatening the life of the President of the United States could be identified so quickly.
Question
What do you see as the biggest privacy threats/risks? How can businesses and individuals protect themselves?
Answer
I am concerned about the threat from the evolution and cooperation among organized crime, international narcotics trafficking and terrorist financing. Identity theft is one way of laundering money. Wherever large sums of money are generated illegally, we can expect to see interest in identity theft from these three groups.
Executive management is increasingly acknowledging this threat and realizing the impact a security breach would have on their businesses, including the potential regulatory, legal, financial and reputational effects. We are still on the near side of the curve. We rely too much on regulation and not enough on good risk management, good security and effective audit management.
Question
How do you think the role of the security professional is changing? What would you recommend to security students or new security professionals to better prepare them for this changing environment?
Answer
Security officers today are becoming very aware that physical security is as important as network security. In the future, security officers will take more corporate—and perhaps professional—responsibility for security breaches and increase the certification requirements.
Security is becoming more critical in managing risk and promoting good governance. The stakes are higher than ever, and there is no indication this will change. We need to make security a top priority at the board level. Security needs to be on management’s agenda and understood as a critical component of how enterprise risk is managed.
Question
What has been your biggest workplace challenge and how did you face it?
Answer
My biggest challenge over the years has been the struggle to bring into unison the disciplines of threat analysis, regulatory compliance, security, privacy, risk management, governance and audit. We still have a long way to go—it is a process and not an event. It is a career-long mission that I hope one day will translate into every organization’s vision of the pursuit of integrity.
ISACA Journal, formerly Information Systems Control Journal, is published by ISACA, a nonprofit organization created for the public in 1969. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.