Bill Bonney

[apss_share networks=’linkedin, twitter, google-plus, email, print’]

Bill Bonney is VP Product Management and principal consulting analyst for TechVision Research, and is co-author of the “CISO Desk Reference Guide.” He also founded the eCyber Advisory Group to deliver on the “virtual CISO” model, and he serves as a board member for the San Diego CISO Round Table. Previously, Bonney was director of Information Security and Compliance for Intuit. He is also a member of the FHOOSH Board of Advisors. LinkedIn | Twitter

“Companies generating large volumes of data, including data lakes or large binary blobs of data, could protect and move that data more quickly with FHOOSH.”





Amazon | Web Site | LinkedIn



Q: How should CISOs effectively allocate IS budgets in response to threats and cybersecurity advances?

A: It all comes down to data. One of the first things we tell our readers in our book, “The CISO Desk Reference Guide,” when we start explaining the “how” around being a CISO is take an inventory of the data you have. What is it, where is it, and how is it important to the company? Once you know that, you can put in place appropriate data protection schemes. If you try to protect everything equally, you will fail under the weight of that task. Knowing what to protect and why it matters to the company is job one. Once that is complete, then it’s a question of what can threaten that data. Its confidentially, its integrity, its availability (CIA). Once that is done, construct defenses that protect whichever of C, I and A are important to you and determine how to recover from a loss. That’s how you deploy your budget. Understand what data matters, understand the risks to that data, construct a protection scheme for that data, and put resiliency plans in place.


Q: What are the biggest cybersecurity challenges facing IS teams now?

A: I think talent, tools proliferation and the speed of change are the biggest challenges CISOs are facing today. The demand signal has definitely been sent. There is a shortage of talent, so schools and governments are responding. There have been many high-profile breaches, so many, many vendors are coming out with more and more “next generation” tools and are trying hard to win the land grab. These responses are rational. The reaction to the talent shortage is rational but inadequate, because we need to do more than throw more people at the challenge. We need to figure out how to work smarter using artificial intelligence tools to assist people with their jobs. Then, we can focus on the things that truly require human intelligence. The reaction by tool vendors to the number of breaches is rational but misplaced, because so much more information is digitally exposed than ever before, representing significantly more economic value than ever before. There are huge rewards available to cyber thieves that provide astronomical incentive. Given the resulting onslaught in attacks, we will not be able to win this battle by detecting or stopping breaches. The numbers are against us. And we don’t even have a rational response to the pace. Yes, breaches are coming a mile a minute, but change and new product introduction is also continuing to accelerate. There is no let up on the horizon. Practically no one I am aware of is trying to turn the flame down.


Q: What are three surprising things that could help CISOs be more effective today?

A: Spend less money, not more. CISOs had been so starved for so long that they initially welcomed the new bulk up of their purse with open arms. They now have a lot more tools to care for. Another might be “you aren’t getting out thought, you’re getting out executed.” Even with all the talk of “advanced persistent threats” (APTs) over the last few years, helping your company focus on the basics, like patching and training, is far more effective than fancy new tools. An untrained workforce has a 75–80 percent phishing response rate; with a trained team, it’s just 25 percent. This form of credential stealing is a much more common attack than the sexy and mysterious APT. It’s pure economics. A cyber thief would rather craft an inexpensive phishing attack than mount an expensive APT campaign. The third might be to get more deeply aligned with your trusted vendors, even in the face of increasing risk from third parties. You will lose the battle to afford and hire the talent necessary to run your business and your vendor already has the expertise needed. Let them (with appropriate oversight) run more things for you. As we move toward selling services instead of “things,” every organization, regardless of size, should look for outsourcing options. It is becoming more common for vendors to provide a set of outcomes instead of just selling products and tools. There’s almost nothing that can’t be sold as a service if you think far enough out into the future.


Q: What trends do you see driving the need for data security in 2017 and beyond?

A: Data is becoming the number one raw material in ALL industries. Data is also becoming the number one output of ALL industries. Five years ago, Marc Andreessen famously said, “Software is eating the world.” Software eats data. In the past, the raw materials were valuable, to the point of being worth stealing, but since they were physical assets, they had to be stolen in person (exposing the thief to potential harm) and physical countermeasures could be deployed. The company provided physical security to protect warehouses, supply chains, factories and distribution. Now, the raw materials are valuable, as are the products, but neither is physical. So physical countermeasures cannot successfully stop their theft. Data, as the new ultimate product, is often held by the company. So, the company must protect the raw materials and the finished products, indefinitely. This trend will continue. In five to 10 years, every product we know of today will be delivered as a service. In 10 years, you’d be crazy to buy a car. Simply consume a service. Companies buy fewer servers every year while using far more compute resources; they simply consume cloud services. These services are defined using configuration files (data). In both cases, the data is the raw material and the product. Steal it and you’ve stolen the full property of the producer and consumer. And to do so, you don’t even need to be on the same continent.

The explosion of user-generated data will put extra stress on many, many systems, with respect to storing and securing that data. Storage is so inexpensive, people burn it without a second thought. Organizations that need to rapidly and securely move large amounts of data from place to place, or need to store it without having to put extra (expensive) protection around it, can benefit from FHOOSH. Using FHOOSH on a file not only encrypts it but also makes it much faster to move around: two great wins. Companies generating large volumes of data, including data lakes or large binary blobs of data, could protect and move that data more quickly with FHOOSH. The rapid rise of police body cameras, and even personal drones, will exponentially grow the amount of video data that needs to be transported and stored. Since the large volume of police video can be used as legal evidence, it needs to be protected and encrypted. FHOOSH takes these types of large files and data objects, and very efficiently secures them for fast transport to public, private and hybrid cloud and data storage environments.