Can you provide a profile of your roles and challenges?
"...My role is Chief Technology Officer with a small technology company called Third Brigade, which provides security products to keep your server safe. But I'm more or less an industry spokesman for this type of technology....speaking to customers, analysts, including the press...."

What are your recommendations for security governance (PCI and SANS work)?
"....Compliance is driving our industry. One of the latest security standards which probably has the biggest bang for the buck in terms of compliance and is driving a lot of improvement in security is PCI (from the payment card association)...It's a risk-taking standard....SANS is helping to produce another set of guidelines called the Consensus Audit Guidelines...It's very new and can be found through the SANS website (http://www.sans.org/cag/)....This is sort of a Top 20 of the most important controls and metrics for effective cyber defense and continuous FISMA compliance...."

Can you talk about defense in depth and really what that means?
"....You are not going to have just one layer of security....the more the better. If one should fail you will have others to back you up....The best way to think of this is that the innovation cycle in IT security is driven by the bad guy, not by the good guy. In most industries it is the opposite...."

Brian profiles the Conficker worm and comments further on virus protection and malware removal.
"....Patch the vulnerability....Make sure the virus protection product can detect and clean the particular malware....A strong password policy....Standard controls for log inspection....Registry control....Look at traffic to and from the server....Shield the specific vulnerability....Any one of them can stop it, but we need the combination of them to be defense in depth and to be protected...."
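As an added illustration of two of the layers Brian lists (the password policy and log inspection), the script below is not from the interview or from Third Brigade's products. It assumes a simplified logon-event layout ("<timestamp> <server> logon <RESULT> user=<account> src=<ip>") and runs over a handful of constructed log lines, flagging any source that fails logons against several different accounts in quick succession, and noting when such a burst is followed by a success from the same source, which is the outcome a weak password policy allows.

```python
import re
from collections import defaultdict

# Constructed sample records (not a real capture): one logon event per line in
# an assumed "<timestamp> <server> logon <RESULT> user=<account> src=<ip>" layout.
SAMPLE_LOG = """\
2009-03-01T10:00:01 srv01 logon FAILURE user=administrator src=10.0.0.7
2009-03-01T10:00:02 srv01 logon FAILURE user=admin src=10.0.0.7
2009-03-01T10:00:02 srv01 logon FAILURE user=backup src=10.0.0.7
2009-03-01T10:00:03 srv01 logon FAILURE user=test src=10.0.0.7
2009-03-01T10:00:03 srv01 logon FAILURE user=guest src=10.0.0.7
2009-03-01T10:00:04 srv01 logon SUCCESS user=backup src=10.0.0.7
2009-03-01T10:05:00 srv01 logon FAILURE user=jsmith src=10.0.0.21
2009-03-01T10:05:09 srv01 logon SUCCESS user=jsmith src=10.0.0.21
2009-03-01T10:06:00 srv02 logon SUCCESS user=svc_sql src=10.0.0.9
"""

# Hypothetical layout; a real deployment would parse the event source it has.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) logon (?P<result>SUCCESS|FAILURE) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse log text into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_password_guessing(events, min_failures=5, min_users=3):
    """Flag sources that fail logons against several distinct accounts.

    One user mistyping a password produces failures for one account; a worm or
    tool walking a password list produces failures across many. Returns
    {src: {"failures": n, "users": [accounts], "success_after": [accounts]}},
    where success_after lists accounts that logged on successfully from the
    same source once it had already crossed the failure threshold.
    """
    per_src = defaultdict(lambda: {"failures": 0, "users": set(), "success_after": []})
    for ev in events:  # events are assumed to be in time order, as in a log file
        rec = per_src[ev["src"]]
        if ev["result"] == "FAILURE":
            rec["failures"] += 1
            rec["users"].add(ev["user"])
        elif rec["failures"] >= min_failures:
            # A success following a burst of failures is the case that matters:
            # a password was guessed, so the password policy was too weak.
            rec["success_after"].append(ev["user"])
    hits = {}
    for src, rec in per_src.items():
        if rec["failures"] >= min_failures and len(rec["users"]) >= min_users:
            hits[src] = {
                "failures": rec["failures"],
                "users": sorted(rec["users"]),
                "success_after": rec["success_after"],
            }
    return hits


if __name__ == "__main__":
    for src, info in find_password_guessing(parse_events(SAMPLE_LOG)).items():
        print(f"{src}: {info['failures']} failures across {len(info['users'])} accounts;"
              f" success after burst: {info['success_after'] or 'none'}")
```

The thresholds are deliberately parameters: on a busy server a higher failure count and a shorter window are needed to keep false positives down, and the "success after burst" list is the one to page someone about, since it means the password layer already failed and the remaining layers (patching, traffic inspection, vulnerability shielding) are what is left.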

What about Cloud computing?
"....We lose what we know as security by default...where you had all your little groups of experts that really knew their stuff and were doing the right thing....As opposed to the virtualized world, where with a few mouse clicks you can spin up a new server and maybe host it in another country. It is so easy to turn on and deploy that a lot of the security processes that we had by default can very easily get lost...."

What do we need to consider with Virtualization?
"....We have some very important issues with security....Your server images become like laptops now, and in the corporate world the laptop is a catalyst where you really need to have end-point security on your machine. Before, you could live with perimeter security where the network was clean on the inside. But where you have computers totally protected one day, and then they move off the network, connect elsewhere, and return infected from the inside out - that is a problem. The same issue is happening to servers as we go forward in this cycle...."

Provide your predictions of future IT/Business security trends and their implications/opportunities?
"....We are getting more and more interconnected....and we spend less and less energy putting security in....We have more capability, more interconnectedness and less control for security....In the enterprise we have another problem, I call it the security skills divide...."

Which are your top specific recommended resources and why?
"....There are a lot of government organizations which are very good for looking at policy and guideline publications....Security organizations such as SANS...."

If you were doing this interview, what questions would you ask and then what would be your answers?
"....The world is getting harder and the bad guys seem to be winning....What do we do?....How do we turn this around?...."

Brian shares some thoughts about his work.