Today’s interview is with Brian Honan who lives in Dublin, Ireland. I’ve known Brian for a couple of years now and he is never shy to chime in with his ideas. He is also the first person to offer to help if you come to him with a problem.
Q: Tell me a little about yourself.
I am an independent consultant based in Dublin, Ireland specialising in the area of Information Security. I have worked for myself for over 5 years now and previous to that held numerous senior management roles both at the technical and business levels, so I like to think that I have a good broad view as to where information security can support the business. I also set up Ireland’s only CERT team, IRISS-CERT www.iriss.ie, due to there being no other body in the country providing such a service. I enjoy writing and have published a book on the ISO 27001:2005 Information Security standard; I am the European Editor for The SANS NewsBites and also write for numerous industry publications.
Q: How did you get interested in information security?
Way back in the late 80s I worked in the IT support function of a large Irish financial company. PCs were relatively new and I was the “lucky” one tasked with supporting them. Back in those days PCs ran PC-DOS and adding connectivity cards for networks or mainframes required a lot of “hacking” around with the hardware and the operating system. This helped build up my curiosity into how systems and networks worked as I battled to connect PCs to the various business platforms in the organisation. Then one day some of the PCs got hit with a computer virus. In today’s terms it was fairly benign, but back then it was a major issue and there was very little support available. Indeed, finding an anti-virus product was difficult. As a result of that first outbreak I became fascinated with the motives and skills shown by the virus writers. That fascination spawned my interest in security as I looked into ways to make the systems I was charged with more secure.
Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?
I do not have a formal third level qualification in IT. Rather my qualification is in Personnel Management. Over the years I have amassed various industry certifications from organisations such as Microsoft, SANS, ISACA, Citrix, HP, IBM etc.
Whether or not those qualifications added value to my information security career is hard to quantify. It is difficult to know whether or not you got a particular role purely based on the number of acronyms you have on your CV. However, I would say that they have added value to me personally in that they confirmed to me that I was competent in the technologies I worked with. It was good to have a third party confirm your own skills. I am a firm believer in rating someone based on their ability to do the job in a professional manner and I have worked with many talented people who did not hold any official information security certifications. So if anyone is looking to seek a certification my best advice is that you do so for your own selfish reasons and not because it is the latest and greatest certification that is appearing in the job ads.
I believe that my qualification in Personnel Management has given me a unique insight into the field of Information Security. While being knowledgeable in the technical aspects of information security, one of the key elements in Information Security is people. Knowing what motivates and drives people is invaluable when designing information security programmes. Being aware of the Human Resource and Industrial Relations issues that are integral when dealing with people is also invaluable when making key decisions in relation to information security issues.
Q: What are some of the issues, specific to Ireland, that you run into from a security perspective?
Ireland is a small country with a population of around 4 million people which tends to lead to an attitude that “we are too small for anyone to hack us”. Unfortunately this is not the case and to help address the issue I established Ireland’s first CERT team, The Irish Reporting and Information Security Service (IRISS, www.iriss.ie). In the year that we have been operational we have been very busy dealing with numerous issues, primarily shutting down phishing sites hosted on compromised Irish-based websites.
The other main issue I see is that many companies believe that information security starts and ends with the deployment of a firewall and some anti-virus software. They tend to forget that technology is only one part of the puzzle and they need to also ensure the other elements of people and processes are also properly dealt with.
Finally I often come across the problem where companies do not understand their legal obligations under the Irish Data Protection Act and there is also a lack of awareness, especially within the SME sector, of the PCI Data Security Standard (PCI DSS).
Q: Do you think that computer users in Ireland are more or less susceptible to information security exploits or malware? Why?
I don’t think that Irish computer users are any more or less susceptible to information security exploits or malware. I would say they are as equally susceptible as users in other countries. But the problem is not just at the user end, I think overall as a profession we have failed to properly educate end users on how to deal with the various threats that are out there. This is not just a failure in how we educate end users against the various security threats but also in the technology we use to defend ourselves, the underlying technology used on our networks and our computers, and finally how we tackle international crime.
Q: What do you find is the hardest security concept to explain to senior management? How do you approach it?
The biggest challenge I find is explaining that information security is not just a technology problem but a business problem and needs to be dealt with in the same way as any other business problem. I find the best way to deal with this is to explain information security problems in the terms of the risk they pose to the business. When the business can see the potential bottom line impact a security threat can pose either in terms of Euros or reputation then they tend to pay more attention.
Q: What did you want to be when you grew up? Would you rather be doing that?
At one stage when I was growing up I started my own band and had ambitions of becoming a rock star. There are times when I am in the middle of an ISO 27001:2005 audit or other information security project that I think would I rather be doing this or be in a 5 star hotel room with a bunch of groupies?
Q: What projects (if any) are you working on right now?
I am working on a number of customer projects assisting them to achieve ISO 27001 compliance/certification. I am developing an ISO 27001 based risk management product that I hope to launch in 2010. Running the IRISS-CERT is keeping me busy, especially as we hope to soon become accredited with TF-CSIRT and FIRST. I have a number of writing opportunities that I am exploring, one of them will be blogging for Infosecurity Adviser http://www.infosecurityadviser.com/. There are also a number of other projects I am working on in relation to cloud computing and managing the security around that area.
Q: What is your favorite security conference (and why)?
Being based in Dublin the better security conferences require me to travel. So I am selective about which ones I go to as I want to ensure my time is well spent. So it would not be fair for me to pick one conference over another. I would though recommend local chapter meetings of the ISSA, ISACA and here in Ireland the Irish Information Security Forum. Local meetings provide a great opportunity to meet and share experiences with your peers while also getting to attend some good presentations.
Q: What do you like to do when you’re not “doing security”?
Relaxing with the family.
Q: What area of information security would you say is your strongest? What about your weakest?
My strongest would be in the areas of information security management, developing information security programs, designing and architecting a secure network infrastructure. My weakest area would be in application security – I never had the patience to write or examine code and have the utmost respect for those with skills in that area.
Q: What advice can you give to people who want to get into the information security field?
The best advice I can give is to communicate. Working in this field can be very challenging, fun and rewarding. But be warned that many businesses and organisations see information security as a necessary evil so don’t be surprised when the business doesn’t put the same priority on issues as you do. Learn to communicate to the business in terms they can understand. Communicate with your peers and others in the field, that way you can learn from them and they can learn from you. The bad guys who are trying to attack your systems are sharing information with each other, so those of us defending our systems need to also share information so we can better defend ourselves.
Q: How can people get a hold of you (e.g. blog, twitter, etc.)?
My Email is firstname.lastname@example.org
My company website is www.bhconsulting.ie
My twitter handle is @brianhonan
My own blog is www.bhconsulting.ie/securitywatch
My Infosecurity Adviser Blog http://www.infosecurityadviser.com/view_profile/brian_honan/752/
My book “Implementing ISO 27001 in a Windows Environment” can be found here: http://www.itgovernance.co.uk/products/2207