What happened at Citicorp 12 years ago?
Someone was able to get into the cache management system. There were millions of dollars at stake and it was a great trauma for all of us. We knew the source was in Eastern Europe, but we didn't know if it was from an unskilled hacker or a government organization. I was really worried that it might have been the KGB.
What steps did you take once the breach was discovered?
We called in the FBI. Tsutomu Shimomura came in to help as well. He's the white hat who helped lead the feds to Kevin Mitnick [a hacker who spent five years in federal prison. He has since become a successful consultant, author and speaker]. Mitnick hacked into Tsutomu's computer and left a message essentially saying, 'Nananananana -- I've broken into your computer.' Tsutomu found Mitnick's signal and tracked him down, leading the feds to him.
There's an amusing side story to this: Tsutomu comes in to help us figure out what happened and our receptionist tried to turn him away. He was wearing blue satin shorts, a t-shirt with mathematical equations all over it, a crash helmet and rollerblades. The receptionist motions him away, saying, 'We don't take deliveries here.' She thought he was a delivery boy! In the end, he helped us determine that it was an unskilled hacker, not an organized group.
What was the biggest lesson that came out of it?
That when you don't take security seriously, things can happen. We had no perimeter. There were modems all over the damn place. Knowing there are 100 million customers and 300,000 employees and that someone among them can compromise the system -- that's a very daunting prospect. The lesson is that security is a business and economic issue. Don't talk about security as security.
As soon as the cache management system was compromised, that's what we said to the business people: Don't think of it as a security issue, think of it as a business issue. Security is one of the most complex issues. It's woven into everything in the business.
In your [Converge05] speech you mentioned the danger of overly rigid security systems. Can you expand on that?
All organizations are changing and adapting. Businesses rarely stand still. At Citibank, every employee moved twice a year. So when you have static and rigid systems that aren't built for those changes, it's destined to fail. Put in a high-tech system and throw in restrictions and someone will find a way to break them.
When Citigroup had to acknowledge a couple of years ago that information on 3.9 million of its customers had gone missing, it must have brought back memories of your experience a decade ago. Do you think companies in this situation are mishandling things or are they doing the best they can?
Well, I think that when this happens you have to respond. You can't sit back, doing and saying nothing. But with all this concern about identity theft you're seeing a 'gotta act now' mindset, and that's not necessarily good. It doesn't permit a deeper, more thoughtful approach to the problem. It all ties in with the need to step back and look at different ideas. With the current mindset, legislators feel they have to legislate. It creates the feeling that business can't handle this on its own. There's a rush to judgment, which often leads to an imperfect solution.
Haven't companies brought this climate on themselves by not being more up-front about compromises when they happen?
The big problem with businesses is that it's not important until it's important. And security is a tough job when constituencies you work for don't get it.
What does it take for businesses to get it?
You need to be able to look at things differently because when you rely too much on your experience you stop learning. When we [Wharton] first put a group of CEOs in a room, it was a disaster. Everyone thinks they know everything. That's what happens when you mature -- your capacity to recognize things diminishes and you lose the ability to execute. We tell people they have to be able to step back and recognize their limitations. At the same time, you have to rely on your experience. Experience is valuable and you don't want to change things just to change them. You want to merge experience with new thinking.
Trust is key. Companies must understand the importance of authenticating people. During a hotel stay, I walked into my room and the cleaning woman was in there. She stopped what she was doing and asked me to put my keycard into the lock. She wanted to make sure I was really the guest in that room. I was very impressed by that. Companies can learn from her example.