An Interview with Oracle’s Director of Cybersecurity Strategy: Part 3 - Private Sector & Foreign Cybersecurity & the Future

Paul Laurent, Oracle’s Director of Cybersecurity Strategy, Public Sector, was one of our speakers at the GovDefenders Cybersecurity Virtual Event. He has graciously returned to talk to us about public sector cybersecurity for National Cybersecurity Awareness Month. The following Q&A is part three of a three-part series, in which we talk about the private sector, foreign cybersecurity, and the future of cybersecurity.

You can read part one of our interview (NIST, FICAM, Federal & SLED) here and part two (Citizen Privacy & Identity-as-a-Service) here.

DLT: What cybersecurity lessons can the public sector learn from the private sector? And what lessons can the US learn from foreign governments?

Laurent: I feel the private sector does a better job of making the business case for and taking steps to protect their “crown jewels” when it comes to data.  The public sector could better quantify their primary business function, which is maintaining the public’s trust.

That public trust is what “hacktivist” collectives like Lulzsec and Anonymous targeted when crafting attacks on public sector organizations.  It’s fairly common to see hacktivist attacks that don’t do much substantive damage to assets or services, but primarily result in negative press and embarrassment for the organization.  I think they understand that negative press hits the public sector where it lives because it erodes faith and trust in government.

So while I feel the public sector understands their mission (providing safety, services, information) quite well, to the extent they have escalated maintaining and protecting that trust as a business case with quantifiable benefits and costs (and aligned practices and priorities that reflect that analysis), I think we could take some direction from the private sector.

While the concept of privacy and an individual’s digital rights can vary widely from country to country, I think we’re long overdue to forward that discussion in the U.S.  Over the past several months the headlines have churned out a steady stream of new revelations around the NSA, PRISM, Edward Snowden, etc.  While the net results of this information will mostly be a domestic issue, there’s a lot to be learned just from seeing how other countries have approached privacy.

I can’t say for certain that having a more mature privacy discussion would have changed those headlines per se, but it stands to reason that we’re no closer to understanding where our balance between privacy and national security should rest without having that conversation.

DLT: Can you look into your crystal ball and tell us your predictions for ID&AM (Identity and Access Management) and cybersecurity over the next decade?

Laurent: I think we’ll see the emergence of “robust identity.”  That is, an identity that’s highly secure, doesn’t rely on passwords as a sole means of authentication, is usable with countless services and organizations, enables privacy protections, etc.  There’s already a lot of progress on all of these fronts taking place with the National Strategy for Trusted Identities in Cyberspace (NSTIC).  NSTIC is an initiative sponsored by the White House that proposes a public/private partnership between all interested and willing players in the identity space to reach those same goals, and there are a number of other standards development organizations pushing component and parallel goals forward at the same time.

We’ll also continue to move down the emerging path sometimes referred to as “The Internet of Things”, where networked devices, vehicles, shipments, locations, etc. give us actionable information on their current status and the environment around them.

While it may sound like a supply chain or perhaps an asset management issue, as we interact with “things” more & more, those interactions more closely begin to resemble identity management.