Copyright 2004 Integrity Incorporated Copyright 2005 Integrity Incorporated Toronto Talks Integrity February 15 2005 Integrity in Business Carolyn L Burke, MA, CISSP, CISM CEO, Integrity Incorporated


Toronto Talks Integrity

February 15 2005

Integrity in Business

Carolyn L Burke, MA, CISSP, CISM

CEO, Integrity Incorporated


Lexus cars may be vulnerable to viruses that infect them via mobile phones.

Landcruiser models LX470 and LS430 have been discovered with infected operating systems that transfer within a range of 15 feet.

Typical Scary Story


• There isn't a virus on the loose. YET.

• New urban legend. But it got me thinking.


How do we prevent this scenario from occurring?

Back up a step...


• John reminded me to send in this talk a few weeks ago.

• I was hesitating... And I suddenly figured it out.


Toronto Talks

• 4 years ago, I spoke here on peer-to-peer networks, before most folks knew what these were.


Peer-to-peer

• Now, MP3s, Kazaa, Napster are household names.

• File sharing runs rampant!!

• Emerging need for new forms of security.


Security

• Worms and viruses travel over P2P networks, over instant messenger clients, over mobile phones.

“Could you wait just a little before you infect my computer? I need to get this done.”


More to secure

• Bluetooth-enabled devices potentially subject to ‘bluejacking’

• Proof of concept virus on the loose


Your car

• The Lexus is Bluetooth-enabled!

• What could Bluetooth control in the car?

• What can the car connect to?

• What can connect to it?


remote steering

connectivity

danger !


What’s the problem?


Ubiquitous computing. Ubiquitous malware.

• Viruses, worms, and yet unidentified forms of malware will follow.

– Into cars and their control systems.

– Into mobile phones and digital cameras.

– Into sunglasses and satellites.

– Into pacemakers and nuclear controls.


“Defend the Perimeter?”


But where is the perimeter?

• The perimeter will expand into

– biotechnology computation

– nanotech computation

– DNA assembling circuits

• We've barely scratched the surface in the security and privacy sectors designing protection systems. And we're in a race to do so.


Security is

• A never ending race.

• Today, it's your car.

• Tomorrow, it will be your heart.

• And soon perhaps, your thoughts.


The pattern

• computer scientists – hardware and software

• psychologists – wetware

• geneticists – DNA


Control

• Contain and control information and its practical applications.

• Areas are merging at the nano level AND macro level.


Stepping back

• Need a broader look at the issues

• Computer security is more than just 'securing the perimeter' - i.e. locking your doors and arming the alarm.

• We need embedded, decentralized security too. Ubiquitous security.


It's about INTEGRITY

• in the stuff we build or buy

• in the way we use that stuff and maintain it

• in the people around us

• in the organizations around us

• in our communications and the systems used for them


• integrity in our hearts ...

• In the knowledge that our biological self will function according to the spec.

• In the knowledge that our personal and professional values will and can be retained.


Integrity

• INTEGRITY is not just good security.

• It's the act of balancing our own principles with worldly situations that arise.


Integrity

• Integrity isn't an inflexible set of beliefs.

• It's the wisdom and courage to act in the world while fostering our heartfelt principles.


So how do we behave with integrity in business?


Stepping further back

• Let's look at leadership.

– Charismatic leader

– Procedural leader

– Administrative leader


CHARISMA

• Start-up CEOs

– often high charisma charmers

– they solve problems and lead people through character

– the company is a monarchy.

The cult of the charismatic leader.


PROCEDURES

• A mature company is driven by leaders who

– Teach and foster the management teams.

– Leave senior people autonomy to run their divisions accountably.

– Roles, responsibility delineated in advance.

The CEO remains an authority figure, but is approachable, reasonable, and influenced by good input.


ADMINISTRATION

Look farther down the curve though. These companies run like successful, well-oiled machines. How? Through

– Standardization

– Auditing

– Control functions

– ISO certifications

– Best practices

– Everyone knows their roles.

– Procedures are clear.

The CEO is a darn good administrator of an effective system.


So leadership plays a role

• In each model, the CEO is essential.

• But in a well-oiled machine, communication is not only top-down.

• Creativity has room in every role.

• And behaviour is governed and predictable.


CEOs

• And yes, over the last 20 years, we've seen this get out of balance.

• Celebrity CEOs dominate the news. Martha Stewart. Carly Fiorina. Conrad Black. The Enron group.

• They are not however always at the helm of success for their companies.


CEO Success

• Success comes in reliably satisfying your market. And celebrities are not generally known for their reliability.

• Standardization is.

• So as remarkable as it may seem, you need to be this wonderful combination of visionary administrator. And so does your company.


CEO Integrity

• The visionary administrator needs some tools…


So how do we behave with integrity in leadership?

Hint: ethics and policy.


Consider

• The law, legislation, regulation, industry standards, best practices

• Potential problems with each technology we invent and implement

• Ethical ramifications


And consider

• Societal ramifications and the effects on our shared future

• How to institutionalize the best of breed practices that result

• And of course, the profitability of our decisions for our business ventures


And get practical

build integrity into all aspects of your business.


Bluetooth-enabled glasses (Oakley, Motorola)


How - Business Documents

• Clear vision and mission statements which state your principles / values

• Clear business plan which incorporates your principles and values


How - Policies, guidelines, procedures

• Security

• Privacy

• R&D

• Ethics

• HR

• CSR

• Sustainability

• Standards adoption


How - Compliance systems

• Audits

• Compliance technology: monitor and log, secure, retain, report, analyze

• Feedback systems to add checks and balances

• Quality assurance


What could Lexus do differently?

• In-car firewalls isolate hardware from firmware and software systems

• Plan ahead about problems integration will bring

• Best practices in security and ethics

• and…


• Advance policies and R&D strategies to forge ahead while keeping the risks at bay

• Monitor and plan for new risks that arise from new technologies

• Do all these continuously


Continuous process

• The problem is ongoing:

– “Security is a process.”

• So is ethics. So is having integrity.

• 90% of an effective solution is using governance and compliance systems to monitor and improve existing solutions.


What can I do differently?

• And this isn't about Lexus which is a new urban myth


Each of us in our business day relies on the policies and practices of our organizations to guide us.

Are they good enough?


Our companies have mission and vision statements.

Do these encompass a forward looking, proactive, AND safe view of progress?


We each face ethical challenges regularly.

Are the people around us trained to effectively handle ethical challenges?


We are business leaders.

Are you a visionary administrator or a cult figure?


I mentioned satellites…

• Are communications satellites safe-guarded from viruses or hackers?

• [IBM Security Survey 2005]


Where else are computer components embedded?

• I want every company to:

– comply with a code of ethics and the laws

– use standards

– follow industry best practices

– audit their processes


So what are you doing to safeguard your customers?

How do you plan to embed protection systems into your products / services?


Integrity

• The use of values or principles to guide action in the situation at hand.

• Know your leadership values & principles.

• Situations will present themselves.

• What kind of leader are you?


Exercise in Integrity

• Clearly state your personal values and principles. Highlight them in:

– your company mission and vision

– your business plan

– your policies, procedures, and practices

– your leadership style

Do they align?


Q & A

www.integrityincorporated.com


Your car key

• Matthew Green starts his 2005 Ford Escape with a duplicate key he had made at the corner store.


Key cracking

• This Johns Hopkins University team recently cracked the security behind “immobilizer” systems

• Used in millions of Fords, Toyotas and Nissans.


How to steal a car

• Extract data from the key by standing near the owner

• An hour of computing

• A few minutes to break in, feed the key code to the car, and hot-wire it.


Ubiquitous. Embedded.

• Embedded computing is supposed to augment a car’s protection.

• Tool kits which duplicate key cracking will become available to download.


Is your car safe to drive?


Is the car still in the driveway!


Resources

http://linkingINTEGRITY.blogspot.com

P2P overview … /2005/02/guide-to-peer-to-peer.html

Bluetooth glasses … /2005/02/motorola-and-oakley-introduce-first.html

DNA circuit assembly … /2005/02/dna-assembled-computer-circuits.html

Bill Gates on Interoperability http://go.microsoft.com/?linkid=2153987

Integrity Incorporated http://www.integrityincorporated.com/subscribe.aspx


Toronto Talks Integrity

February 15 2005

Carolyn L Burke, MA, CISSP, CISM

CEO, Integrity Incorporated