May/June issue

The physics of information security


Brian McKenna

Peter Berlich is a security executive at IBM Switzerland on the global ABB account, and was global head of information security at the Swiss automation and power giant. He says the information security profession must evolve towards risk management and emulate the ways of the physicist. Brian McKenna reports.

Physicists have to live with disturbing margins of error, and so do managers of risk, says Peter Berlich, a former global head of information security at ABB, the Swiss power and automation technologies company. He should know: he holds a PhD in physics from the University of Freiburg.

Now working on the ABB account at IBM Switzerland, Berlich describes his journey from physics through general IT to security as determined by a natural curiosity. "Security is very interesting in that it is both technically challenging and it brings you closer to certain aspects of the business than pure IT delivery does. I am a naturally curious person who likes to learn new facts and to fix things. Also — and I think this is very important — you can have a big impact in security with a small amount of resources."


Internet pioneers

Berlich worked at CERN, the birthplace of the world wide web, from 1991-94, and there is a strong element of early-days Internet culture in his background. "Yes", he says, "a lot of people I know have travelled the same route. Indeed, many of the original Internet pioneers in Germany you now find in security and privacy roles".

Back in 1997 Berlich was the author of Core [1], an award-winning contribution to an Internet literature contest sponsored by Die Zeit and IBM. This 'hypertext' he describes as his "go at absurd literature". The text is at once a parody of Casablanca and the story of a storytelling machine going nuts. On a third level it is the simulation of a computer that gives the reader the illusion of being in control while at the same time he is anything but. In the end, all three levels converge in a loop (or vicious circle) of 'Play it again, Sam'. “Finally, a vending machine eats a sandwich.”

This treatment of people at the mercy of technology is apt for our time, as we find ourselves ruled by computer code — whether legitimate or illegitimate.

His physics background inspires his approach to security. “You have to accept a level of uncertainty, and this is what you get conditioned to in physics, where all you can measure, by definition, is incomplete information. It's similar with risk management, which is all about knowing your risks, prioritizing them, and choosing an affordable level of protection.

“Quantifying risk with any reasonable degree of accuracy may be an investment in itself. Risk management starts with the question of whether or not to make that investment”.

ABB outsourced to IBM

Berlich is today the account security manager for the IBM-ABB outsource team. He transferred to IBM in September 2003 as part of an outsourcing agreement for ABB's IT services.

He was global head of information security reporting to the CIO at ABB. There, he managed a team of four security specialists. At IBM, the security team has, he says, “a different role. We are able to harness the company’s resources and knowledge when it comes to security management. This is something I see as a big benefit to ABB, and being supported by a massive peer group is something I appreciate personally”.

Berlich: naturally curious

ABB is a global manufacturing company specializing in automation and power technology, and employs 140,000 people worldwide, with its Head Office in Switzerland. ABB and IBM have a ten-year agreement to outsource close to 90% of ABB’s global information systems infrastructure operations. Berlich is one of 1200 employees who made the transfer. The $1.7bn contract was described in a statement in July 2003 as one which would help ABB significantly reduce costs.

Berlich describes ABB as a company with a wide range of businesses. "It grew from a historically very diverse company with thousands of subsidiaries worldwide to a more unified entity".

He established the global information security function at ABB from scratch. "The main driver there, back in 2000, was that ABB was consolidating its IT, so a global security function went with that naturally". He spent three years doing security at ABB. "Over time my role became more business oriented, and more prominent. When I left ABB, it was recognised as an indispensable element in the company's risk management".

The profession

Berlich is a CISSP, and a member of the recently formed European Advisory Board of (ISC)² (the International Information Systems Security Certification Consortium), the not-for-profit organization that certifies information security professionals. "The CISSP examination forces you to go over your knowledge base", he says, adding that he also values the importance (ISC)² attaches to security education on the job, and to networking with other security professionals.

He is also a member of the council of the 'grey [Germanophone] chapter' of the Information Security Forum (ISF), and values the professional contacts he has built through the organization. He does worry, though, that the profession is "split into one core part that is active and networking and the rest. There might be different networks, which is what I would like to believe, but I suspect most security professionals are on their own”.

Chief among the topics he sees for the new European Board of (ISC)² is the perception that the CISSP is a US certification that is still US-centric in its content. "That is the gap we have to bridge", he says. "There is also a huge focus on security technology in our profession, which is reflected in the body of knowledge underlying the CISSP. The risk management focus needs sharpening”.

The market

Looking at the IT security market more generally, he senses that "it is maturing. In five years it will be commoditized in terms of the technical aspects. By then the market will have cleared and will have consolidated.

"Once the technical problems we have to struggle with today — mostly around software — have been brought under control, the profession will move more into risk management.

“We also shouldn’t forget that behind many technical problems lie business risks that have to be addressed on a people level. I would say that technical skills are less crucial for a security manager than people and business skills. There is a risk that they may get in the way and misdirect attention”.

Privacy features strongly in Berlich's published output [2], and he sees it as both a business issue and as a social issue: "we need to protect the concept of privacy precisely because we have the means to destroy it completely".

"After the security market has had time to consolidate, the privacy market may partly replace and supplement it. I believe that a number of viable business models exist, and that once computing and online services have become pervasive, privacy and identity management services will evolve".

Top tips for other infosecurity professionals

• Don't try to do all things yourself. A new security manager is faced with huge expectations and, all too easily, people start throwing everything security-related in his direction. This way lies burnout to the individual and risk to the business.
• Mind the business risk — make sure where you invest money is where the risk really is.

Biggest challenge

• For IBM, to make the ABB outsourcing work. “Standardization across the board and creating commercial responsibility are the challenges”.

Professional influences

• The Information Security Forum (ISF) community. “Being at the interface between technology, security and business has always appealed. I believe that in security we find a particular brand of personality — curious, engaged, open but at the same time steadfast and with lots of perseverance — how else can we fight the impossible fights we have to? That's what makes this community so interesting to work with”.
• Jim Barrington, former CIO of ABB and now CIO of Novartis. “He brought a very business minded approach to IT”.

[1] Peter Berlich: Core, Internetliteraturwettbewerb (Internet Literature Contest) sponsored by Die Zeit and IBM, 1997
[2] Peter Berlich, Hansen, Camenisch, Clauß, Pfitzmann, Waidner: ‘Privacy-Enhancing Identity Management’, Information Security Technical Report, Volume 9, Issue 1 (2004), Elsevier, UK, pp. 35-44; http://dx.doi.org/10.1016/S1363-4127(04)00014-7
