Security Profile: Igor Drokov

Submitted by Kai on Wed, 2007-05-23 07:30.

Igor is the CEO and founder of Cronto, a UK-based information security company. As the name implies, Igor is of Russian origin: with a degree in Engineering gained at the top university in Moscow, Russia, he went on to the University of Cambridge, UK, where he graduated in 1999. In 2005, he co-founded Cronto to deliver secure authentication that normal people can use. As you can see in his blog, Igor is a strong believer in transaction authentication as a means to avoid phishing.


How it came about

I had the pleasure to communicate with Igor following a comment he made on my blog. I soon realized this guy is really into transaction authentication and IS, and decided to do a profile.

His interest in IS is explained like this:

“IS has many facets: human, technology and business, and its evolution is directly connected to progress in all those areas. It is something that affects everyone, whether they want it or not (Are your medical records secure? Is your bank account safe?). Hence, working in this area is both fascinating (ever changing threats, scale) and, if you can get it right, rewarding: you can make a visible difference to business and to people’s experiences.”
Risk and reward

When asking Igor to explain IS, he says: “Information Security is a composite subject – one that encompasses different disciplines under the same umbrella and applies a combination of them to a range of application areas. It is also one of those terms that different people understand differently, depending on their background.”

People understand the term IS differently. That is a fact.

Igor then names a couple of important aspects:

  • Risk and economics:
    the art of finding the right balance between risk and reward (profit)
  • Psychology and usability:
    making users feel secure and providing a system they can use

The business impact
Igor is a CEO in his own company. That takes him directly into the management position, and makes it easy for him to recognize the impact security has on business.

“Security is often seen as a cost centre rather than a business enabler. This perception is built on the concept that the most secure house is the one that doesn’t have any doors or windows. Similarly, the most secure business would be the one that doesn’t have any customers. Both scenarios are not acceptable in the real world,” Igor says.

What happens when a company uses that approach to security?

“This often leads to security being ignored by the business until it is too late (the security spend always peaks around well-publicized security breaches) or until regulatory compliance is introduced (e.g. FFIEC guidance and 2-factor authentication),” Igor explains.

Ok, so that is the wrong way. What do you suggest as a good solution?

Igor explains: “It shouldn’t be this way… security could and should facilitate the business, help to increase profits, but for this to happen business and security people need to be able to communicate and work out aligned incentives. Mike Rothman’s Pragmatic CSO series http://www.pragmaticcso.com/poster.html and the Economics of Security research area http://www.cl.cam.ac.uk/~rja14/econsec.html are great steps in the right direction”.

Three challenges in 2007

I ask Igor to let the readers in on what he believes are the three major security challenges in 2007:

  • Resolving the complexity of identifying threat models and understanding the compliance landscape relevant to YOUR organization. Every business is relying on Information Technology to one degree or another, so ignoring IS is not an option, but understanding its role in your business is challenging. PCI DSS, SOX, NAC, 2FA, EV SSL, XSS, DDoS – what is relevant to my business, what is essential and what is “noise”, e.g. if I “just” want to open a web shop?
  • Recognizing the value of security innovation and becoming more open to new approaches. By only buying security solutions from a handful of large security vendors, businesses entrust their ability to mitigate ever-evolving threats into the hands (and minds) of a few R&D departments – clever as they might be, the lack of competition has never helped progress. Yet, on a business decision-making level it is an understandable sentiment: “No one has ever been fired for buying from XYZ plc”.
  • Aligning business and security incentives. How to avoid falling into the trap of thinking, when business is doing well and there are no issues: “why do we need to spend more on security?” Equally, understanding the impact of security measures on customer experience is vital: could the process be both simple and secure, can the business market its security? Having strong security that is totally transparent to users doesn’t necessarily make them feel secure (see Schneier, http://www.schneier.com/essay-155.html), whereas having “security theatre” without any practical value could be brand damaging – getting the balance right is not easy, but it could have a profound effect on the business.

The blogger is Kai Roer, a European Information security professional.