Ted Schlein, a partner at venture capitalist firm Kleiner Perkins Caufield & Byers, has been in the information-security business for more than 20 years. He started his career in the sector in 1986 as a marketing manager at Symantec, after graduating from the University of Pennsylvania.
During the course of his studies, he found time to set up two companies, one of which — Reality Technologies — he sold to gaming giant Electronic Arts. Schlein continued in the same vein at Symantec by developing Norton Utilities for the Apple Mac.
As a result, he was promoted to head up the vendor's utilities division, where he built Symantec's AntiVirus program for the Mac, an application that helped create the market for anti-malware software. In October 1996, Schlein was headhunted by Kleiner Perkins Caufield & Byers to run its Java Fund and has since invested in such success stories as Google.
ZDNet.co.uk recently caught up with Schlein to get his thoughts on why current approaches to IT security aren't working and what the solutions might be.
Given your experience in antivirus product development on the Mac, it would be good to kick off with the perennial question of whether, in your opinion, Apple products are inherently more secure than Microsoft's?
I don't think the Mac is inherently more secure than PCs, as they get hacked too, but usually in a different setting — at home or in small offices — and you do not read about this. Most major corporations have PCs deployed, so these tend to be the target of more attacks, since this is how the large corporations are run.
Where do you think the information security industry is at today?
I think that we've failed as an industry to protect users' information and data. And the reason that I say we've failed is because the number of exploits and breaches and the amount of dollars lost goes up a lot year-on-year, despite the fact that billions of dollars are spent trying to protect corporate networks and data. That's the industry's report card.
As a result, even though I designed and shipped commercial antivirus software when I was at Symantec, my investment philosophy shifted about five years ago. The way that we've approached technology doesn't scale, because systems can't be islands unto themselves. We can't say that everything inside the firewall is good and everything outside is bad, which was built into the security philosophy from the start. The idea was to identify what's bad and keep it off machines, using things like firewalls and intrusion-detection and prevention systems.
In future, software engineers have to be responsible for security. Engineering principles have to be built into security and applied by the people creating the software
Ted Schlein, Kleiner Perkins Caufield & Byers
The problem now is that the enemy we're fighting has gotten smarter and is using more sophisticated weapons, so the stakes have gotten much higher. In the past, it was about the casual hacker but there's much more money in it now and it's become big business. However, we, as an industry, are fighting the situation in the same way, so there's a fundamental disjoint.
I think the biggest issue is that we need to change who is providing the defences and how we provide the defences. In the past, the "who" part was the network operations guys, and they basically put in a box to stop malicious data packets.
So what is the solution to the problem, in your opinion?
In future, software engineers have to be responsible for security. Engineering principles have to be built into security and applied by the people creating the software. It's about software flaws, not bugs, and hackers take advantage of the fact that the software being written is insecure.
So the idea is that, if we're able to detect when the software has vulnerabilities or flaws in it and remove them from the code, they become impenetrable to attack. It's the same thing as inventing a vaccination, such as polio, and giving it to people when they're born. So solutions have to be developed. It's a very hard problem though because systems are made up of multiple applications and flaws have to be traced through the code all at once.
But, about five years ago, I asked myself whether this problem was solvable with technology and whether it was possible to automate the process to make it scaleable. And that's when I found Fortify. It's their mission, and they believe that security has to be done from the inside out, not the inside in. If we're able to get this done, the idea is that, eventually, we won't need firewalls, intrusion-detection systems and so on, as they won't have a role and hackers will be unemployed.
What are the key inhibitors to adopting this approach in your view?
Inertia. Marketplaces are resistant to change and people don't like hearing that engineering should be responsible for…
Talkback
I must say that the security companies are guilty as much as the hackers. They sell the software (anti blah-blah) to the meangers who believe, that it is the solution (seems cheap, only needs money).
Security ‘experts’ create good names like ‘virus’ to confuse even more the boss. No attempt is made to explain that it is all software which if tested properly should pose very little risk (had Windows/IE been tested better a whole industry would not have existed).
Managers hate to hear that something needs to be tested (most of them just do not understand what testing means).