December 9, 2009, 3:34PM

Q&A: Ed Bellis on Web-based Business and Software Security

Dennis Fisher: Okay, welcome back to this CSO series podcast, also known as Real World Security.  My guest today is Ed Bellis, the CISO of Orbitz Worldwide, one of the top travel sites in the world.  Ed’s got a pretty broad range of experience in the technology industry, having worked as a web architect at Ford Motor Company, and a manager at Ernst & Young before getting into the security world as a V.P. in Bank of America’s information security organization.  He’s been the CISO at Orbitz for a little more than five years now, so we’re going to talk a lot about the way that the CISO job has evolved in Ed’s time in the industry, and the challenges associated with that job these days.

Before we get started, Ed wanted to make sure that everybody knew that the opinions he expresses in this podcast are his, and not those of his employer, Orbitz Worldwide.  So keep that in mind. 

So Ed, thanks for joining me on the podcast.  I’m glad we finally found a time that works for both of us. 

Ed Bellis: Yeah, likewise, Dennis.  Thanks for having me.

Dennis Fisher: Alright, so let’s sort of start off at the beginning.  How did you get into security?  You were in the technology industry.  Did you just think you know, technology’s kind of fun, but what it really needs is, you know, some more stress and hurdles?  And people calling me at 4:00 in the morning with emergencies. 

Ed Bellis: Absolutely.  I sat around one night thinking how – I was pondering on how I could make my job more painful.  [Laughter]  No, so what I like most probably in this field, it was somewhat by choice, somewhat I just kind of fell into it.  I’ve kind of been, as you said briefly in the bio, I hit on a number of different areas within technology. 

I started off my career like a lot of folks in the system admin role.  Specifically Unix system administration.  As the web came around, I started doing a lot more on application development – specifically web application development, and that led me – you mentioned my experience at Ford.  I was doing some web work within their W3 group there, and we ended up doing a number of different initiatives there, but one of them was actually building some authentication and authorization applications and infrastructure for all of their internet and external sites around the world, and that’s where I really started dabbling quite a bit with security doing some things with old app infrastructures and single sign-on and things like that.  And then it progressed from there, and I just kind of – I think by the time I reached Ernst & Young, I was doing it full-time. 

Dennis Fisher: Okay.  Yeah, it’s interesting.  I covered the auto industry back in the ‘90s, too, so I remember watching the automakers, especially the big three, try and figure out what they were going to do with the internet.  You know, whether they were going to let like every dealer build their own website, whether they were going to try and build it for the dealers.  How all their authentication stuff was going to work in terms of like, you know – because there’s a lot of communication that goes on between the dealers and the factory in terms of like inventory and financing and all of that.  It must have been kind of a mess to deal with.

Ed Bellis: Yeah.  That’s probably an understatement, but yeah.  We were totally – I mean, it was all brand new to us, so we didn’t even realize what we were getting into.  But I mean certainly after I ended up leaving Ford, they actually ended up building a whole separate business out of just their B-to-B exchange network where they combined everything they were doing at Ford along with G.M. and Chrysler, and created a separate company which was spun off that managed a lot of that for them.  So it turned out to be a mess yes, but a big business for somebody. 

Dennis Fisher: Oh, that’s right.  They did.  And it was sort of an online exchange for them and their suppliers and their partners and everybody.  Right? 

Ed Bellis: Absolutely. 

Dennis Fisher: Okay, so back in the ‘90s when you were first getting into security, at that point it was kind of just network security.  You know, keeping people off your network.  Things have obviously changed a lot since then, but it’s – you know, the basic goal is kind of the same.  Which is, you know, keeping the sensitive data safe.  How’s the practice of information security changed in the time since you started ‘til now? 

Ed Bellis: Sure.  For one, I would say that it’s certainly received a lot more attention in the past oh, five to ten years, than it did in the ‘90s.  But I would say probably the biggest challenge and the biggest change that I’ve been dealing with from a security standpoint over the last ten years, it’s just that the pure size and complexity of everything.  We didn’t even – just taking my past 5 ½ or so years at Orbitz and the amount of growth that we’ve gone through both organically and by acquisition, we have ended up with a hodgepodge of different brands and systems and applications and everything around the world.  And the complexity has increased, you know, tenfold at least. 

And yes, we’ve grown in terms of the number of resources that we have manning that, but it doesn’t compare to the amount of complexity that you end up dealing with.  So some of the things that we’ve been working towards getting a better handle on is building in – I know a lot of folks in my position are given the same things, where they’re looking at their – you know, their development life cycle and how they can put security into it, and we’ve moved from a traditional waterfall model – you know, several years back, which most folks are not using agile.  We’re certainly no exception to that rule.  And how do we keep up with not only the complexity, but the speed of which we push things out to production.

So you know, if we’re pushing out different iterations and different builds on different brands on different systems all across the world every single week, and we as an information security team certainly don’t scale that well to keep up with all that, how do we go about doing that? 

There’s been a few initiatives.  One obviously just some of the areas that we can inject security into the agile process through the different iterations and stories, but also pushing those security tests up further into the life cycle, trying to reach all the way up to the developers rather than – I would say, you know, six, seven years ago you were talking about testing well after something meets the productions to now hopefully catching it so that, at the very least, within the QA environments. 

Dennis Fisher: Right. 

Ed Bellis: So I’ve been pushing.  In fact, the talk that I gave at _____ D.C. recently was talking about using SCAP, which is the Security Content Automation Protocol.

Dennis Fisher: Right.

Ed Bellis: And the whole point about that is it’s a collection of standards that help you automate a lot of the – I don’t want to say the mundane tasks, but the ones that are certainly automatable if that’s a word.  I’m sure it’s not.  [Laughter]  So that you can focus and scale your team on the more strategic initiatives within your company.  And that’s really the only way a business like ours can continue to grow and keep up with the demands of a security team. 

Dennis Fisher: I mean obviously your business is pretty much entirely web-based, and you know, if things go wrong for your web applications, it’s an enormous problem.  So how much – not authority, but how much input do you as a security guy have with the application developers?  You know, because traditionally in a lot of organizations those two groups of people don’t always get along all that well.  

Ed Bellis: Yeah.  I’ve got to say that we’ve made an absolute ton of progress here.  One of the things I’ve talked about in the past is actually developing a security satellite type team where you are – you’re almost cherry picking individuals within development and within QA, and within operations to kind of be your eyes and ears on the ground for security.  And we brought in, you know, a series of several development teams, and conducted secure code training on site where we’re going through and showing them you know, not only all the issues, but how to actually prevent these issues.  How to fix the ones that are currently there.

Dennis Fisher: Yep. 

Ed Bellis: And it’s been really helpful.  I think you have to maintain a good relationship.  As far as the amount of influence we have, I’m not sure that we have any more or less than any other area of the business, but that’s actually an improvement I would say over the past ten years in security where you’re right, ten years ago you talk about security, more than likely you’re talking about systems and network security and not much on the application side. 

Dennis Fisher: Right, and it seems like you know, maybe at the beginning of this decade, you know, eight or nine years ago before you started hearing a lot about software security, it just – you know, most developers didn’t have any kind of security background.  They didn’t see it as part of their job.  Maybe they figured that was – you know, security was something that you addressed after the application was you know, developed and probably deployed.  So that obviously made things a lot more difficult, and it sounds like getting things started as early in the process as possible has helped you guys out a lot.  

Ed Bellis: Oh, most definitely.  I would say it certainly – it’s an uphill battle.  Right?  And it’s not just – I mean, you’ve got to get everyone in the same mindset that yes, security is not only everyone’s job because that’s quite the cliché, but it’s a piece, specifically when developing web applications – it’s a piece of your job as much as a piece of it is of performance.  Right?  You wouldn’t design or develop an application that just performs so unbearably bad that no one’s going to be able to use the sites or, you know.  The security bugs, the tracking system, certainly gets as much if not more attention than a function bug, or a performance bug or anything else.  So I think we’ve made a lot of progress in that area.  Obviously we’re still working on it.

Dennis Fisher: Sure.  Yeah, I think everybody is.  You know, including the big guys, too, who we all know.  So in the last, you know, maybe three or four years, there’s been this huge epidemic of data breaches.  There’s been a lot of press attention about it, you know, both in the tech press and the general press as well.  How’s that focus changed the way that you have to do your job?  Because I think that you guys had a laptop stolen about a year ago or so, which isn’t – you know, the end of the world.  It didn’t turn out to be a gigantic incident the way that some of these others have, but you know, were you able to use that as sort of an object lesson, and say listen, you know, here’s why we really need to be careful with this sensitive data.  Take all these precautions.  You know, all of that kind of thing.

Ed Bellis: Oh, absolutely.  I will say that that particular incident turned out to be certainly painful on my team, but also it was almost ironic about the timing, as we were in the middle of deploying encryption on all of our laptops at the time, and that particular laptop had not yet been hit.  So that was – you know, had us all crying for several nights.

Dennis Fisher: Of course. 

Ed Bellis: The old adage that you know, an incident is worth – I don’t even know what the old adage is, but the incident certainly garners a lot of attention, both good and bad.  But that is a lot – that does a lot to help the CSO in terms of leveraging some of those projects to push some through.  That said, I mean, is laptop encryption – should that be the number one priority for information security at Orbitz?  I would always argue no.  Right? 

In fact, you could look at the number of incidents that happened, if you go through any of the open databases and say, you know, there’s a whole lot associated with laptop theft or laptop loss, or you know, a tape fell off the back of a truck or something like that.  And yes, those are definitely things that need to be considered.  We should do as much as possible to scope down where data flows, and obviously you don’t want it to be on those types of portable media devices.  But that doesn’t necessarily mean that because that data was lost that that data was compromised.  Right?  Whereas things like we’re talking about unlike the web applications – you said it before.  That’s a business.  Right?  That is our cash register, and if something goes wrong in the web application, more than likely that is going to be a direct compromise of our data. 

So yes, in a very long-winded answer, it does help you promote that – those methods and those remediation activities within your organization, but it’s not necessarily focusing or prioritizing the right ones all the time. 

Dennis Fisher: That’s a good point.  Yeah, because the stories you always see, you know, I’ve written them myself –you always see, you know, there’s these paragraphs saying, you know, had this data been encrypted you know, it wouldn’t have been such a big problem.  And there’s some state laws that make exceptions for encrypted data as well in these incidents.  But you’re right.  It’s not always the right focus.  But do you guys do any sort of security awareness, user education type training for your user population around this kind of stuff?

Ed Bellis: We do.  Absolutely.  We do a couple of different things.  We certainly provide some general security awareness training, whether that be online or through customized courses here.  And then we actually go through and give more detailed in-depth security training for specific areas of the business.  Right?  So you may have something much more general that’s training on information security policies, or proper data handling, what to do with PII, et cetera, but then you’ll have specific training for developers, specific training for QA staff, or for you know, systems engineers that are much more geared towards how to go about doing their particular tasks.  They tend to be a little bit more technical in nature. 

Dennis Fisher: And do you feel like that has an effect?  I mean, for the people who maybe aren’t, you know – security isn’t really a part of their job.  They’re just, you know, in marketing or something, but they might have customer data on their laptop when they fly off to San Francisco, or Dallas. 

Ed Bellis: Marketing means lots of training.  [Laughter]  Yeah, I think it has a – it does have some effects.  I think that those relying on security awareness as their security controls are probably in for a harsh awakening if there is such an organization out there.  I think it prevents – how do I say this?  It prevents the stupid?  [Laughter]  But it doesn’t by any means prevent the accidents, and it certainly is not going to prevent the malicious. 

Dennis Fisher: That’s an excellent point.  Yeah, and so I mentioned compliance a little bit earlier.  How much of your time these days is spent on compliance as opposed to security?  Are they kind of one and the same for you now? 

Ed Bellis: I wouldn’t say they’re one and the same, but we have worked really hard to map out essentially – we’ve got a catalog of our own security controls right within the organization, and we’ve created this catalog based on what’s the right thing to do and how’s the best way to protect that data.  And then mapping that back to the compliance requirements.  Right? 

So I’ve had this discussion with Mike Don and others before, but I mean I think it’s pretty well known at this point that security – or compliance is not equal to security, but security can usually equal compliance.  Now I say usually because there are certainly some – we have seen especially on a global basis and talking specifically within the European Union, there are areas where there’s conflicting compliance requirements.  Right?  

Dennis Fisher: Yeah.

Ed Bellis: And you choose the less – either the lesser of evils, or the risk that you’re willing to take, because at some point – SOX is a great example of that.  Right?  Where Sarbanes-Oxley actually conflicts with many of the privacy controls within the EU, or you know, if you’re doing security and data monitoring, that affects some of the EU standards.  In fact, I know that they’re working on this in the European Union where they’re talking about making it mandatory opt-in for the use of any type of cookies on any websites I guess with EU residents.  So obviously that would have a huge impact.

Dennis Fisher: Yeah. 

Ed Bellis: I think they’re far from doing that now, but you know, not terribly far. 

Dennis Fisher: That would be a huge change.  [Laughter]  I mean, I’m not sure how I’d feel about that.  I mean, it seems like a great idea, but at the same time, the challenges involved that seem large and hard to get your head around it at first. 

Ed Bellis: Oh, absolutely.  It’s a huge not only challenge, but it’s a huge change to the way almost all the sites out on the internet are working today.  And not only that.  They could indirectly cause security issues.  Right?  It could – I mean, I would certainly not advocate this, but you could see a site going out there and saying okay, well if you can’t use cookies, then we’re going to check things like session tokens within the URL to get _____.  Well now you’ve got a much bigger security problem all in the name of compliance. 

Dennis Fisher: Excellent point.  Yeah, that’s – so it’s that sort of cascading effect that maybe isn’t taken into account, especially by legislators who may not have a technical background. 

Ed Bellis: That’s a nice way of putting it.  Yes.  [Laughter] 

Dennis Fisher: We’ve seen a little bit of that in our country, too. 

Ed Bellis: Yes, indeed. 

Dennis Fisher: So just to kind of wrap things up, how are you feeling about the general state of web security these days?  We’ve seen a lot of – you know, in the last year or two these kind of really large scale SQL injection attacks against, you know, legitimate websites.  It’s happened to – it happened in the New York Times.  Theirs is a little different.  There was a malicious ad, but there’s been some on Business Week, and other you know, legitimate very popular sites that get, you know, compromised, and then their users get attacked.  And you know, the site owners may not know about it for hours or days after it happens.  So how are you – you know, what’s your general feeling on how things are going these days?  Are we getting better?  Are we on the right track?

Ed Bellis: Yes.  We’re definitely getting better.  I would say that’s another – we were talking how things have shifted over the past five to ten years.  That is one of the big shifts.  Not only a shift to application security, but a shift from you know, attackers going after the sites to attackers going after users of the sites or the application.  Right? 

Dennis Fisher: Yeah.

Ed Bellis: So where SQL injection was a problem before because people were, you know, downloading the contents of your database, they’re now using it to upload contents into your database so you can serve that up to your users.  So that’s been a big change, a big focus.  Just referencing the Verizon data breach report, though, I would say if you just looked at the stats in there, you would say if you were covering a lot of the basics, that eliminates almost everybody that’s in that report. 

Dennis Fisher: Yeah.

Ed Bellis: So if you’re doing all of the basic things at least through application security, right?  If you’re covering all the input and output validations and some of that, you probably have eliminated, I don’t know, just rough guess 80-85% of the attacks that ended up in breaches in that report. 

Dennis Fisher: Yeah, and I think somebody just said that in a – I think it was somebody from the NSA that said that last week. 

Ed Bellis: Oh, I did not steal that from them.  [Laughter] 

Dennis Fisher: No.  We can take that part out.  [Laughter] 

Ed Bellis: I’m sure they will.  They read Orbitz.  Right? 

Dennis Fisher: Right.  Exactly.  Yes.  Yeah, it’s all on Echelon.  You don’t have to worry about any of that.  [Laughter]  Alright.  Well Ed, thanks a lot for your time.  I appreciate it.  And hopefully we can do this again as things go along, and there’s more.  There’s always interesting stuff to talk about, there’s no question about that. 

Ed Bellis: Absolutely.  Thanks for having me on, Dennis.

Dennis Fisher: Alright.  Take care.

Ed Bellis: You, too.  Bye. 

Dennis Fisher: Bye. 


Copyright © 2012 threatpost.com