Gary McGraw: This is a Silver Bullet Security Podcast with Gary McGraw. I’m your host, Gary McGraw, vice president of security technology at Synopsys and author of “Software Security.” This podcast series is co-sponsored by Synopsys and IEEE Security & Privacy magazine. For more, see www.computer.org/security and www.synopsys.com/silverbullet. This is the 148th in a series of interviews with security gurus, and I’m super pleased to have today Gøran Breivik. Hi, Gøran.
Gøran Breivik: Hi.
Gary: Gøran Breivik is the CISO and chief privacy officer of the municipality of Bergen, Norway, the second-largest city in Norway, with a population approaching 300,000. After a brief stint in the army, Gøran was a consultant and programmer for a number of organizations. He’s an early adopter and active participant in software security in the Nordics. He organized the ROOTS Conference for a decade, started and ran the Bergen Java User Group for four years, and served on the board of the regional Norwegian Computer Society for two. More recently, Gøran has focused on building security in at the workplace, even while his purview has expanded into privacy as GDPR swept the world. Gøran has a degree in information science from the University of Bergen and holds a CISSP. He lives in Bergen with his wife, Anne, and two teenage boys. So thanks for joining us today.
Gøran: Yeah, thanks for inviting me.
Gary: It’s nice to have you here in Virginia, and I can actually see you across the room, which is odd for one of these Silver Bullets. So you’re a trained technologist who’s been working for a city government for a decade. What’s it like to work with a city government and try to align its goals with security?
Gøran: It’s really interesting to work with the security technology and the business of the local government. It’s really a huge field of different topics and different problems we have to deal with.
Gary: So city governments are providing services for people and thinking about stuff like water and sewage.
Gøran: Yeah, yeah, yeah.
Gary: Stuff like that. And so security seems to be kind of a tangential aspect of that. Do you think that you get enough support? Do people pay attention to security? Or do you have to say, “Oh guys, the security too!”
Gøran: Well, you know, people are paying more attention now than they did 10 years ago.
Gary: That’s good. I was getting ready to ask you that.
Gøran: So yeah, and of course GDPR has helped a whole lot, opening even more doors. But I think that especially technologists have been paying more and more attention in the last 15 years. And yeah, I think we’re going in the right direction, but too slow.
Gary: Oh, that’s interesting. So if you had to briefly characterize the approach the city’s taking to information security, what would it be? Would it be network security, data protection, defense of users, building secure systems? What are the components? What’s the main thing you worry about all day?
Gøran: Well, the main thing is actually that we don’t have enough focus in the early stages of digitization. So that’s where we’re trying to go. We’re going into the processes that focus on digitization in different fields.
Gary: I see. So as computers get more and more commonly into everything, you have to make sure that security is thought about.
Gøran: Yeah, computers and software, of course.
Gary: So who sets your budget? Is it the city council, the mayor?
Gøran: It’s the city council.
Gary: Yeah, the city council. And do you go talk to the city council about what you need from a security perspective, or is that somebody else’s job?
Gøran: Well, not directly. I talk to the administrative leaders.
Gary: They do the pitch.
Gary: Do you think they understand what you do?
Gøran: Both, a little bit of both, I think. Some of them do, and they—of course they understand some of it, but don’t get into the technology part of it.
Gary: Sure. But they know how to ask for money.
Gary: I mean there’d have to be somebody who understands it, either them or the city council or somebody to set a proper budget.
So you have a set of people that are working for you now. What kinds of backgrounds do those practitioners come to the table with?
Gøran: Well, they are pretty diverse, actually. We have one person with a judicial background (I guess you call it that in English). And we have a couple of people that have a more technological background. One of them came from the same course of study as I did.
Gary: Yep, OK.
Gøran: And we also have a couple with an army background. So that’s pretty much it then. Actually, we have a social anthropologist.
Gary: Oh wow. So do you look to bring people with diverse backgrounds into your group?
Gøran: Yeah, absolutely. And that’s because of two things, of course. One thing is that it’s difficult to get people with the same kind of background that I have, software security and security in general. We have a shortage in Norway also. So that’s one reason, but also to build a nice team that can support each other in different ways.
Gary: Yeah, interesting. So, long ago in a previous life, you worked on abuse and misuse cases in software development, like 20 years ago, with a focus on agile methodologies. Is it hard to get developers to think like a bad guy?
Gøran: Yes. And no.
Gary: OK, let’s hear the answer.
Gøran: Yes, because they are, you know, they’re told to prioritize just the really important tasks, and their leaders don’t think that security is the most important task yet. Not everybody at least.
Gøran: But then again, you have much more focus from developers today, I think. They are much more interested in seeing what security is about and learning about how to hack their own code.
Gary: So they have naturally a more skeptical stance than they would’ve, say, 20 years ago?
Gøran: Yeah, absolutely.
Gary: Why is that? Is that just because security is something that’s more common that people think about more? Why do you think?
Gøran: Yeah, I think that’s because security has become more of an everyday problem that actually the common Joe knows about. It’s something that even developers now will focus on. They don’t have to be told to do it, and they don’t do it just because they’re told to, but they’re actually interested in it.
Gary: Yeah, in the past, I mean, one of the problems in software security is that developers weren’t aware that they were supposed to think about security. And if you said, “Hey, you guys should work on security,” they’d go, “Oh, that sounds great. That’s cool. Teach me about that.” So it’s not like they didn’t want to, and they knew about it and didn’t want to, it’s more that they just didn’t even know that that was part of their job.
Gøran: No, that’s true.
Gary: And that’s changed?
Gary: Even in Bergen?
Gøran: Even in Bergen. Even though we started pretty early with the ROOTS Conference in 2003, I think.
Gary: Yeah, you’re anticipating my next question. So you were active in the ROOTS Conference for a decade, you know, starting in 2002, 2003, and serving as chair for a number of years.
Gøran: Yeah, well, not as chair, but on the board at least, or the committee. And I was running the security track. We started that in, I think it was 2003.
Gary: I think I went to that one.
Gøran: Yeah, I think so, so you were…
Gary: It was 15 years ago.
Gary: So at that time, agile was fairly new. It was the trendy thing in software development. And now software is moving towards even more rapid development cycles, with stuff like CI/CD, continuous integration, continuous development. So what impact does that speed have on security, in your opinion?
Gøran: It seems to me, at least those environments that I’ve been watching for the last couple of years, it has a positive impact on their focus on security.
Gary: Mm-hmm. That’s good.
Gøran: Because yeah, they have more control, they have more time because of automation in those processes, so they can use more time to watch what’s happening and start to learn about security themselves.
Gary: That’s good. That’s kind of ironic.
Gøran: Yeah, it could be.
Gary: You know, so the development cycle’s tighter, but it gives you more time to think about security.
Gøran: Yeah, because it’s faster to get the fixes out. It’s also more relaxing, I guess. I don’t know. I haven’t talked to them about that exactly.
Gary: There are some aspects of software security that are easily automated, like finding bugs or doing automated regression testing, and there are other aspects of security that are difficult to automate, like architectural analysis or threat modeling. So do you see a discrepancy there in the types of activities that developers are carrying out these days?
Gøran: Well, I think that’s due mostly to their interests. We have a couple of developers that are pretty interested in architecture that will naturally do that kind of analysis, architectural analysis, to find problems and understand problems. And then again you have people that are more into coding and are using activities that are more about the code stuff.
Gary: Yeah, but the code stuff in some sense you can automate, right? So you can have a static analysis tool find bugs for you.
Gøran: Yeah, can automate to a certain degree, of course.
Gary: Finding them, not fixing them. Nothing fixes them.
Gøran: Right, that’s a big…yeah. I think that’s a big issue with the automation stuff. If you don’t do it right, you get a lot of overhead and then turn people off.
Gary: Right, because they get a lot of false alarms or too much work to do.
Gøran: So that’s a big problem, and people need to do that in a controlled fashion.
Gary: How many developers do you have working on stuff for the city?
Gøran: Not too many for the city. In the core team, there are about 20 to 30, depending on when we’re talking about. And then you have smaller development teams all over the place.
Gary: Right, and some contractors probably.
Gøran: Yeah, yeah. On big projects, we have contractors that even go in and do special tasks.
Gary: And how do you keep a consistent approach to software security among the different teams that are working on stuff?
Gøran: Actually, we’re not trying to do that yet when it comes to software security.
Gøran: We’re mostly trying to…my team are going through the processes that they use to develop software at all, and then we’re trying to put some activities in there. And that’s all we do, and we try to actually just encourage them to think security, do some activities, even though they don’t have…feel they don’t have time to do it all.
Gary: So anything vs. nothing is…
Gøran: Kind of, yeah. But then again, as I said earlier, I believe that people are more into it now. They have more time for it now. They have more understanding. So it seems that the activities are being more popular and more used at the time.
Gary: Yep, yep. So let’s see, I think I met you in 2002 in North Carolina, so that’s been 16 years. And it seems like we’ve made a lot of progress in the world in software security since I met you way back then. So how’s it coming in Norway, this software security stuff?
Gøran: I think it’s really, really too slow. Even though we have, as I said, plenty that has happened in the last 15 years, but still too little. I think that all the software, all the different software conferences are focused on software development. Not to say digitization in general. There’s almost never a real good focus on security during those conferences.
Gøran: That says quite a lot, actually.
Gøran: So they shouldn’t have one conference at all without a proper security focus.
Gary: Yeah, I sort of agree with that. I mean, we have the opposite problem happen in the States too a little bit, where there are conferences like Black Hat that focus on breaking stuff, but they don’t tell you much about how to build stuff properly.
Gøran: Actually, I think that’s one of the big problems, because security people and developers look at security as kind of a special field for people especially interested in that. And I think that’s part of the problem, that we start conferences that are all about security.
Gøran: And other conferences all about development.
Gary: And they don’t ever mix.
Gøran: No, we have to mix them. That’s the whole point. If not, we’re not going to go forward at all.
Gary: So I wanted to dig into the Norway thing a little bit. Academics in Norway, some academics that I know, pay a fair amount of attention to software security. So in Gjøvik at the høgskole and at University of Bergen, there are people working on software security and professors who focused on that. And so there seems to be something in academia. What happens to the students who work on software security when they’re undergrads at these places? What do they do? Where do they go?
Gøran: Well, some of them go out to work with security. I know that a couple of the guys you know from the Bergen environment, they have gone to the same company in the financial services. And so they are pretty strong on application security, I think, if you compare them to a lot of others. Then again, financial services are probably the ones that have come the furthest, in Norway at least.
Gary: Right, so commercial concerns.
Gary: Like banks, they lead the commercial concerns.
Gary: Yeah, that’s the way it was in the States too.
Gøran: And they also I think feel the most attacks.
Gary: Now we’re seeing banks and independent software vendors and IoT vendors all kind of merging into the same thing in BSIMM9. They’re all using very similar architectures, they’re using similar security approaches, so maybe we’re standardizing on some kind of world architecture finally. That’ll help.
Gøran: Yeah, that could help if it’s the right architecture for…I don’t think one size fits all. I think that could be a trap to go into.
Gary: Yeah, of course.
Gøran: But if people are actually paying attention to architecture at all, that will help.
Gary: Yeah, I’m with you on that. We’ll be right back after this message.
If you like what you’re hearing on Silver Bullet, make sure to check out my other projects on garymcgraw.com. There, you can find writings, videos, and even original music.
So how much awareness of software security does the national government in Norway have?
Gøran: Well, they don’t have too much of it. But there are, all the time, there’s stuff happening and cases in the media, and we have, of course, the different departments that focus on security in other areas. And we also have a search and so on. So of course they have focus on it, but in my mind, it doesn’t mix too well with development, digitization of the everyday public sector, even though it’s…
Gary: Gotcha, it’s more about defense and cyber warfare and all that.
Gøran: Yeah, right, right.
Gary: And then you have some national labs like SINTEF that are focused a lot on software security.
Gøran: Yeah, then we’re back at academia again. Even though they are commercially driven, partly at least.
Gary: Right. So you’ve known about the BSIMM since its very earliest days. I think you saw the very first one that had nine firms, and I talked about it in Bergen. Tell me about the BSIMM in Norway. When are we going to get a BSIMM in Norway result?
Gøran: We have actually had one. You know, SINTEF used BSIMM as a measuring stick for…I don’t know, it was a trial in the government, or the public sector, I mean. So we had some results from that. I am not sure if they’re going to use it again. They did it on the…
Gary: They didn’t join the community. They measured themselves.
Gøran: No, I think that’s too…I think that’s sad, actually. I told them that they should, but then again it was an assignment they did.
Gary: Sure. What we see is when you measure yourself, you tend to lie. It’s kind of like looking at yourself in the mirror in the morning. You’re like, “Oh, everything’s great.” And then your wife goes, “Are you wearing that to work? I don’t know about that.”
Gøran: So you should have the community to look it over and, yeah, help you.
Gary: It’s an important part of not just a measurement stick, but being able to talk with the same vocabulary, learn from others, and so on. Yeah, I’d love to see some more BSIMM in Norway, OK?
Gøran: Yeah, me too. So we’ll try to work on that. I guess we, as I have talked to you about earlier, maybe just getting it down in some way would help, because it seems to be built for, at least the material we use or get is from huge companies.
Gary: Bigger companies.
Gøran: Than the Norwegian…yeah, scale.
Gary: So you were a developer for many years, a Java developer, and you did development professionally, really kind of before you became a computer security guy, although your thesis had some security in it.
Gøran: Actually, I was more of a computer security guy and not a developer. And I became a developer because of the market.
Gøran: It wasn’t…there wasn’t a market for security, especially a software security consultant at that moment.
Gary: Sure. So my question is how important do you think it is to be a developer before being a security guy? Like, is it easier to start as a security guy and become a developer and then a software security guy, or start as a security guy and learn how to do development and then become a software security guy? What do you think?
Gøran: I can’t answer that, but I can, from my perspective, wanting to do both programming and understanding programming and computers and security at the same time, and more in my mind became a security guy before I became a developer for real. Even though I wasn’t a good one, I understand much more of how security works and how it…yeah. The depths of security problems are much easier to understand if you have actually developed yourself.
Gary: Yeah, well, and it becomes a little bit different when you ask developers to do something, you know what that means.
Gøran: Yeah, actually.
Gary: You don’t just say, “Hey, fix all your code and do it by tomorrow.” It’s like, “Oh, that looks kind of hairy. I don’t know how you’re going to do that.”
Gøran: So that also helps. We can talk to the developers and one another. We understand each other on another level.
Gary: So recently, GDPR has swept the world in kind of what I think of as a disorganized tidal wave. So how does GDPR impact your job?
Gøran: Well, in several ways, actually. We have, as I said before, we have had a lot more focus on us and what we do and how we can help in the organization. In that way, it has been a really good experience and a positive one. But of course, you have those strict rules about what you can’t mix. It depends on who you talk to, of course, but it seems you can’t mix the responsibility for security and the responsibility for privacy.
Gary: Why not?
Gøran: Too much…well, people mean that you can’t do both things. You have to…when you are trying to do the job as a privacy officer, you are supposed to see to it that the security people do the right thing. But in my mind, it’s kind of the same thing because information security is required by privacy to work at all.
Gøran: Even though it has other aspects too.
Gary: So some people think that they are necessarily at cross-purposes even though they might not always be at cross-purposes.
Gøran: Yes, I usually say that if you are an operational security chief of some kind, that’s another story, of course. If you actually do the operational stuff, or are responsible for putting the security software—like firewalls, whatever, IDS and IDP and stuff like that—to work, that’s another story maybe.
Gary: Yeah. So when you do GDPR stuff in Bergen, are you thinking mostly about the users of the city systems? Are you thinking about data privacy inside the city systems? Like, what is the main…how do you do it?
Gøran: How do you do GDPR? That’s a really big…yeah, a really big question.
Gary: Everyone would really like to know.
Gøran: Yeah, me too. No, actually, we’re just…every system, every need, every process in the public sector uses a lot of privacy information. So the way we do it is that we just go in and do the stuff everybody does, I guess, do an analysis of what information you actually use in this process, and an information analysis to map out what kind of information you use, how you use it, what you actually need. That’s an interesting question on stuff like that. And then we partner that with risk analysis and DPIA.
Gary: Yeah, so I guess in that respect, it works very well with security, because you think about it while you build the systems. You want to build privacy in, you want to build security in, and designing things right really helps.
Gøran: But even though the systems are built, we can go back and have a look at how they are built and maybe tweak the requirements a bit, so we can even get better. So that’s our focus to get better: Use privacy the same way we use information security. Even though it hasn’t got any privacy issues in it, we use it the same way. We use the same methodology, and we use the same way of doing things.
Gary: Are there groups of CISOs or privacy officers in different cities and towns that get together and talk about how to do this stuff in Norway?
Gøran: Yeah, we have an organization called KINS, which is an interest group for information security and privacy in the public sector. We also have something called KS, otherwise for public sector in a lot of different areas. But amongst them are information security, digitization, and privacy. So we meet a lot of like-minded people there, and we talk about experiences and try to…yeah, get better.
Gary: Yeah, and so do the Nordic countries all share information in the same way? Like do you guys talk to the Swedes and the Finns?
Gøran: Well, we do. We meet them, and I know that the different governmental organizations do that a lot. But I haven’t met too many. A couple in organizations—conferences, I mean. In the Netherlands, Amsterdam, I met a couple of people.
Gary: Right, at the BSIMM thing.
Gøran: Yeah. So I guess we do that all over the place.
Gary: Right. Cool.
Gøran: Of course, we share what we can.
Gary: So last question, it has nothing to do with security. You’re an expert photographer. When did you start taking pictures?
Gøran: Oh, I think I started when I was about 13 years old. I got a camera, an old Pentax, and then I took a lot of pictures for a couple years and put it on the shelf for a couple years, and then I’ve been on and off for all my life, actually.
Gary: Ever since you were 13.
Gøran: Yeah, yeah. So it’s a hobby of mine. I like to do that in my spare time.
Gary: Yeah, and here’s the kicker: So what’s the best picture you ever took?
Gøran: That’s a difficult question. I’m not sure if I know, actually. My favorite at the time, right now, is one I have on my wall at home, a picture of the sunrise at our favorite Greek town we used to go on vacation.
Gary: Because there’s sun.
Gøran: Yeah. We were hoping for that here too.
Gary: Yeah, sorry, we’ve eradicated the sun this week in Virginia. You should know, listeners, that it’s been raining for…ever since they arrived from Norway, the whole time. There is sun here sometimes, honestly.
Gøran: Yeah, you’ve told me a couple times. I’m not sure if I believe it.
Gary: Well, thanks, Gøran. It’s been interesting.
Gøran: Yeah, thank you.
Gary: This has been a Silver Bullet Security Podcast with Gary McGraw. Silver Bullet is co-sponsored by Synopsys and IEEE Security & Privacy magazine and syndicated by Search Security. The May/June issue of IEEE S&P magazine has a focus on AI and ethics. The issue also features our interview with ShmooCon founder and Expel CISO Bruce Potter, who calls himself a “CIZO,” even though he’s a CISO. Show links, notes, and an online discussion can be found on the Silver Bullet webpage at www.synopsys.com/silverbullet. This is Gary McGraw.