FBI info security chief discusses taking risks with cloud, big data

SAN FRANCISCO—Anyone is a potential target for cyber crime, reminded Arlette Hart, chief security information officer for the Federal Bureau of Investigation.

If any organization nationwide – or even worldwide – is a primary target for cyber crime, it’s the FBI.

Speaking at the Structure cloud industry summit on Wednesday morning, Hart opined there are different levels of enterprise and risk, advising IT professionals in the audience to be more transparent in what they are providing from a security perspective.

“Accepting a risk doesn’t mean it’s going to happen,” Hart said. “It means if the thing happens, you accepted the risk and will take the steps to mitigate that risk.”

As CSIO for the FBI, Hart said she is responsible for managing everything from governance to operational security in protecting the FBI’s cloud infrastructure against internal and external threats.

“I’m not packing heat,” Hart quipped, clarifying she is not an FBI agent in the field.

Hart offered a few insights into the FBI’s cloud infrastructure, noting everything done by federal agencies must be compliant with the FedRamp cloud framework.

“The cloud is all about big data and being able to aggregate data, which are amazing things,” Hart said. “But when the sword cuts, it cuts both ways.”

Hart explained during a fireside chat with Fortune senior writer Barb Darrow that when data is aggregated from multple channels ranging from email to Facebook and Linkedin, those are pieces that can offer trends and analytics.

At the same time, she pointed out, you can also see what people are doing, where they are and when.

“When we talk about how to protect yourself, don’t put all that stuff out there. Be a little circumspect,” Hart advised.

In a related example, Hart suggested a basic digital camera can be used to take memorable snapshots of a child’s birthday party. But that same device, she suggested, can be used for nefarious purposes as well.

Hart touched on a few other hot topics on IT security, including the “Right to be Forgotten” debate within the European Commission. Hart kept her commentary on this subject brief, but appeared skeptical by remarking those who want to be forgotten often shouldn’t be doing certain things in the first place.

Darrow also asked Hart about various methods enterprises are sampling for bolstering security, such as “Hacking-as-a-Service,” a White Hat-inpsired service similar to bug bounty programs.

Hart replied she is not ready to weigh in on that, admitting she could see both advantages and disadvantages to employing these tactics.

“In the business arena, you’re taking risks. That’s what business does,” Hart reiterated. “Data sitting in a box some place is not a value to anyone. It’s a liability.”