Hackers' Worst Nightmare Sports a Politician's Smile

It's not hard to imagine Dorsey Morrow as a high school kid discovering that computers interested him more than football. Now an attorney and holder of the highest network security certification available, he's only 34 and looks younger.

Some of his elders may remember Eagle Corp.'s "Eagle II" computer, the one Morrow got his hands on after playing with an Apple in a sophomore computer lab at his hometown high school in Selma, AL.

"I suppose the guys I hung out with ... we were all geeks!" he laughs, rocking back a little in the chair of his office in Montgomery. "I learned a little programming in 10th grade, and then Microsoft came along and I got interested in DOS, then just went on from there."

He "went on" to earn a bachelor's degree in computer science at Troy State University and was preparing to attend law school in New Hampshire when he met his wife-to-be, the former Paige Kyser of Montgomery.

He smiles again: "She has strong roots here." He finished law school in Montgomery, not New Hampshire, in 1993.

Today, Morrow continues to practice law in Alabama, occasionally filling in on the bench in Montgomery Municipal Court, but his principal work still involves his love of all things digital. And much of his professional experience in that area has been in a financial environment. He oversaw the computer systems of a Montgomery-based insurance company during his law-school days.

He found time to earn an MBA along the way as well.

This past December, Morrow became a network security expert for Newark, DE-based Hyperon Inc., working with Brinks Internet Security, a joint venture of Brinks and Hyperon.

Not surprisingly, considering his easy, Southern manner and unabashed interest in politics, Morrow is as friendly as they come and a great talker. Nonetheless, his smile disappears and his tone grows dead serious when the subject turns to corporate data security and the hackers who take pleasure, if not always money, in trying to compromise it.

"Fortunately," he says, "most of them are ... well, I call them 'script kiddies.' They use 'scripts' that are available at any number of [hacker Web] sites. They download these scripts that make it easy for them to run the attack. Those aren't the guys you have to worry about as much, in part because they like to brag about what they've done. They are out there rattling the doorknob to see whether they can get in.

"It's the security breaches that you never learn about that are the real threat: the ones who are quiet as a church mouse and like surgeons. They come in to get money as fast as possible, then disappear."

Professional hackers choose their targets carefully, says Morrow, who passed the International Information Systems Security Certification Consortium, or ISC2, examination in 1999 (on his first try).

"They are very, very careful in coming in [to your network]. They do their damage and go away quickly and quietly."

And the pros, Morrow adds, don't brag about their successes.

Asked to name a few Brinks Internet Security clients, his smile returns, but it's a smile even a rookie journalist would recognize immediately as an "I can't talk about that" smile.

"I'd best just say several very large banks and credit card issuers," Morrow allows, "along with some large manufacturing corporations."

Although he's quick to point out that he considers his legal specialty computer law, Morrow is also careful to note that he is licensed to practice law only in Alabama and his work with Brinks Internet Security focuses exclusively on protecting corporate clients' networks from both intrusion and internal threats.

Security has been a focus of corporations for some time, of course, but has "seen even greater attention" in financial services in the past two years, since Gramm-Leach-Bliley.

"Companies realize you must have security, so you could say our business has cranked up," Morrow says. "Detection is hot, but the fact is that an ounce of prevention will save you from having to spend a pound on that protection."

As with his employer's client list, he is hesitant to describe Brinks Internet Security's operations in detail.

Too down to earth to be given to melodrama, Morrow makes no bones about the people he's up against. "They're criminals," he says in a no-nonsense tone, "and they represent serious threats."

If Hyperon or Brinks Internet Security ever decides to put one of their own in a marketing campaign, they'd be crazy not to use Morrow. Hyperon's network security expertise (the company's president, Jim Molini, also holds ISC2 certification) "really was a perfect fit with Brinks," beams the young lawyer, who serves as the security consortium's general counsel on a volunteer basis. "Brinks also had a tremendous amount of knowledge about information security and [a network] infrastructure that would be difficult for anyone else in the world to duplicate."

The bulk of his work involves financial networks, Morrow says, adding that "banks have huge privacy responsibilities in the wake of GLB. All financial services organizations have begun looking at security in a whole new light."

Pressed for at least a general description of his firm's operations, he says Brinks' "intrusion detection system, or IDS, can pick up on any instance of unauthorized outbound client information."

Such an instance wouldn't necessarily mean the data was "leaving the bank," he adds. If the information made its way to a part of the network on which it didn't belong, and on which it could become more accessible to an intruder, the security technology would make that known.

While it's true that he could tell more exciting stories, Morrow says a substantial number of security lapses are owing mostly to companies' failure to stay current on available patches and fixes for their applications.

"A bank's software vendor may well inform them about a problem and say, 'Here's what you need to do.' Too many banks don't get around to it."

Detection may be sexy, but prevention, Morrow says, is smarter.

But detection of what?

"Any circumvention of your security standards basically," he says. "Any anomalies, anything that strikes you as odd, is probably a sign that something is going on.

"If you see a heavy, unusual spike, say, someone logging on at 11 p.m. for a long period, that would deserve attention."

In a huge corporate network, which may well be an aggregation of many networks, the ability to detect unusual activity is by no means a given.

"To be able to recognize it," Morrow says, "you must have a good baseline for comparison. Privacy is the driver, but you must have a good baseline of what your systems are." Brinks Internet Security project teams work closely with senior management as well as the IT staff for that reason, "because the job of setting those parameters and establishing a baseline for systems is based on each individual client's preferences."

Echoing a theme one hears from virtually all technology firms serving large corporations, he adds: "Without that buy-in from top management, you're going to face significant roadblocks, and that means the job is not going to get done properly."

Security is a "dynamic, changing issue," Morrow cautions, "and it can be very creative on the criminal side. That's why prevention is so critical."

After delivering to clients an assessment of their current security environment at a level of detail specified by the customer ("For some relatively small clients, we're asked to do what amounts to a quick fly-over," Morrow says), Brinks Internet Security normally is hired to fix the vulnerabilities it has identified.

Once again sounding like a no-brag, just-fact observer, Morrow notes that he has never been unable to "find cracks in even the best security systems."

"Occasionally, we don't find cracks or obscure little things. We find gaping holes."

Managers with IT responsibility react differently to the news, but "it's the ones who are not offended when you tell them about it ... that's when you know they're really interested in security."

Morrow says the economy's sputtering performance in the past year hasn't stemmed banks' demand for security services, including technology consulting related to privacy.

"At the same time that banks don't mind spending the money necessary, this is an area where they see real value in return. We see a great deal of business on the horizon, too, on both the consulting and security technology side," Morrow says.

Every bit as dynamic as the latest intrusion threats facing corporations is the law surrounding the operation of the Internet as well as multitudes of private networks, he says.

"Over the past five years alone, this area of the law has exploded," adds Morrow, who makes it his business to stay abreast of it.

"And you really have to immerse yourself in security, too, and read constantly. Luckily," adds the politician in him, "my employer provides an allowance for books and periodicals. You can't beat that."

Spend an hour or two with Morrow and you'll bet it would take one heck of a hacker to beat him at his game.
