When Nikk Gilbert was hired to run security at Alstom Transport, a massive manufacturer of trains and other large vehicles with operations in 60 countries, he wasn't quite sure where to start. Alstom had never had anyone dedicated to security before, so Gilbert, IT security and telecom director, started at the beginning, with a detailed security assessment of the entire network. What he found offers a number of important lessons for security pros everywhere.
How challenging was the situation when you got to Alstom?
Gilbert: There was no information security guy. I was the first one. So when I came in I wasn't sure what to expect, coming into a company that didn't have any security at all before I got there. When I came in I knew I had a lot of work to do, and the thing that was on my mind the most was to get a feel for the network. So I started playing around with a lot of tools I like to use. SolarWinds is one of my favorites. I got a quick snapshot of how big the network was. Nobody could give me the big picture.
Once you did that and you ran Core Impact, what did you find?
Gilbert: Once I was able to get to the heart of the network, I considered Core Impact because I'd seen it work before. I was really impressed and I knew I needed something. The biggest problem in security is running vulnerability scanners and then you get a 1,000-page report that tells you this machine has 59 exploitable vulnerabilities, and you have this document and there's nothing to it. With Core you don't get that, and everything you get is an actual penetration. There are no false positives. I didn't have a staff yet, so I thought maybe I should get a consultant and run a scan that way. But I thought I'd run into the same problem.
What are the most common security mistakes you find?
Gilbert: There are several key things that people have to do. If you have a large enterprise network, you need to have some kind of local patch management. That's priority number one. You have to get the workstations up to the required security level. When I came on board, I gave people a month to get patched. I just dropped it to two weeks. There were a couple of situations where we had to take it to the next level. Some of our computers are on manufacturing machines. There's a Windows 95 machine that controls a multi-million Euro machine that measures how many microns apart two pieces are on a train. You can't patch a Windows 95 machine. It's a wide open vulnerability. So what we did is put protection in front of it: an intrusion prevention system (IPS) and a firewall. The second thing is antivirus. Every system on the network has to have antivirus. In a global enterprise, you have to have global distribution. The next thing would be IT security policy. If you don't have some way to make it happen with some teeth in it, you're going to run into a problem. Unless you're monitoring and controlling, it's just paper. I'm of two minds on this. I'm for customer service, because if I didn't have customers I wouldn't have a job. But I know security impairs some people's abilities to do a job. You have to have a good balance between security and customer service. When I roll out a new program, I try to find a way to make it attractive to the user. For example, single sign-on (SSO). If you take SSO, slap it on a smart card with PKI, the user isn't going to have to remember 20 passwords.
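The compensating control Gilbert describes for the unpatchable Windows 95 controller, as an added example that is not part of the interview: a default-deny forwarding policy for a small Linux firewall placed between the plant network and an isolated segment holding the legacy host, with the IPS sitting alongside it. Interface names, addresses and the service port are constructed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example: default-deny forwarding policy for a firewall that sits between
# the plant network and an isolated segment holding an unpatchable legacy
# controller. All interface names, addresses and the port are constructed.
flush ruleset

define plant_if    = "eth0"         # plant network side
define legacy_if   = "eth1"         # isolated segment with the legacy controller
define controller  = 10.200.0.10    # constructed: the legacy controller
define eng_station = 10.10.5.21     # constructed: the one workstation allowed to reach it
define ctrl_port   = 502            # constructed: the controller's service port

table inet legacy_shield {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies within sessions the engineering station already opened
        ct state established,related accept
        ct state invalid drop

        # Only the engineering station may open a session, only to the
        # controller, and only on its service port
        iifname $plant_if oifname $legacy_if \
            ip saddr $eng_station ip daddr $controller \
            tcp dport $ctrl_port ct state new accept

        # The controller never initiates traffic outward; log attempts so the
        # IPS/SIEM sees a compromised or misbehaving host
        iifname $legacy_if oifname $plant_if \
            log prefix "legacy-ctrl outbound blocked: " counter drop

        # Everything else aimed at the segment (scans, worms probing an old OS)
        # is logged and dropped
        log prefix "legacy-ctrl inbound blocked: " counter drop
    }
}
```

Because the policy is allow-list only, adding a second permitted client or port is an explicit rule change rather than a default, which keeps the exposure of the legacy host reviewable.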
That's an interesting attitude, because I think a lot of IT folks tend to think of the users as a necessary evil sometimes.
Gilbert: Yeah, but that's not where all this is going. Maybe five years ago the scare tactics worked, where the CSO goes into the CIO's office and says we have to lock everything down or we're going to lose billions of Euros. Now we know it's business that drives IT. People have to focus and say, I have to work on return on investment (ROI), I have to work on customer service, I have to make these programs attractive to the users. That's the IT security professional of the future, I believe.
This was first published in January 2007
Security Management Strategies for the CIO