When Nikk Gilbert was hired as IT security and telecom director at Alstom Transport, a massive manufacturer of trains and other large vehicles, he wasn't quite sure where to start. Alstom, which operates in 60 countries, had never had anyone dedicated to security, so Gilbert started at the beginning with a detailed network security assessment. What he found offers a number of important lessons for security pros everywhere.
How challenging was the situation when you got to Alstom?
There was no dedicated IT security person--I was the first one--so when I came in, I wasn't sure what to expect. The thing that was on my mind was to get a feel for the network. Unfortunately, a complete network map was unavailable. So I started a LAN/WAN survey with tools I like to use. I got a quick snapshot of how big the network was.
What are the most common security mistakes you find?
There are several key things people have to do:
If you have a large enterprise network, you need to have global patch management. You have to get systems up to required security levels. There were a couple of situations where we had to take it to the next level. Some computers are connected to manufacturing machines that can't be upgraded. We've employed an IDS/IPS firewall in front of them to segment them from the network.
Second is antivirus. Every system has to have antivirus. In a global enterprise, you have to have global distribution.
Next thing would be IT security policy. Unless you're monitoring and controlling, it's just paper.
You have to have a good balance of security and customer service. When I roll out a new program, I try to find a way to make it attractive to the user. For example, single sign-on with a smart card is a way of providing good customer service: Asking the user to remember one PIN versus 20 passwords goes a long way.
That's an interesting attitude. A lot of IT folks tend to think of the users as a necessary evil.
Yeah, but that's not where all this is going. Maybe the scare tactics worked five years ago when the CSO went into the CIO's or CEO's office and said, "We have to lock everything down or we're going to lose billions of euros." Now we know it's business that drives IT, not the other way around. Security professionals have to focus on presenting a business case and doing proof-of-concept to show a return on investment. That's the IT security professional of the future, I believe.
Read the full version of this interview with NIKK GILBERT at searchsecurity.com/ismag.