This article can also be found in the Premium Editorial Download "Information Security magazine: Security 7 Award winners unmasked."
Download it now to read this article plus other related content.
Security to the Letter
by Herman Mehling
Manager of secure infrastructure services
United States Postal Service
Stress Reliever: Plays ice hockey.
Favorite geek sites: www.techrepublic.com, www.sans.com and www.iss.net
Charles (Chuck) McGann has one of those job titles that simply doesn't do justice to the importance and scope of the work he performs. Describing McGann as the manager of secure infrastructure services for the United States Postal Service is on a par with describing the postal service as an organization that delivers mail.
McGann has an enormously challenging job--securing the world's fifth largest computer network, which consists of more than 500,000 IP addresses, 12,000 servers, 150,000 desktops and 225,000 users spread over 34,000 interconnected offices. Each month, this sprawling, complicated enterprise receives more than 300 million network attacks.
"My goal is to eliminate malicious traffic that could damage the postal service's brand image and potentially weaken the confidence of its customers," he says.
"Chuck is keenly aware of the range of security breaches and understands the damages they do," says Ovie Carroll, special agent in computer crimes from the Office of the Inspector General in Washington, D.C. "He knows it doesn't take much to undermine a network like ours. He has done an outstanding job of rallying all the players together, educating us and keeping us focused on protecting the network."
McGann has stellar qualifications and a unique background that make him a solid fit for the job. A CISSP and CISM, he also holds a certification for information assurance methodology from the National Security Agency. But he brings more than technical expertise to his job--he draws on considerable IT management experience from the private sector, plus a stint as acting postmaster and 18 years as a police officer.
"Chuck is very tenacious--a straight shooter who has helped me create and implement the new structure and policies of the postal service security environment," says Pete Myo Khin, CISO of the postal service. McGann injected business rationale into a security system that used to hold security as an absolute value, says Khin. "Chuck's credo is that business and security are joined at the hip. He works very hard to communicate this to our staff."
In 2004, McGann spearheaded a mammoth intrusion prevention deployment across all the desktops within the postal service. The solution was deployed on 90,000 desktops within three weeks and to the rest within a few months, thanks to a centralized deployment methodology developed by McGann and his team. As a result of this fast and smooth rollout, not a single USPS computer has been the victim of a successful attack. Yet McGann remains humble.
"I could not have achieved such success without an incredible team," he says. "I manage a group of security professionals who act cohesively to commingle their assets for the welfare of the postal service and our customers."
Recently, McGann took on more responsibility by becoming the postal service's lead liaison with the Department of Homeland Security (DHS). His role is to make certain both organizations maintain clear and constant communication about information security in order to develop, plan and execute successful security strategies. In addition to leading the postal service's interagency relationship with DHS, McGann is now driving security assessments to protect the online assets of local post offices across the country.
McGann directs a staff of about 100 who develop and enforce organization-wide security policies and procedures for postal service employees as well as for about 3,000 business partners. As a result, McGann's job becomes more challenging. The postal service's number of business partners has grown ten-fold over the past five years--boosting the potential for security risks.
"The more partners we add, the more vulnerable we are to some individual or group penetrating our security perimeter," he says. "So far, our security tools and procedures have been rock solid, but our challenge is not to become complacent."
This was first published in September 2005