Q: Are you the first Chief Information Security Officer for the Red Cross? What in your background prepared you for this role?
Yes. I've been in security for almost 20 years now starting with the naval nuclear program when I was with Westinghouse. We were a prime contractor. At that time--this was probably in the early to mid '80s--the proliferation of computing equipment and the distributed nature was starting to happen and they were taking the security aspects quite seriously, so we were far ahead of the commercial industry in terms of our addressing the issue by having people dedicated to that function. I was an information security systems manager for the program ... and did everything from soup to nuts.
Q: Do you think more organizations are bringing in CISOs and if so, do you think this is as a result of Sept. 11th?
That certainly heightened everyone's awareness for sure. In terms of cyber security, I think the defining factor was in conducting business over the Internet; people are less willing to conduct business if they don't feel secure about their [online] transactions. Here at the Red Cross, I was brought in primarily as a result of some audit findings, [which indicated] there wasn't a dedicated function for security and it needed to be addressed within the Red Cross with the number and complexity of our computing systems.
[Previously] I actually was the first security manager at the House of Representatives in 1996. We developed a computer emergency response team that interacted with the Senate and The White House and alerted people to different vulnerabilities. We would share information with our contacts [there] ... and keep them apprised if we saw something. It was fun to work with the other agencies in that way. My direct title was that of security manager. That brought me from Pittsburgh down to the D.C. area.
I'm affiliated with an organization called FIRST (Forum of Incident Response Security Teams). They're a worldwide consortium of computer incident response teams from the military, government, and private sector. We're in constant communication with teams from around the planet regarding vulnerabilities. I'm trying to tap into as many systems as I can and have an early warning system on the latest happenings on Internet threats and viruses and things like that. Right now there are fewer than 100 teams across the world that are part of FIRST. Here in the U.S. I think there are about 50 to 60 teams across the U.S. We have a core team comprised of about 10 individuals, all in the technical arena.
Q: What would you like people to know about computer systems security?
The whole discipline is going through a metamorphosis and people's awareness is obviously heightened. My biggest concern with the home user is as broadband proliferates ... I think people are going to be naive about how things really are, and if they don't have virus protection or a personal firewall I think what we're going to see is that insecurity is going to proliferate back into their companies. In other words, as they connect in to their companies they may put their companies at risk if they access [networks] from their home computer. I'm really concerned about the home usage in general.
Another aspect would be ... Web-enabled systems. Everyone wants to get everything up very quickly [meaning their applications, their Web sites and their connections to back-end databases] and that's where you see a lot of compromise because things haven't been properly tested. I question the security and robustness of the systems and they may be lending themselves to more holes and enabling hackers to get into the systems. I've heard that XP is somewhere around 20 million or 40 million lines of code; whatever that number is, if you take the normal coding axioms that state for every thousand lines you have ... you wind up with significant potential holes in your operating system. Due to the size and number of lines of code, there's more opportunity for bad lines of code by the sheer number and complexity.
Q: You mentioned you just became an adjunct professor for University of Virginia's Security Management Certification Program. Why do you feel certification in this area is so important?
The actual degreed programs in information security are just being developed now at the undergrad and graduate levels. We have to fill in a gap with certification to fill that niche - the niche of having trained security professionals. That's becoming more the norm [to have certified security people] and many today have CISSP (Certified Information Systems Security Professional) and that's preferred. So there's a level of consciousness in the business world that states people have certifications similar to hiring Microsoft people [with their certifications]. There's an organization called SANS (System Administration Network Security) and they also have a certification program in information security. They're filling a niche that's more technically oriented. CISSP is more management oriented.
Q: Are these rigorous programs?
CISSP has a stipulation that you have to have at least three years' security background as a practitioner. By and large the testing process is very rigorous. SANS certifications are taught either through an online model or by going to one of their conferences.
Q: What is occupying most of your attention these days?
We have a real problem with so many of these threats and vulnerabilities surfacing. The tough part is making sure all our systems are upgraded and patched properly. An example: there was recently an SNMP (Simple Network Management Protocol) vulnerability that was really far reaching that included almost every operating system and network device that touched everybody worldwide. This was huge. (Read related story: "Surviving the SNMP Vulnerability Scare") These threats and vulnerabilities come up almost daily and we have to gauge the impact to our environment. If it's a high vulnerability it has a high threat potential, and we have to make sure we get in contact with the vendor and get patches and apply them. It's a real constant battle making sure you're applying these patches and fixes appropriately. That's pretty much the main issue. Then we're constantly scanning our systems for vulnerabilities even though we're going through a rigorous process of installing patches. There's always a case where a system may not have a patch.
I'm a proponent of constantly assessing your systems. The basic model is for a Big 5 consulting firm to come in and do an assessment and the organization has to fix the problem, but there are so many gaps in there when a problem arises and you can't wait for the auditor or whoever to show up.
Q: What's your view on the implementation of new technologies and bleeding edge versus a more conservative approach?
I love technology and the things it can do. [But] I think it's prudent for organizations to sit back and perhaps wait for the issues to be shaken out, if you will, and not go in with the bleeding edge. An example of that is the wireless technology; there's a lot of jumping on the wireless bandwagon and a lot of insecurities with the wireless applications. I'm trying to hold back the floodgates. There are certain applications, like for your PDAs, there are nice applications for those types of things, but if you're thinking about a wireless LAN application, you have to be careful. There are lots of horror stories [about people getting access to things they shouldn't be able to with wireless]. We're cautiously approaching some things ... you just can't jump in until the dust settles a little bit.
Q: How large is your IT department and what security skills are you in most need of right now?
We have approximately 750 people under our IT umbrella. We're doing OK [on the security side] but I could probably make a case for more help. I like being able to handle all facets of the job. If someone asks me about my skill set I say, "I'm a little bit country, a little bit rock and roll." I don't like just the management aspects but the technical aspects and being able to get into a system and scan it and understand exactly what's going on with that device.
Q: Who do you report to and what goals have been set by you or by upper management for this year?
I report directly to the CIO. We're at a very nascent state in our security program building everything from the ground up. Basically we're working on the outer periphery and the goals are to have some of our technology in place like intrusion detection. We have a pretty good anti-virus technology process and infrastructure but we're even going to look to improve that with some technology. Some of the goals from a security management side are putting fundamental security policies and procedures in place. By that I mean something as simple as a password policy.