Managing a Global Security Organization

Bill Boni

Looking forward, where should enterprises be focusing their information security efforts?

Boni: The summary of this would be on enterprise risk management. That is where they would make the greatest contribution to the overall reduction of the most significant risk that can impact business.

You think the upcoming use of portable IP devices has the potential to turn them into global attack machines. Please explain.

Boni: As we’ve already seen in some places, particularly in Asia, advanced data technologies can in fact be abused by computer hackers and other members of the cyber underground for their own inappropriate purposes. Already we are beginning to see the advent of spam in the SMS messaging stream in some locations, so I think it’s a pretty safe bet that as increasingly portable devices acquire increased capability to serve useful purposes, those devices will be targeted for exploitation by criminals, hackers and others.

How is the speeding up of attacks affecting the way organizations react?

Boni: I think that, as we’ve seen with the Sasser worm directed against Windows environments, and prior to that the Witty worm that attacked security devices produced by a particular company, the window between the public release of vulnerabilities and their exploitation has shortened considerably. Two years ago it was still six months to a year between the time when an exploit was released and the time attacks would commence. With Slammer it dropped to less than a month, and now it’s approximately two weeks between the release of the most recent set of vulnerabilities by Microsoft and their exploitation by the worm writers.

So what this means is that companies and organizations that fail to take an aggressive approach to managing vulnerabilities in their environments run the risk of being crippled when a particularly effective or vicious attack is released. So if eternal vigilance is the price of liberty, aggressive patching and other safeguards are now the necessary cost of protecting the global infrastructure against increasingly common threats and attacks.

Comparing security personnel to the police, you call them the Thin Frazzled Line. What does the future hold for the profession?

Boni: Management in all types of organizations is increasingly aware of the vital contribution that thin frazzled line makes to the success of the business and the protection of the infrastructure it has created. So I believe that security professionals will find themselves positioned to make a significant contribution not only to their individual organizations but to protecting the global ecosphere of ecommerce and organizational communication, and therefore to be held in high regard by public as well as private-sector officials for their key contributions to creating a safer and more reliable environment for business.

Where do you think a CISO should fit into an IT operation? Should he report to the CIO or someone else?

Boni: I think there are many different answers to that, as it is very dependent upon the organization, its culture, operations and priorities. I think it is absolutely essential that if the CISO is in the IT organization, they hold at least a peer reporting relationship to those elements that have operational responsibilities. There are advantages in some cases to having the security officer outside of the IT organization, because there is at least a possibility, depending on the personalities and the priorities of the respective parties, that security may find itself being consistently overruled in favor of purely production priorities. However, I think that as a professional it is incumbent upon the CISO to find mechanisms to be effective regardless of the reporting relationship, and to balance the need for relationships and collaboration against the need to be objective and impartial when assessing risk and driving the organization to manage those risks consistently with the business priorities of the organization.

You have developed a four-pronged security program at Motorola. Can you explain the key points: protect, detect, respond and recover?

Boni: The foundation of any good security strategy is very basic. Prevent means finding ways of reducing the possibility that a particular threat will be able to manifest itself inside the organization’s environment. However, perfect protection is typically not achievable at any reasonable cost, so, accepting that fact, it makes sense to have good mechanisms for quickly detecting both vulnerabilities and active exploitation. On the one hand you’re scanning the environment to identify individual systems that may be at risk from a particular threat, and in other cases you are using various sensors on the network and devices to find out where and whether an attack is actually underway and which systems are being probed or attacked. So detection allows you to be less than perfect on your prevention, because it means you’ll be able to quickly determine when a matter requires immediate attention.

This then leads to response: having a team of staff members, both inside the security organization as well as in IT operations and elsewhere in the organization, that understands the response protocol, has a communication list available, knows who to call and for what purpose, and is able to quickly make decisions and take immediate action to react to the event as it is unfolding. And the last is to have recovery mechanisms in place, ranging from backup and recovery software and archival media on the one hand to the presence of a fully tested disaster recovery and business continuity plan for critical environments, locations and activities. With that program to protect, detect, respond and recover, the organization is able to take a balanced approach to its risk posture.

Explain the need for a governance framework in a company the size of Motorola. Also, who is on it?

Boni: Our organization is global and operates in dozens and dozens of countries around the world. We utilize multiple sources of IT expertise to accomplish our mission, among them application development teams, consultants, outsourced infrastructure, as well as teams of IT staff. With that very diverse pool of technologists in various locations and with various organizational alignments, it is very important to have a framework that establishes who is responsible and accountable for accomplishing which elements of the protection program.

One of the things we’ve done is to establish a security working team with every major organization with which we have any sort of sourcing relationship. In every major business unit we have a security manager who is part of my organization and aligns with the business unit’s IT CIO, and the combination allows us to actively dialogue and communicate on policy, procedures and processes, and to work to identify gaps and issues on a timely basis. The structure has also provided us with an escalation mechanism. At times it’s important that the organization formally accept a risk rather than require absolute conformance to a pre-existing policy or procedure framework.
However, there are times when a particular business unit doesn’t see the problem with a particular risk, because it sees all the benefit accruing to itself if it is allowed to waive compliance. So, in the event that the security staff do not believe it is appropriate for the entire organization to accept a risk, the matter is brought to the CIO council. I chair that meeting, and then a decision is made by all the CIOs in attendance and myself as to whether or not the risk is acceptable to the enterprise as a whole. This way we manage the possibility that a particular organization would seek to simply ignore a particular set of requirements because it is inconvenient or they don’t personally see the benefit and advantage. By using the other CIOs to help keep any business unit’s perspective in perspective, we achieve much better consensus and compliance with the essential spirit of the policies and procedures, which allows us to manage risk in an intelligent manner.

The US Government is committed to cyber-security. How should business and government work together to protect the national infrastructure?

Boni: In the US, 85 percent of the critical infrastructure is in private-sector hands. It’s very important for the organizations that have that responsibility to take prudent steps to manage the risk that could impact not just themselves but other elements of the country, by having levels of protection consistent with the kinds of threats and vulnerabilities that need to be managed. The challenge, of course, is that in the absence of any specific information about a targeted type of threat, commercial levels of security will tend to be set based on the individual organization’s understanding of the degree of risk it faces.

If government organizations wish the private sector to undertake greater safeguards beyond the commercial baseline, then it is important that there be mechanisms that allow the timely sharing of threat or vulnerability information in ways that allow private-sector organizations to make informed decisions about the degree and nature of their vulnerability and therefore take responsible steps to manage that risk. Over time I think we are going to see a greater convergence of common interests between the public and private sectors, as organizations understand the nature of developing threats and governments develop the ability to share information more efficiently with private-sector decision makers.

You feel that lawsuits will be filed with regard to security breakdowns. How so?

Boni: I think that one of the challenges we all face is taking steps to manage risk consistent with the changes in the operating and technical environment. I think, unfortunately, there are some organizations that do not take that responsibility as seriously as they should. As a consequence there’s a very real possibility that the legal community will find ways to bring liability and litigation against organizations that are not exercising due diligence or appropriate standards with regard to protecting the information or the operational capabilities they provide to the public. In particular, we have all seen some significant fines issued by the US Federal Trade Commission against large and reputable organizations where particular systems failed to protect the privacy of individuals.