Motorola Inc. CISO and VP Bill Boni has a formidable job: making sure his global
company with more than 90,000 employees and 10,000 network segments is secure
every minute of every day. CIO Insight reporter Debra D'Agostino spoke to Boni
about how he negotiates the trade-offs between perfection and "good-enough."
What follows is an edited transcript of his remarks.
CIO Insight: How is Motorola retooling operations to boost its information
security?
Boni: There are three key elements, and I think it's important that
all three are considered when you create a new security strategy, because prevention,
although it might be the holy grail and the ultimate desirable situation, is
not possible. We're dealing with IT operations in over 60 countries around the
planet with more than 90,000 employees and a quarter million or so network-connected
devices. Absolute bullet-proof prevention is an unrealizable objective. Given
that fact, what we need to do is have a balance that allows us to quickly detect
threats to our operations, and then identify and prioritize risks to the platforms
of the operations. Even if you are very diligent at seeking out vulnerabilities
and risks and threats, you're still not perfect, so whenever a breakdown happens,
how do you respond? Security is not just about cyber-incident response types
of protocols for things like viruses or intrusion incidents or defacements,
but also about business continuity and disaster planning for events that have
less of a personal-directed nature: acts of nature or acts of broader catastrophes
such as terrorists or things of that sort.
Did this approach to security exist before you took over as CISO, or were
you the change agent?
It's a strategy that has been evolving, and it represents what I think is a
best-practices framework. The challenge is to implement the specific details
that go into those broad, overarching framework elements in a way that's going
to be the right balance for any organization. It's all about deciding the trade-offs
and making them wisely, and then getting the whole company to understand what
the trade-offs need to be. I have been at Motorola for three and a half years.
I came on as director of information security and was promoted into the role
of CISO. We architected the framework and basically sold it to management as
a responsible approach, particularly in light of the Sept. 11 circumstances,
but it was actually in process before that. I would say Sept. 11 was a watershed
event in that it threw into stark relief the fundamental change in the world
environment in which we now operate. It basically crystallized a lot of the
efforts that we had been doing and gave it a more serious context.
Did you find it was easier to get buy-in from the business side after Sept.
11?
Motorola had never been opposed to doing these things, but the events of 9-11
accelerated or increased the momentum. We enjoy significant management support
at all levels of the enterprise, and an increasing level of awareness throughout
the enterprise that security, and increasingly privacy, are key issues that the
business and products need to address.
So as CISO, where do you sit in the corporate food chain?
I report to the global CIO, and I am a peer with the business unit CIOs. As
the CISO, my job is to kind of be the doctor to the enterprise, to say, "Okay,
you have this condition, this condition and this condition, what would you recommend
we do about it?" Just like when you go to the doctor and you say, "I'll
do that, I'll do that, but you know what, I don't want to do that. I think I
would rather do this thing right now so thanks, doc, I hear what you're saying
but I'll make the judgment that for me this isn't the right solution right now."
How do you decide what the biggest threats are?
I am a student of military history, and Frederick the Great, one of the greatest
military geniuses in history, said that he who defends all defends nothing.
And so one of the things that you're struck with whenever you're looking at
this array of resources and all of these different business processes and all
of these different platforms and environments is: Where do you start? If everything
has to be bullet-proof, then you are pursuing the perfection of absolute protection.
So we take a look at the highest risk vulnerabilities that exist, analyzing
things like the FBI's Top 20 list of Internet vulnerabilities, plus we look
at our own platforms and examine the unique things to our business and to our
environment that warrant high attention. So when we do our scanning, what we're
looking for is the stuff that's the highest risk that is in wide exploitation
by the underground, the criminals, the hackers and so forth. So we scan our
network-connected devices on a regular basis and then feed that data into a
vulnerability remediation process.
By definition, if we're scanning for it, then it's already high-risk, so I
don't have to go through a lot of theological debates about whether it's a serious
issue. If it's on that list, it is a serious issue. A lot of energy can be burned
by having a pursuit-of-perfection type of mentality, to say, "Well, we
don't want any vulnerabilities on our network-connected devices anywhere in
the world." My goodness, think of all the bandwidth and the horsepower
you could waste by having an argument with some business manager in some remote
location who says, "Well, I don't think this is a really important vulnerability."
Technically he or she may be right, it's a low-risk vulnerability and you're
arguing and trying to hammer them into submission. So the goal here is to work
with the things that, from a business-impact perspective, have significant
consequence and therefore focus on a process that remediates those that are
significant. And then over the next few years we will work down the list.
How often do you do these assessments?
We are regularly scanning the external perimeter in particular because those
kinds of vulnerabilities are accessible to anyone on the planet who has Internet
access. At least on a monthly basis on the internal network, we're scanning
all the network-connected devices. To put this in context, we have nearly 10,000
network segments. We have nearly a quarter of a million network devices of all
sorts. So it's a big population.
That sounds like an arduous task.
We're not the biggest, but it is a big challenge. So doing that very cost effectively
and very efficiently is one of the fundamentals that has allowed our program
to be effective. That's our goal. Perfection is not achievable with any kind
of reasonable level of resource. And in business, you are always competing,
as you should be, with the next dollar going to something that's going to have
a positive ROI and that's going to put cash into the corporate coffers. Largely
in effect, we are viewed as an insurance premium being paid by the enterprise
that says we should be responsible to ensure the shareholders that we have a
program that safeguards the assets of the enterprise in a reasonable fashion.
But we shouldn't gold plate the protection program because, at the end of the
day, our ability through security protocols exclusively to add revenues to the
company's coffers is very limited.
You mentioned that it was pretty easy to get buy-in from the higher-ups,
but what about the line-of-business people?
It's important that you educate and inform, especially in today's high-tech
manufacturing companies. People are too smart and are not going to do something
just because some corporate person ordered them to. They have to understand
the "why" behind the direction. And so one of the key tasks of my
team, what we have done, for example, is aligned security officers or managers
to every one of our business units. One of their key responsibilities is to
help educate and inform staff on the business and technology side as to the
nature of the policy framework and the safeguards we have in place, and so in
that sense I think of them as my account reps into the business.
So each line of business has its own security representative?
Yes, and those guys are part of my global team.
How many are there?
About a dozen. So part of their responsibility is to help us identify areas
to either enhance, modify or extend the policies and technologies and practices
that we have in place. So it's a communications vehicle that works both ways.
They carry the message from the corporate center out to the units, but they
also carry the experience and the priority inputs back from the unit into the
center. That way, you have a better way of aligning. If all you have is a policy-making
team at the corporate center, you run the risk that there's nobody out in the
business units who really understands and therefore believes in the nature of,
and need for, the control measures. If the people who are in those units are
completely divorced from the center and have no relationship with the security
center, then you run the risk that they become captive to the priorities of
the people writing the report card. But in this fashion it works, I think, very
well. You have the balance between advocacy and awareness, and it helps us to
be effective. It can always be improved, but it has to do with the nature of
the staff that you put into those roles. Most of our folks are people who have
engineering and/or technology backgrounds, and are able to understand both the
business process priorities as well as the technical safeguard priorities.
Are employees trained in terms of desktop security or network security?
Part of our program going forward is to develop and execute an awareness and
training program for staff that would be globally available, and actually monitor
the progress and target specific percentages of the population to achieve a
baseline level of awareness that completing that type of training would provide.
It has happened in pilot, and now we are stepping through the resources and
requirements to take it from a pilot mode to a production mode globally. It
would be a series of either in-person sessions or online training sessions that
would provide a grounding in the policies and practices for security and privacy
for all staff.
So with this new strategy in place, have you seen any improvements to the
security of your systems?
Definitely. We have gone through situations where, prior to this, we would
have an instance of a worm or virus being released, and we would immediately
go through a major remediation protocol. Then we would have little wavelets
of the virus that would rebound because there were pockets of the organization
that hadn't yet implemented the patch, like the I Love You virus, one of those
recurring wavelets that wasn't horribly destructive but was inconvenient and
annoying most of all. And since we have put in the processes and the technology
we have in place now, we have had very few recurrences once the patch or the
remediation or the definitions are available. Also, we have had a 90 percent
reduction in the externally visible high-risk vulnerabilities. It's tough to get
rid of everything because the perimeter is always changing.