Lockdown: Protecting the Corporate Network

By Peter High  |  Posted 12-13-2012

IN SUMMARY:

WHO: David Fike, Chief Technology Officer, Marsh & McLennan Companies, Inc.

WHAT: Sharing his perspectives on how best to secure corporate networks

WHERE: New York, NY

WHY: To provide CIOs and other IT leaders with actionable advice and insights about how best to secure the corporate network during increasingly complex times

David Fike, Chief Technology Officer of Marsh & McLennan Companies, Inc., shares his perspectives on the steps he has taken to secure his company's corporate network and the methods he uses to stay a step ahead of those who would try to compromise its systems. Upon his arrival as CTO at Marsh & McLennan in 2006, Fike formed MMC Global Technology Infrastructure, the first significant attempt to centralize infrastructure across the company. Among other goals, part of Fike's reasoning in doing so was to build a more secure corporate network.

Describe your approach to securing the corporate network at Marsh & McLennan Companies.

The most important thing to realize is that our security posture and what we're defending against changes rapidly and in real time. The biggest challenge is that what you do today to protect your network isn't going to protect you tomorrow.

The security landscape and types of threats are changing faster than ever. The bad guys are getting smarter and their "time to market" is getting shorter. As I think back to the security challenges we faced in 2006, it is like we are living in a completely different world today.

The starting point is building a strong, knowledgeable team. It is important to hire a seasoned chief information security officer to lead the change and ultimately take responsibility for security. You can spend all the money in the world, but if you have the wrong people it won't matter, so people are really essential.

As your program evolves, a natural conflict will arise between colleagues wanting to access new technologies and services and your need to mitigate the security risks behind those new things. Some examples include:

  • Cloud computing, which brings a lot of advantages to the corporation, but also comes with new and challenging security concerns.
  • There needs to be a balance between effectively protecting our assets and making IT services easy to use so that our colleagues are as productive as they need to be. There is a tension there that can be tricky to reconcile.
  • Security is not "one size fits all." The security profile and needs at one company may be very different at the next. The trick is to work with business leaders to preach the need for security, while also delivering services that meet their needs.

How do you get the balance between ease of use and security right? How do you ensure that the pendulum is not swinging too wildly back and forth?

There are two key actions that I would advise IT leaders undertake. First, stop "bad" (that is, not secure) behavior and identify secure alternative solutions. It is important to know which colleagues are accessing which systems and make sure that people do not access systems in ways that they should not. The CISO needs to be on top of that.

This suggests the policing aspect of security. The second piece of advice, which is to balance things out, is to be prepared to offer alternatives. If the access to systems people want to use isn't appropriate, it is not enough to simply say "No." IT leaders need to understand the needs of colleagues; if they are attempting to do things in an inappropriate way, research and advise them on appropriate alternatives.

Potential threats can change from day to day. How do you remain abreast of the new possibilities? How do you anticipate?

Opportunities and threats have been with us from day one and will always be there. What's important is that we are able to respond to those threats as they change over time. For example, viruses, worms and other social engineering, like phishing, are threats we have always had to deal with. We continue to do so by tackling them through a communication and education regimen with our colleagues. The more informed people are, the less likely they are to be socially engineered to give away passwords.

It is also important to be visible in the security community to understand and ward off unique attacks. We do this by staying engaged with peers in our industry and various government groups. Together, CISOs can form a best-in-class center of excellence.

Another aspect to responding to threats is automation. There are so many attacks and so many threats that if you haven't automated everything you can, you won't be able to keep up. There isn't a big enough budget or enough people in any organization to fight threats without automated help.

We must also keep current. Unless you establish and enforce standards, and continue to modify them, you'll have a very difficult time protecting your environment. It is difficult to patch vulnerabilities in numerous versions of server and network operating systems; therefore it is important to maintain currency with supported versions.

Did you go from many to fewer software instances?

Yes, because then our operations team has just one patch to worry about. Automation helped our operations team focus on critical areas, and isolate and address those concerns.

How do you measure success?

We track metrics like you wouldn't believe. We practice attempts of different types with various parameters and review trends on a monthly basis. We are also aware of and update virus pattern files on a weekly, if not daily, basis so that we can stay in front of serious incidents.

What do you foresee as security challenges in the future?

We work in a very mobile world where we need to secure corporate data on a personal device and be able to wipe it just as easily. BYOD, Android, Dropbox and mobile applications have enhanced communication and colleague productivity, but also make it increasingly more difficult to secure data. New technologies bring new challenges.

With regard to pushing toward flexibility in the workplace in IT, are there any hurdles that you need to get over to make sure that you do it right?

The distribution of assets within an organization is always a struggle, and particularly now. It has been difficult to compromise at Marsh & McLennan since client and internal corporate data protection is part of our primary responsibility. Over the last few years our security spending and head count have increased as the risks to the environment have increased.

We also use external security companies that monitor our networks and augment our team. We have an in-house security operations center and external partners, so we have two separate sets of eyes looking at our security 24/7.

Anything else you'd like to add?

We have a good multi-year program and strategy. Our company, fortunately, has business management that supports and aligns with the security posture, and we have a clear governance process for all strategy decisions.

I also want to highlight that we regularly test ourselves. This is key. We have tools and outside relationships to identify how we're doing from a security perspective, which allows us to improve. We specifically test our applications and infrastructure and are proactive about finding problems.