CTO David Fike discusses security issues at Marsh & McLennan, including automation, the policing aspect of security and the importance of tracking metrics.
There are two key actions that I would advise IT leaders undertake. First, stop "bad" (that is, not secure) behavior and identify secure alternative solutions. It is important to know which colleagues are accessing which systems and make sure that people do not access systems in ways that they should not. The CISO needs to be on top of that.
This suggests the policing aspect of security. The second piece of advice, which is to balance things out, is to be prepared to offer alternatives. If the access to systems people want to use isn't appropriate, it is not enough to simply say "No." IT leaders need to understand the needs of colleagues; if they are attempting to do things in an inappropriate way, research and advise them on appropriate alternatives.
Potential threats can change from day to day. How do you remain abreast of the new possibilities? How do you anticipate?
Opportunities and threats have been with us from day one and will always be there. What's important is that we are able to respond to those threats as they change over time. For example, viruses, worms and other social engineering, like phishing, are threats we have always had to deal with. We continue to do so by tackling them through a communication and education regimen with our colleagues. The more informed people are, the less likely they are to be socially engineered to give away passwords.
It is also important to be visible in the security community to understand and ward off unique attacks. We do this by staying engaged with peers in our industry and various government groups. Together, CISOs can form a best-in-class center of excellence.
Another aspect to responding to threats is automation. There are so many attacks and so many threats that if you haven't automated everything you can, you won't be able to keep up. There isn't a big enough budget or enough people in any organization to fight threats without automated help.
We must also keep current. Unless you establish and enforce standards, and continue to modify them, you'll have a very difficult time protecting your environment. It is difficult to patch vulnerabilities in numerous versions of server and network operating systems; therefore it is important to maintain currency with supported versions.
Did you go from many to fewer software instances?
Yes, because then our operations team has just one patch to worry about. Automation helped our operations team focus on critical areas, and isolate and address those concerns.
How do you measure success?
We track metrics like you wouldn't believe. We practice attempts of different types with various parameters and review trends on a monthly basis. We are also aware of and update virus pattern files on a weekly, if not daily, basis so that we can stay in front of serious incidents.