CTO David Fike discusses security issues at Marsh & McLennan, including automation, the policing aspect of security and the importance of tracking metrics.
By Peter High
WHO: David Fike, Chief Technology Officer, Marsh & McLennan Companies, Inc.
WHAT: Sharing his perspectives on how best to secure corporate networks
WHERE: New York, NY
WHY: To provide CIOs and other IT leaders with actionable advice and insights about how best to secure the corporate network during increasingly complex times
David Fike, Chief Technology Officer of Marsh & McLennan Companies, Inc., shares his perspectives on the steps he has taken to secure his company's corporate network and the methods he uses to stay a step ahead of those who would try to compromise his corporate systems. Upon arrival as CTO at Marsh & McLennan in 2006, Fike formed MMC Global Technology Infrastructure, which was the first significant attempt to centralize infrastructure across the company. One of Fike's reasons for doing so was to develop a more secure corporate network.
Describe your approach to securing the corporate network at Marsh & McLennan Companies.
The most important thing to realize is that our security posture and what we're defending against changes rapidly and in real time. The biggest challenge is that what you do today to protect your network isn't going to protect you tomorrow.
The security landscape and types of threats are changing faster than ever. The bad guys are getting smarter and their "time to market" is getting shorter. As I think back to the security challenges we faced in 2006, it is like we are living in a completely different world today.
The starting point is building a strong, knowledgeable team. It is important to hire a seasoned chief information security officer to lead the change and ultimately take responsibility for security. You can spend all the money in the world, but if you have the wrong people it won't matter, so people are really essential.
As your program evolves, a natural conflict will arise between colleagues wanting to access new technologies and services and your need to mitigate the security risks behind those new things. Some examples include:
- Cloud computing, which brings a lot of advantages to the corporation, but also comes with new and challenging security concerns.
- There needs to be a balance between effectively protecting our assets and making IT services easy to use so that our colleagues are as productive as they need to be. There is a tension there that can be tricky to reconcile.
- Security is not "one size fits all." The security profile and needs at one company may be very different at the next. The trick is to work with business leaders to preach the need for security, while also delivering services that meet their needs.
How do you get the balance between ease of use and security right? How do you ensure that the pendulum is not swinging too wildly back and forth?