Dennis Devlin says the reason that CSOs like himself have gray hair is that they get paid to think about the worst things that can happen to their organizations. But companies that do this well don’t have to scramble as much when IT security threats emerge, said Devlin, a vice-president with information services company Thomson.
Devlin shared his experiences as an enterprise decision maker last month at a Massachusetts Network Communications Council seminar on network security. Representatives from Cisco, Kroll Ontrack and RSA Security also participated.
The Thomson executive chairs a council of senior security officers at his company, a 38,000-person outfit, who work with line-of-business personnel. “Security is definitely a team sport,” he said.
Devlin said enterprise network security is evolving from what he called an egg model, in which the exterior is hard and the inside is soft, to a stealthy submarine model, where data is compartmentalized and protection is approached from the inside out.
Thomson uses technology from a host of companies, from big names such as Cisco to a mix of startups. But beyond technology, end user awareness is hugely important, Devlin said. That’s both in terms of what information they can and can’t divulge to outsiders as well as what constitutes appropriate network behaviour.
“We need to make people aware we can figure out what you will do even if you aren’t blocked from doing it,” he said. “That’s a motivator to appropriate behavior.”
Among Devlin’s biggest concerns is the vulnerability of the applications his company runs. This is particularly important with the move to Web applications and service-oriented architectures based on lots of small programs that need to be quickly deployable and can’t afford to get slowed down by too many security checks.
“Our applications are just as vulnerable as our operating systems,” he said, noting that Thomson works closely with application vendors to ensure appropriate security levels.
Devlin said he foresees a time when applications such as e-mail will be denied by default and only previously approved messages and senders will be allowed through. Thomson has no shortage of offers from vendors to help with its security needs.
Devlin said he must get 20 calls a day and that his protocol is to tell people to send him a one-page explanation of their technology.
He said he knows of counterparts at other organizations that head up huge security departments that get beat on like pi