How to Help Your IT Security Chief Sleep at Night: Q&A with Mark Leary

By Tom Barkley

Some of your employees may work from home, others bring their own device to work, and you’re constantly reminding everyone to be on alert about emails that may contain whatever virus makes the most-wanted list that month.

It’s not easy to be a manager in today’s tech-enabled workplace. But rest assured, there are a few simple steps that can help promote a culture of IT security both in and out of the office — and make things easier for you and your IT security chief.

Real Business recently sat down with Mark Leary, vice president and chief information security officer of Xerox, who has more than 30 years of experience in security management and technical intelligence. He held similar roles at TASC and Northrop Grumman before joining Xerox last year and previously served 22 years in the U.S. Army, where he established the information operations capability in computer network defense and information assurance for the U.S. Army Reserve.

Leary talked about what keeps him up at night and how managers can help companies stay protected against the proliferation of IT threats — from hackers and corporate spies to simple employee error.

How has the IT security landscape changed? Are things only getting more complicated for IT staff — with telecommuting, hacking, corporate espionage, etc.?

From a business perspective and security practitioner’s point of view, this is the era of the perfect storm. First is the fact that technology is accelerating, particularly when we have new emerging technologies around bring your own device and mobility, cloud computing and cloud service providers, IT consumerization, and the proliferation of applications that can be on any device.

The second element is the business model of adapting them. In the past, most organizations had this castle mentality — that the data resided on the networks and infrastructure that they owned, and they allowed just certain people or business processes through a firewall. Today, business is conducted well outside the corporate border.

The third element is the threat landscape. As these new business models emerge and new platforms are being utilized, often the rush to market leaves security by the roadside. There’s a wide gamut of threat, and they have specific motivations — whether it be a 14-year-old in the basement writing a virus just for fun, or state-sponsored espionage trying to steal intellectual property or trade secrets.

Does your background in the army and defense industry give you unique insight into the world of IT security and corporate espionage?

I come from the aerospace industry, which went through what I call the age of enlightenment about 10 years ago. Aerospace became aware that, as a supplier to their federal customers, they were viewed as a weak link. There was a focused effort to get within the supply chain, and using the suppliers as a conduit to get to where their ultimate goal was. That’s caused a huge shift in the mindset of security professionals — and that’s that they’re operating in a contested environment. That in fact it’s nearly impossible to defend everything, particularly when you have these emerging business models with data actually being used outside the corporate environment.

So what keeps you up at night? Is it more the external threat from hackers or spies, or simple employee error – someone who loses their laptop?

It’s all the above. You live the life for so long, it just becomes part of your makeup. You’ve kind of resigned yourself that this is the new normal, and you grow accustomed to understanding, “What’s the threat picture today?” Central Asian threat actors are financially motivated and are looking for an opportunity to conduct some kind of fraud. Or it could be the fact that we’re involved in a particular region where there’s a natural disaster, so what’s our level of service.

On the flip side of the threat, I worry about our employees and whether we have established a “culture of security.” There’s what I call just good cyber-hygiene. Every morning we get up and brush our teeth, comb our hair, and take our vitamins. It’s kind of the same mindset you want employees to have. I’ve signed on to my desktop and check that I have antivirus and it’s running. I’m backing up my desktop to my file share. Once it becomes part of the culture, it becomes internalized. It’s just part of your average day. It’s as natural as brushing your teeth or combing your hair.

Are there some simple steps managers and everyone else can take to make the CISO’s job easier?

A lot of people think this is a technology problem, but it’s clearly a behavioral problem. We must understand the information that we’re managing on a day-to-day basis, and just take appropriate measures to protect that information relative to its sensitivity. And the common cyber-hygiene approach is clear — use strong passwords, remember to lock your computer before you leave, make sure you have antivirus in place, accept the software updates that come every Tuesday, and make sure you back up your computer.

If we just practice some very simple, common behaviors, a lot of the security problems that we have — from potential breaches or incidents — are actually mitigated. And from the manager’s perspective, it’s really their role to ensure that proper behavior is being practiced by their employees.
