Operating through manageable risk
GM isn't necessarily in a heavily regulated industry such as banking or health care, but how big an issue is compliance for you these days?

We actually have a lot of regulatory compliance. GM is a very diverse business. It's a lot of work because you don't want to go to jail. When the board members and officers have to sign their names to documents saying that we're in compliance with a certain regulation, they want to be very sure that's true. A lot of these regulations have so many details and specific requirements. You can't take any chances.

With all of those threats out there and news about worms and attacks in the papers every day, do you still have to struggle to get enough money to do what you want in terms of security? Do you still have to justify the ROI [return on investment]?

To some extent. I think people are much more sensitive to the threats that are out there now. Sarbanes-Oxley, things like Enron, they're threats, too, to shareholder value. That kind of thing hits to the highest level of the organization, and they're very sensitive to that. The challenge you have in looking for resources is putting it in terms people can understand. Our challenge isn't to operate through fear, but through manageable risk. We're not resource constrained. We try to be very precise in how we make our assessments.

With such a huge user base, how difficult is it for you to get the message across to employees about the importance of security? You have to rely on them not to open malicious attachments and things like that.

One thing we do is we have a security awareness week on an annual basis with closed-circuit TV broadcasts. We tell people that we're not in every region around the world, but you are. You are our strongest protection and can be our weakest link. We have training courses for people to understand their role in the process. With the onslaught of worms and viruses this year, we now expect employees to know what to do. There's always a way for something to get in, and does the employee know what to do when that happens? We've seen a reduction in help desk calls since we started that.

With the size and complexity of GM, you're in sort of a unique position. Do you share ideas and problems with CSOs in other large companies, and see what they're doing and what's working for them?

Sure. We all have common problems. I would like to see more standards come off the shelf. It's kind of like the early days of the PC age. We don't have TCP/IP for security yet. We're still very reactionary. We need to change that model. How do we get ahead a little? It comes through good collaborative effort. Try to drive more commonality in the environment. We have a certain amount of power. If you get eight of the Fortune 10 who say, "Hey, AV providers, you need to start adding spyware detection to your products and not charge extra for it," they'd probably listen. There are some opportunities there.

Spyware is definitely becoming a primary concern for enterprises both large and small. But it seems like worms and viruses are still getting most of the attention from the media and vendors. Where do you think the priorities should be, and what can be done to make certain the focus is in the right areas?

The explosion of worms and viruses was amazing this past year. You have to deal with that stuff each and every day. And that's where the value of educating our users comes into play. We have to rely on the users to help us out with that kind of thing. There's really no way to do it otherwise. I can't say that we have a program that trains every single new employee when they're hired, but they all get some sort of security awareness education pretty soon after they're brought in.