Motorola Inc. CISO and VP Bill Boni has a formidable job: making sure his global company with more than 90,000 employees and 10,000 network segments is secure every minute of every day. CIO Insight reporter Debra DAgostino spoke to Boni about how he negotiates the trade-offs between perfection and “good-enough.” What follows is an edited transcript of his remarks.
CIO Insight: How is Motorola retooling operations to boost its information security?
Boni: There are the three key elements, and I think its important that all three are considered when you create a new security strategy, because prevention, although it might be the holy grail and the ultimate desirable situation, is not possible. Were dealing with IT operations in over 60 countries around the planet with more than 90,000 employees and a quarter million or so network-connected devices. Absolute bullet-proof prevention is an unrealizable objective. Given that fact, what we need to do is have a balance that allows us to quickly detect threats to our operations, and then identify and prioritize risks to the platforms of the operations. Even if you are very diligent at seeking out vulnerabilities and risks and threats, youre still not perfect, so whenever a breakdown happens, how do you respond? Security is not just about cyber-instant response types of protocols for things like viruses or intrusion incidents or defacements, but also about business continuity and disaster planning for events that have less of a personal-directed nature-acts of nature or acts of broader catastrophes such as terrorists or things of that sort.
Did this approach to security exist before you took over as CISO, or were you the change agent?
Its a strategy that has been evolving, and it represents what I think is a best- practices framework. The challenge is to implement the specific details that go into those broad, overarching framework elements in a way thats going to be the right balance for any organization. Its all about deciding the trade-offs and making them wisely, and then getting the whole company to understand what the tradeoffs need to be. I have been at Motorola for three and a half years. I came on as director of information security and was promoted into the role of CISO. We architected the framework and basically sold it to management as a responsible approach, particularly in light of the Sept. 11 circumstances, but it was actually in process before that. I would say Sept. 11 was a watershed event in that it threw into stark relief the fundamental change in the world environment in which we now operate. It basically crystallized a lot of the efforts that we had been doing and gave it a more serious context.