CISO Keeps His Eyes on the Road

GM's Eric Litt stands guard over the myriad compliance and threat-management needs created by a far-flung business realm.

While chief security officers and CIOs have a broad range of issues to concern themselves with in today's climate—regulatory compliance, threat management, user education, budget constraints—few among them have the mind-bending number of challenges that Eric Litt faces as the chief information security officer at General Motors Corp. With nearly 325,000 employees working in 32 countries in every region of the world, GM is the definition of the modern distributed enterprise.

Such a diverse, far-flung work force could easily become a CISO's worst enemy in trying to secure the organization. But Litt has taken it upon himself to make his user base an asset rather than a security liability. Through education and awareness programs, Litt has gotten users invested in the company's overall security. Senior Editor Dennis Fisher spoke at length with Litt recently about the value of user education, justifying security expenditures to senior management and the need for greater collaboration among security professionals across industries.

GM is one of the biggest organizations in the world, and that has to bring with it some unique security challenges. What kind of issues do you deal with on a daily basis that smaller enterprises might not see?

It's mind-boggling how mammoth the business is. It's a tremendously large organization. We have [325,000] employees, but we also have a huge number of partners and suppliers who need access to our network. We share our intellectual property with them. It's a necessity for us to do business. But those companies have employees who we don't control, which is something that we have to worry about. Most enterprises deal with this but on a much smaller scale. There is a huge number of permutations to think about with all of those people coming and going on the network. I'm responsible for all of our data, including classifying and the handling of documents. Luckily, I don't handle physical security.

I know GM and the other automakers are very careful about the way that they handle designs and data about upcoming models. Given all of the people who have access to your network, how big of a concern for you is the possible theft of intellectual property?

I have to be very concerned about the theft of intellectual property. If we lose that, it can compromise us tremendously. That's everything we have. The thing about this position is you don't have total control of your fate. In large part, it depends upon how well you prepare your organization for events you don't know about. There is no certainty in this job. A little luck and a lot of hard work may allow you to survive an attack. A little bad luck and the same amount of hard work, and maybe you don't survive. I don't want to end up on the front page of eWEEK or The Wall Street Journal because of something like that. There is a bit of luck involved. You have to think the way the bad people do. You have to think philosophically. You don't boast about any success you have.

Every enterprise gets its share of attacks these days, but GM must get more than most just by virtue of being GM. Does it feel like you have a target on your back?

We are a symbol of U.S. enterprise. There's not a much bigger symbol of American capitalism around the world than GM. Just because of who we are, we're a target, you're right. But that just means we need to be prepared.

When you look at your biggest challenges in the next year or so, is there anything in particular that stands out? Is identity management on your agenda? Intrusion prevention? Regulatory compliance?

We have an emerging technology group that looks at everything that's out there. They keep me up on everything that's happening in terms of new technologies and trends. I think you have to have an understanding of your environment and take a holistic view and architect a robust security framework. You can't just get caught up in what's new. It's not so important to have a niche security technology that does one thing well as it is to cover all of the potential threats. I try to take a view of the profile of our threats and develop a robust framework to mitigate them. And not just with technology and processes, but more with regulations, policies, procedures and technology. My view of the world is, "I'm trying to protect GM. How do I do that?"