While chief security officers and CIOs have a broad range of issues to concern themselves with in todays climate—regulatory compliance, threat management, user education, budget constraints—few among them have the mind-bending number of challenges that Eric Litt faces as the chief information security officer at General Motors Corp. With nearly 325,000 employees working in 32 countries in every region of the world, GM is the definition of the modern distributed enterprise.
Such a diverse, far-flung work force could easily become a CISOs worst enemy in trying to secure the organization. But Litt has taken it upon himself to make his user base an asset rather than a security liability. Through educational programs and user awareness, Litt has been able to get each user invested in the companys overall security. Senior Editor Dennis Fisher spoke at length with Litt recently about the value of user education, justifying security expenditures to senior management and the need for greater collaboration among security professionals across industries.
GM is one of the biggest organizations in the world, and that has to bring with it some unique security challenges. What kind of issues do you deal with on a daily basis that smaller enterprises might not see?
Its mind-boggling how mammoth the business is. Its a tremendously large organization. We have [325,000] employees, but we also have a huge number of partners and suppliers who need access to our network. We share our intellectual property with them. Its a necessity for us to do business. But those companies have employees who we dont control, which is something that we have to worry about. Most enterprises deal with this but on a much smaller scale. There is a huge number of permutations to think about with all of those people coming and going on the network. Im responsible for all of our data, including classifying and the handling of documents. Luckily, I dont handle physical security.
I know GM and the other automakers are very careful about the way that they handle designs and data about upcoming models. Given all of the people who have access to your network, how big of a concern for you is the possible theft of intellectual property?
I have to be very concerned about the theft of intellectual property. If we lose that, it can compromise us tremendously. Thats everything we have. The thing about this position is you dont have total control of your fate. In large part, it depends upon how well you prepare your organization for events you dont know about. There is no certainty in this job. A little luck and a lot of hard work may allow you to survive an attack. A little bad luck and the same amount of hard work, and maybe you dont survive. I dont want to end up on the front page of eWEEK or The Wall Street Journal because of something like that. There is a bit of luck involved. You have to think the way the bad people do. You have to think philosophically. You dont boast about any success you have.
Every enterprise gets its share of attacks these days, but GM must get more than most just by virtue of being GM. Does it feel like you have a target on your back?
We are a symbol of U.S. enterprise. Theres not a much bigger symbol of American capitalism around the world than GM. Just because of who we are, were a target, youre right. But that just means we need to be prepared.
When you look at your biggest challenges in the next year or so, is there anything in particular that stands out? Is identity management on your agenda? Intrusion prevention? Regulatory compliance?
We have an emerging technology group that looks at everything thats out there. They keep me up on everything thats happening in terms of new technologies and trends. I think you have to have an understanding of your environment and take a holistic view and architect a robust security framework. You cant just get caught up in whats new. Its not so important to have a niche security technology that does one thing well as it is to cover all of the potential threats. I try to take a view of the profile of our threats and develop a robust framework to mitigate them. And not just with technology and processes, but more with regulations, policies, procedures and technology. My view of the world is, “Im trying to protect GM. How do I do that?”
Operating through manageable risk
GM isnt necessarily in a heavily regulated industry such as banking or health care, but how big an issue is compliance for you these days?
We actually have a lot of regulatory compliance. GM is a very diverse business. Its a lot of work because you dont want to go to jail. When the board members and officers have to sign their names to documents saying that were in compliance with a certain regulation, they want to be very sure thats true. A lot of these regulations have so many details and specific requirements. You cant take any chances.
With all of those threats out there and news about worms and attacks in the papers every day, do you still have to struggle to get enough money to do what you want in terms of security? Do you still have to justify the ROI [return on investment]?
To some extent. I think people are much more sensitive to the threats that are out there now. Sarbanes-Oxley, things like Enron, theyre threats, too, to shareholder value. That kind of thing hits to the highest level of the organization, and theyre very sensitive to that. The challenge you have in looking for resources is putting it in terms people can understand. Our challenge isnt to operate through fear, but through manageable risk. Were not resource constrained. We try to be very precise in how we make our assessments.
With such a huge user base, how difficult is it for you to get the message across to employees about the importance of security? You have to rely on them not to open malicious attachments and things like that.
One thing we do is we have a security awareness week on an annual basis with closed-circuit TV broadcasts. We tell people that were not in every region around the world, but you are. You are our strongest protection and can be our weakest link. We have training courses for people to understand their role in the process. With the onslaught of worms and viruses this year, we now expect employees to know what to do. Theres always a way for something to get in, and does the employee know what to do when that happens? Weve seen a reduction in help desk calls since we started that.
With the size and complexity of GM, youre in sort of a unique position. Do you share ideas and problems with CSOs in other large companies—see what theyre doing and whats working for them?
Sure. We all have common problems. I would like to see more standards come off the shelf. Its kind of like the early days of the PC age. We dont have TCP/IP for security yet. Were still very reactionary. We need to change that model. How do we get ahead a little? It comes through good collaborative effort. Try to drive more commonality in the environment. We have a certain amount of power. If you get eight of the Fortune 10 who say, “Hey, AV providers, you need to start adding spyware detection to your products and not charge extra for it,” theyd probably listen. There are some opportunities there.
Spyware is definitely becoming a primary concern for enterprises both large and small. But it seems like worms and viruses are still getting most of the attention from the media and vendors. Where do you think the priorities should be, and what can be done to make certain the focus is in the right areas?
The explosion of worms and viruses was amazing this past year. You have to deal with that stuff each and every day. And thats where the value of educating our users comes into play. We have to rely on the users to help us out with that kind of thing. Theres really no way to do it otherwise.
I cant say that we have a program that trains every single new employee when theyre hired, but they all get some sort of security awareness education pretty soon after theyre brought in.