Alstom Transport is not exactly a household name, but its products are well-known, particularly among travellers. They include the Eurostar and French TGV trains, new high-speed Amtrak passenger trains in California and Singapore's metro trains.
This French-based $16 billion company operates in 60 countries, including most of Europe, the People's Republic of China and several South American nations.
So nine months ago when Nikk Gilbert joined the company as IT security and telecom director, he knew he was taking on a real challenge. He needed to hit the ground running. Here are the key things he focused on to succeed:
1. Choose a good company to work for. Before he interviewed for the job he researched the company to be sure it was a good one to work for. Alstom values its employees and proves that with its actions. At the end of its last fiscal year, for instance, it gave every employee several shares of stock as a bonus.
2. Get executive backing. "I interviewed with the CFO and asked him point-blank what their level of commitment was, what kind of budget and support I could expect," Gilbert says. "I left knowing that senior executives knew they needed security and that I would have the level of support necessary to get the job done. Without that you are out of money, out of luck and probably on your way out."
3. Partner with HR and Legal. A good rapport with these two departments is essential to success in the security role, particularly in a multinational company such as Alstom. Just keeping track of the privacy and data security regulations in more than 60 countries world-wide is a challenge. Gilbert has to depend on HR and Legal to advise him on the varying legal requirements he must meet in his job.
4. Develop a rapport with users. IT network security programs flounder when end-users refuse to follow them. "Security means inconvenience for users who are just trying to get their jobs done," Gilbert says. "It is important both to remind them of the importance of security and to minimise that inconvenience." Right now, he says, he is in the pilot phase of implementing a smart card/SSO/PKI system across the company, because a smart card requires the entry of only one PIN rather than the seven or eight passwords users are often asked to enter to access various systems. "We are showing our users that we care about their problems and are working to make things as easy as possible for them. We have determined that this will provide us with good security without annoying people too much."
5. Know what you have. An asset inventory is absolutely necessary and should include a network diagram that shows the schematic locations of workstations, servers, switches and routers as well as a list of hardware. "You may have the budget and know the rules, but if you don't know what you have, you are blocked," Gilbert says. "And when your network is spread out over more than 60 countries, this becomes even more important."
6. Get the right tools. The security officer for a small office can do things by hand. The security officer for a multinational company is totally dependent on his tools for basic activities such as penetration testing and vulnerability scanning. "We picked Core Impact, and it just turned things around unbelievably," Gilbert says. "A lot of the tools out there detect the problems or find the systems that require patching. With Core you can find the vulnerability, execute on the vulnerability, and you own the system." Core's tools are particularly helpful in convincing co-workers that they have security problems. "Instead of telling the e-mail supervisor he has a vulnerability, I showed him his last three days of e-mail traffic. That ends any attempt by the system administrator to pass the warning off as a false positive."
7. Review and update corporate security policies. The security officer needs to know the corporate policies covering key areas such as security and remediation procedures. Change management and tracking logs are important. And Gilbert says one of the first things the security officer should do is build a security dashboard that captures and displays information such as how many virus attacks were attempted and how many outside probes hit the firewall. Having those statistics in one place is very useful, particularly when talking to senior management. The continual issue for security is that, ideally, executives never see it. Good security means nothing happens. So executives tend to forget the need to continue to invest in strong security. Statistics that show all the attacks that failed are a good reminder that the organisation is getting good value for its security investment.
8. Use strong authentication. Finally, he says that strong authentication is "a good start on fixing the problems." When the system knows the identity of everyone on the network with a high degree of certainty, it can manage their access and shut out unknown individuals, even those who log into the network from inside the company. If the organisation does not already have a strong authentication system installed, building one should be a high priority of the first nine months.
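The dashboard numbers in point 7 (blocked virus attempts, outside probes dropped at the firewall) come straight out of the logs. As an added example, not code from the article, from Alstom or from any product it mentions, the Python below parses a handful of constructed firewall and antivirus log lines and aggregates them into the counts such a dashboard would show, plus a simple port-scan flag for a source that hits several distinct ports. The log format, host names, addresses, ports and virus names are all assumptions made for the example.

```python
"""Aggregate firewall and antivirus log lines into security-dashboard counts.

Added example; the log format below is invented for illustration and the
addresses, hosts and virus names are constructed, not real data.
"""
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# Constructed sample lines: firewall entries in a simplified iptables-like
# form, antivirus entries in an invented form, plus one unparseable line.
SAMPLE_LOGS = """\
2004-03-01T08:00:01 fw1 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
2004-03-01T08:00:02 fw1 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
2004-03-01T08:00:03 fw1 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=445
2004-03-01T08:01:10 fw1 ACCEPT SRC=198.51.100.4 DST=192.0.2.25 PROTO=TCP DPT=25
2004-03-01T08:02:15 fw1 DROP SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=1433
2004-03-01T08:03:00 av1 VIRUS_BLOCKED HOST=ws-paris-17 NAME=W32/Netsky.B ACTION=quarantined
2004-03-01T08:03:30 av1 VIRUS_BLOCKED HOST=ws-lyon-03 NAME=W32/Netsky.B ACTION=quarantined
2004-03-01T08:04:00 fw1 DROP SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP DPT=445
2004-03-01T08:05:00 av1 VIRUS_BLOCKED HOST=ws-paris-17 NAME=W32/Bagle.A ACTION=deleted
this line is garbage and must be counted as unparsed, not silently dropped
"""

FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>DROP|ACCEPT) SRC=(?P<src>\S+) "
    r"DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)$"
)
AV_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) VIRUS_BLOCKED HOST=(?P<ws>\S+) "
    r"NAME=(?P<name>\S+) ACTION=(?P<act>\S+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Classify one line as a firewall ('fw') or antivirus ('av') event, or None."""
    m = FW_RE.match(line)
    if m:
        ev = m.groupdict()
        ev["kind"] = "fw"
        ev["dpt"] = int(ev["dpt"])
        return ev
    m = AV_RE.match(line)
    if m:
        ev = m.groupdict()
        ev["kind"] = "av"
        return ev
    return None


def build_dashboard(lines: Iterable[str], scan_threshold: int = 3) -> dict:
    """Count dropped probes, blocked viruses and likely scanners across the lines.

    A source is flagged as scanning when it was dropped on at least
    scan_threshold distinct destination ports (a deliberately simple heuristic).
    """
    probes_by_port: Counter = Counter()
    probes_by_src: Counter = Counter()
    ports_per_src: Dict[str, set] = {}
    viruses_by_name: Counter = Counter()
    accepted = unparsed = 0

    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        ev = parse_line(line)
        if ev is None:
            unparsed += 1  # surfaced on the dashboard so parsing gaps are visible
            continue
        if ev["kind"] == "fw":
            if ev["action"] == "DROP":
                probes_by_port[ev["dpt"]] += 1
                probes_by_src[ev["src"]] += 1
                ports_per_src.setdefault(ev["src"], set()).add(ev["dpt"])
            else:
                accepted += 1
        else:
            viruses_by_name[ev["name"]] += 1

    scanning = sorted(s for s, p in ports_per_src.items() if len(p) >= scan_threshold)
    return {
        "probes_blocked": sum(probes_by_src.values()),
        "probes_by_port": dict(probes_by_port),
        "probes_by_src": dict(probes_by_src),
        "scanning_sources": scanning,
        "connections_accepted": accepted,
        "viruses_blocked": sum(viruses_by_name.values()),
        "viruses_by_name": dict(viruses_by_name),
        "unparsed_lines": unparsed,
    }


def render_dashboard(summary: dict) -> str:
    """Render the summary as the plain-text panel a manager would be shown."""
    out = [
        f"Outside probes blocked at firewall: {summary['probes_blocked']}",
        f"  top ports: {summary['probes_by_port']}",
        f"  likely scanners: {', '.join(summary['scanning_sources']) or 'none'}",
        f"Virus attempts blocked: {summary['viruses_blocked']}",
        f"  by name: {summary['viruses_by_name']}",
        f"Unparsed log lines: {summary['unparsed_lines']}",
    ]
    return "\n".join(out)


if __name__ == "__main__":
    print(render_dashboard(build_dashboard(SAMPLE_LOGS.splitlines())))
```

Counting the lines that did not parse is deliberate: a dashboard that quietly drops malformed entries will under-report exactly when a log source changes format, which is when the numbers are least trustworthy.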
"Really, when you come into a new situation you need to have a clear set of priorities and hit the ground running," Gilbert says. "This list has guided me in my first nine months, and we have gotten a lot done in a short time following it."