As large-scale security breaches become more commonplace, the challenge for most CIOs and chief information security officers (CISOs) is just trying to keep up with the threats -- never mind innovating around IT security services.
Michael Daly, director of IT security services and deputy CISO at Waltham, Mass.-based Raytheon Co., begs to differ.
In this installment of the SearchCIO.com CIO Innovators video series, Daly explains that it is possible to take innovative approaches to enterprise security and still "close the gap" between threats and vulnerabilities.
"Raytheon is a cyber-company," Daly said at the MIT Sloan CIO Symposium in May. "One part [of our security strategy] seeks to protect our customers. We need to protect our products, like the cruise missile and the Patriot missile. … And we also need to protect our own network."
These efforts overlap, he said. "So, we take knowledge from each piece and strengthen the others."
"Security is a cost, but if you work it correctly you can improve the delivery of the product to the customer," he said. "We can remove some of the pain points. If we can remove downtime, then security is a benefit. [And] therefore, when we innovate in the internal space we can pass that over to the customer. And vice versa."
Daly, who seeks to "bring in smart people who are voracious about looking at data," says that the next frontier of security is going to be in mobile devices.
"Commoditization in mobile like the iPad and other devices brings strong capability to users in their home, and it's the same with customers," he said. "We need to find a way to protect this whole new range of devices that are low-cost and not built with enterprise security concerns in them."
Read the full transcript from this video below:
Raytheon seeks to innovate around IT security services
Scot Petersen: Hi, this is Scot Petersen, editorial director of SearchCIO.com, and I'm here at the MIT Sloan CIO Symposium talking with Michael Daly, director of IT security services, and deputy CISO of Raytheon Company. Thanks for joining us, Michael.
Michael Daly: Thank you very much.
Scot Petersen: Michael, I was reading a little bit about innovation on the Raytheon website, and I found something very interesting. It said, "Innovation is the result of Raytheon scientists and engineers never being completely satisfied with a particular solution. That's because in today's ever-changing global market, new customer requirements are always changing." Michael, what is your role, or your department's role, in this philosophy?
Michael Daly: So, I'm the director of IT security services. Our job is to help manage the risk inside our network, and so we look for various places where either the technology is changing, our business strategy is changing, or we've seen failures. We then look for innovative solutions to fill in those gaps and try to get ahead of the risk and bring it into a range of tolerance.
Scot Petersen: How do you innovate around a technology like security, which is changing so rapidly?
Michael Daly: It's not an easy thing to do. The first and most important thing is to bring in very smart people, who are voracious about looking at data, and that's important to Raytheon. Raytheon is very data-driven, Six Sigma is part of our culture, and so I think that is maybe the foundation, people focused on looking at data. So what we look for are those patterns and the failure modes, and say, "Well, how could we have seen that?" Then we come up with solutions that would detect it and maybe even predict it and try to close out those problems.
Scot Petersen: How does Raytheon use IT, or IT security services, to differentiate itself from its competition?
Michael Daly: Raytheon is a cybercompany, and that's in one regard a way we differentiate ourselves, but specifically with IT. We have a strategy that, if you can imagine a Venn diagram of three pieces overlaying, one part is that we seek to protect our customers, and so that's our cyberbusiness. But we also need to protect our other products, products we deliver. We make the cruise missile, and Patriot, and we make various sensors and so on, and we need to protect those. Also, we protect our own network. This strategy overlaps and so we have this idea that we can take knowledge and lessons from each piece and strengthen the others. That's really how we differentiate ourselves. We operate across a broad space of both information assurance, the defense, and information operations, where we help give tools to our customers.
Scot Petersen: Do you think there's a culture of innovation at Raytheon that permeates your department and others?
Michael Daly: I do, I really do. I'm very proud of our organization. We have a couple of new patents, just in the last year on technologies we've had to develop. It is part of the briefing that we give the board of directors about the performance of our IT security organization, where we actually track our metrics in terms of the pieces of our organization of our commercial products that we buy from others to protect ourselves. Then, as you get to the pointy end of this metrics pyramid, the lower pieces where we have to protect our environment, those are all custom, innovative tools that we've had to develop, that those threats have escaped all of the commercial products. We focus very carefully on that lower part of the pyramid where we have to innovate to close the gap.
Scot Petersen: Security is a cost, and how do you justify that cost or get a return on investment in security services?
Michael Daly: I think, perhaps, that there are two parts to that. It's true that security is a cost but, at the same time, if you work it correctly you can help improve the delivery of the product to the end customer. That's what Six Sigma helps us with, not to be waving the banner of Six Sigma every few minutes. But it's true that if we look at how we deliver our product to our customer, we can remove some of the pain points. We can actually make it better. If we can remove downtime from an environment, then security is a benefit. The other part, of course, is that, as I mentioned, cyber is a deliverable for our company to our customers. Therefore, when we innovate in the internal space, we can pass that over to our customers, and vice versa. If we can learn from our folks who are working on projects for our customers, and that is allowed to be brought in and strengthen our internal environment, then we do that as well.
Scot Petersen: What technologies are you looking at that are changing the way you operate your IT departments?
Michael Daly: The whole IT business, as you know, is looking at different models like the cloud model, where services are provided outside your wall, on a broader scale and in a different manner. Raytheon's no different. We're looking at services that reside outside our wall. Therefore, we've had to come up with a different strategy around how we protect our information, our customers' information as it moves through these different membranes, if you will. One of our big initiatives right now is a project we call Stonewall, where we are looking to place simple devices over at these remote locations that can capture some of what we know about the threat, and look for that threat out in the remote spaces. As it is historically, if we built up a good cyberprogram we could protect what was in our wall, but anything outside that we would have no visibility. That's what Stonewall is there to help protect. It's for new acquisitions, for some of our smaller pieces of our company that might be floating around on their own, and our suppliers.
Scot Petersen: One final question: What business drivers are influencing Raytheon and the way it runs IT?
Michael Daly: I think that maybe the biggest one is commoditization. The iPad that you're sitting in front of here and many other devices like that are bringing a strong capability to the user in their home, and that's also true for our customer as well. They're seeing these devices; it's lowering the cost. So I think we, as IT security professionals, need to find a way of protecting this whole new range of devices that are low-cost and not always built with enterprise security capabilities in them. We need to figure out how we get security in there. There's no longer a tolerance for the high-priced enterprise device that's clunky and weighty. People want commodity devices that are cheap and fast and sexy, and we have to figure out how to respond to that.
Scot Petersen: Thank you, Michael.
Michael Daly: Thank you very much.
Scot Petersen: This has been a SearchCIO.com CIO Innovator video. I'm Scot Petersen, editorial director of SearchCIO.com, here at the MIT Sloan CIO Symposium. Thanks for watching.