News Stay informed about the latest enterprise technology news and product updates.

CIO feeling secure about security

The onslaught of worms and viruses that has hit the tech industry hard in recent months has companies once again thinking hard about security. asked Kurt Williams, CIO of Summit Electric Supply, a distributor of "anything that has to do with electricity in buildings," about how his company has approached securing its online computer system. With 22 offices throughout the South and Southwest, roughly 500 employees and $350 million in revenue, security was enough of a concern for the Albuquerque, N.M.-based company to switch antivirus vendors two years ago.

When shopping for a new security system, what was the main thing on your mind?
Specifically, the antivirus side was the main thing for us. We made the switch to Sophos because they had a system to manage antivirus more efficiently, more effectively and more quickly. We were using McAfee, and there were tremendous problems pushing out signature files for a new virus each time new ones were released -- which was almost daily. We felt we were spending a lot of time doing that, yet we were never up to date. Sophos really offers an excellent way to automatically reach for signature files and get them displayed across the network as quickly as possible. All we have to do is monitor the system. The 2003 Global Information Security Survey shows that security is falling as a priority -- 59% of about 2,500 surveyed companies worldwide said security was a high priority, down from 71% in 2000. The decline is all the more odd given that 9/11 and Code Red, Nimda, SoBig and other disasters have happened in the meantime. Why do you think security is falling as a priority? Is it?
We still consider security as a priority, although we don't actively have any plans to increase new investment. Maintenance of our systems and keeping them updated and accurate is a high priority. Over the last few years, we've made the changes we needed to make. We're to the point we need to be. That may be what other people are thinking. How are you spending this newfound time?
The most obvious thing is we were able to spend more time supporting our users in the active job of doing business, which is obviously the reason why we're here. It's allowed us to improve processes and simplify the work for our associates. Can you give us an idea of how much an average security breach costs your company?
That's a tough question to answer. We haven't been infected by a virus shutting anything down in several years. What I can tell you is, with the SoBig virus, we weren't infected in our systems tracking. At the peak of it, we were tracking so many inbound e-mails that it had a minor impact on us in terms of [our] being able to process e-mail in a timely fashion. In one peak period, we were tracking 7,500 inbound e-mails in one hour from single source -- a sister company we had acquired with 10 service centers. They continued doing business with those remaining service centers. A lot of people in the address books were our addresses. It just sort of delayed processing. E-mail that would have been immediate went out in about an hour and a half. You've been through a large security purchase. How difficult was it to persuade people on the business side of the company to invest in security? Are they still clamoring for ROI?
It really wasn't a difficult sell. Most of the people here are aware of some other company or organization our size or larger that has had their network shut down or their business impacted because they were infected by a virus brought in through the mail system. They're also aware that we have a very good record. We didn't get a whole lot of pushback on investments we were making on our security systems. Can you give us some idea of what your company's approach to security is like?
We try and maintain a strong firewall, which will allow the types of transactions that we want to allow and securely handle transactions we don't want to allow and drop them and block those kinds of things. We also realize that security from internal sources is really a big issue. People who study security say you're much more likely to be harmed by someone inside the network than someone outside. We try to impress on our associates that their account is their account, and they shouldn't allow anyone to log on to it and use it. We enforce rules that require them to change passwords on a frequent basis. We try to make sure they understand how to create a secure password, not just use their daughter's birthday or dog's name. We approach security on a number of different levels, training being one of them, systems being another. Does your company have a chief security officer? Why would one firm need one while another wouldn't?
We never even really considered having a CSO. We have a person on my staff who is responsible for security. We haven't felt the need to elevate that. What does that training involve?
We don't hold formal classes, but we try and keep people informed about things that are safe to do or not safe. For instance, they're instructed that, if they receive an e-mail from someone they don't know or someone they do know and it has an attached file they're not sure about, they should contact IT and let IT review it. We do get requests like that on [a] scale of one or so a week. Most of the time, there's no problem with attached files because our systems have usually handled anything that may be unsafe. As a final barrier to a breach, we like to have our associates be aware that they shouldn't willy-nilly open files that come attached to e-mail unless they're very certain about its source and what's contained in the file.

We also teach them about password security and keeping passwords known only to themselves. We tell them not to allow anyone to use their accounts because that creates a situation where a person can send and receive e-mail under their name.

Is there one thing that concerns you as a CIO more than others, whether it's a disgruntled employee or a person working from home being lax about security?
The main thing that concerns me is e-mail attached viruses. We do have people who work at home and use the VPN to come in. The way we have that configured, there's really no way for them to be lax when it comes to exposing our system. The big threats lately seem to come in the form of files attached to e-mails that might make it through to their desktops. They might execute that file and then cause problems. That's the thing that concerns me most. We rely on e-mail tremendously to communicate with our customers and our vendors, and we can't afford for it to be down for any length of time.

We probably have daily at least 50,000 e-mails processed between associates, their customers and vendors that we deal with. Of course, there's all the other e-mail that goes with that -- people talking to their friends, girlfriends, boyfriends, wives and husbands -- that aren't really business-related.

Do you have any way to quantify ROI?
That's difficult to measure. We spent x amount of dollars on it. What it does is prevent things from happening to us. So in order to measure that, we'd have to know how many times would we be infected and how much time would we spend dealing with these issues if we didn't have the software. Could you run through your selection process for us?
There are a number of different software products we use in antivirus. We changed to Sophos two years ago. We had a system at the time that, in terms of identifying and eradicating a virus, was fairly good. But managing it and keeping it up on a network our size was the problem. We went looking for an antivirus supplier that could solve that problem.

We wanted a company that focused on the business market rather than, say, someone at home using their computer to dial into AOL. That's where Sophos' focus is -- the business market. The tools they have for managing are top-notch and saved us an incredible amount of time. As a result, we felt there was less lag time between the appearance of a virus and when we were protected.

Is security something that you would consider outsourcing offshore?
We like to have control of it here. I don't think we would have as strong a feeling that our network was secure if it were managed offshore or even by someone down the street. What kind of advice would you give to a company your size searching for security solutions?
They should really do their homework and understand what their problems are, and look for solutions that deal with those problems. Additionally, they probably want to understand what it's going to take -- after they've installed the software in the system -- to administer it and keep security at the highest pitch they need. That's what drove us away from a previous antivirus [solution]. Can you take us back to when SoBig was coming out? What was going through your mind? Were you confident you were well protected?
We were. As soon as we heard any information about SoBig, I personally checked with the person involved with antivirus protection to make sure we were protected, and I was told that we were. There was the other threat that occurred just prior to SoBig where there were vulnerabilities in the operating system that we use. I made sure with security that we had applied the proper patches. Once I received that confirmation, I felt pretty certain we weren't going to be impacted by it.

The fact that we were impacted by the volume of SoBig e-mails that were coming in was something I hadn't thought of. Our system was prepared well, and we were able to identify where we were getting the e-mails from and take steps in the firewall to block and trap them so they wouldn't bother the e-mail system at all.


Best Web Links on IT security

Browse the shelves of security solutions in our Vendor Solution Center.

Dig Deeper on Enterprise information security management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.