Serious times: Unisys CISO talks tough
Public and private sectors both have threats
- By Henry Kenyon
- Aug 31, 2010
These are uncertain times in cyberspace. With constant attacks on federal government and civilian networks, security officers have their hands full. This is especially the case for large organizations with international footprints, which have to stay mindful of federal laws and the laws of individual jurisdictions where they operate.
Protecting intellectual property and sensitive data is another challenge facing companies and government agencies, said Patricia Titus, the chief information security officer at Unisys. With 30 years of experience, first in the Air Force and then as CISO for the Transportation Security Administration, she offers a wealth of insights about computer network defense.
As a global organization, Unisys conducts much of its work in Asia, the source of many cyberattacks on U.S. firms and government networks. Titus said CISOs must be mindful of adhering to a host country’s laws when their firms or organizations are operating there, but they also have to protect their vital data. The challenge for a CISO in these international situations is to maintain security while also managing to create revenue for the country and preserve U.S. national security interests.
One major burden in her role as adviser to the company’s CIO is being able to balance the operational and security components, she said.
“I want people to be efficient, but I don’t want to open this massive leak or hole in the network that might cause Unisys data to be exposed in some way, shape or form," she said. "So how do I meet the demands of a mobile workforce in foreign countries and yet feel that we’ve adequately secured the data — not only Unisys intellectual property, but our client data as well? How do I explain to the president of the company that he can’t take his laptop to China?” Besides educating staff, there must also be a system in place to monitor devices such as laptops when they move from country to country to ensure that malware is not being spread through the core of the network, she added.
Another major network defense issue is keeping mobile devices upgraded with proper patches and software. This is especially important when employees travel to areas with poor infrastructure where downloading upgrades can be difficult or impossible. She adds that most IT security professionals must deal with the issue of securing mobile devices on a daily basis.
Among the trends Titus said that CISOs should look out for is the consumerization of IT. Titus notes that despite the efforts of security officers to keep unauthorized data from leaving networks, the advent of new mobile technology is "getting in front of our ability to keep data from moving to places that we don’t know about,” she said.
Government agencies and firms must embrace these new technologies and update their policies and acceptable use agreements to include the proper use of wireless and mobile devices. “If you look at the laws that are currently in place, many of them date from the 1960s and '70s and they’re still applicable in today’s environment — even in cyberspace,” she said. To update policies, organizations must update with current technologies to tie them into the new rules.
“CIOs and CISOs had better wake up and realize that personal devices are being used to process sensitive data," Titus said. "What are they going to do about it? I think that’s a huge trend that’s only going to become more pervasive." She added that the government can put out edicts restricting the use of personal devices, but that comes with a cost to the efficiency of the government and its employees that leaders have to consider.
A better way to manage personal devices might be to push a software package to the device that is registered by the user, who signs an acceptable use agreement. This creates an agreement between the organization and the employee with the understanding that the device can be confiscated if there is sensitive data on it that is needed for an investigation. “You have to have all those legal pieces tied up,” she said.
This trend toward data moving to a variety of areas that CIOs must be more mindful of will become more widespread, Titus said. “The technology and capabilities are there and people are smart enough to get around these security protocols that we’ve put in place,” she added. An acceptable use agreement protects the organization by formalizing how personnel can use sensitive information on their personal devices and how to return that data when they no longer work for the agency or company.