Voice of Experience: Connecting the Dots
By Baselinemag | Posted 2004-10-01
Pamela Fusco, Merck & Co.'s chief security officer, wants a single, centralized view of her security infrastructure so she can instantly size up what's happening in the network.
Merck & Co.
Chief Security Officer
Whitehouse Station, N.J.
Manager's Profile: Head of global information-security strategy and operations for the 60,000-employee pharmaceutical firm, which posted $22.5 billion in sales last year. She joined Merck in May after six years with Digex, a Web hosting company that is now a subsidiary of MCI.
Her Project: This summer, Fusco contracted with Ernst & Young to develop a security charter and review Merck's security infrastructure and practices. A key requirement emerged: Her team needed a unified, real-time view of Merck's security devices around the world, including Check Point firewalls and Symantec antivirus software. "Today you have to search through server logs, firewall logs, intrusion-detection logs," she says. "After correlating all that information, you then say, 'Did I miss something?' because your eyes glaze over."
Unsticking Vendors: Adopting a centralized security management software system (a project Fusco has code-named "Inspector Gadget") should also let the company more easily introduce security products from multiple vendors. For example, she says, "I wouldn't be stuck with Check Point's firewall management tools."
Securing Budgets: To show a return on security investments to upper management, Fusco says, "You have to put a price tag on the value of data: What would this data cost us if it were lost?" Beyond that, effective information-security management entails streamlining and automating processes. "So I can show I'm increasing the security of Merck but that I don't need to hire bodies to do that," says Fusco, who has a staff of 52.
Wide Awake: What keeps Fusco up at night? On the one hand, there are the things Merck needs to fix: "I won't tell you exactly, but generally they're about applying security policy technically to make sure the policy is being adhered to." Then there's the heartburn from the daily goulash of unpredictable attacks. Says Fusco, "What's Joe Schmuckatelli hacker going to have for me at 2 in the morning?"