Getting On Board With Security

Alstom Transport, a $6 billion French rail vehicle and systems manufacturer with an 18 percent market share in the global rail transportation market, had appropriate security for its worldwide IT infrastructure. It just didn’t have a formal program to manage, measure and continually improve its network defenses.

Operating in 60 countries with 26,000 employees around the world, Alstom realized that its position as the No. 1 company for high-speed trains and urban rail transport could be jeopardized by inconsistencies in its security posture. The first step was establishing a formal security program. To do that, Alstom recruited Nikk Gilbert as its security director in September 2005.

Gilbert, a 10-year veteran of the IT security industry who once worked for the U.S. Department of Defense, crafted the company’s first formal security program from this fragmented global effort. Baseline contributing editor Bob Violino recently spoke with Gilbert about the process he used to establish the Alstom security program and how he justifies investments in security.

What was the most challenging aspect of crafting Alstom Transport’s first security program?

From a technology perspective, it was the initial time spent to understand the layout of the global network, which was spread out across 60 different countries. From a business standpoint, it was trying to find out what part of information security people felt was important. That helped [determine] the real needs of the business to put together an information security program to meet Alstom’s specific needs.

Was this program created in response to any particular security incidents?

Fortunately, Alstom hadn’t suffered any serious incidents. The program was created because Alstom had reached a high level of information technology and recognized the need to invest in information security as well. Clearly, you don’t want to have one without the other.

What are some of the key components?

The primary piece of the program is the IT security policy. Having a reasonable policy and the approval of upper management to implement the policy is the top priority. Without this executive buy-in, you’ll never get the program off the ground. Along with a well-documented, well-thought-out IT security policy, the normal technological protection template can be applied. Part of our template includes penetration testing, vulnerability assessments, desktop patching, server patching, antivirus/malware/spyware protection, intrusion detection system/intrusion prevention system (IDS/IPS)/firewall deployment and log correlation. These all needed to be deployed, rechecked and then closely monitored. In addition, we have been able to implement public key infrastructure (PKI), smartcard, single sign-on (SSO) and secure Wi-Fi.

So you’re taking a layered approach to security?

We’ve created a defense-in-depth protection structure. If an intruder gets through one level, it’s possible to catch [the person] at the next level and so on. By using strong policies and centralized IT management along with various layers of protective technology, we’ve tried to make it much harder for the bad guys to do their thing.

How is the security program working so far? Have you had any feedback from management or staff?

Our IT security policy has been validated at all levels. When building a good information security program, it’s necessary to consider the customer service aspect as well. While the program does have to encourage security, it can’t obstruct business operations. Information security can be looked at as a business inhibitor, not a business enabler. Blending IT security with customer service improvements has been key to the success of the program.

Was it critical to have the support of senior management when planning and implementing the security program, and if so, why?

Before any information security program can move off the drawing table, senior management has to sponsor the program. Senior management is going to buy in and pay for the program. They are also going to put their stamp of approval on it so users understand its importance. Having this support is also important when communicating with other departments. Having the HR and legal departments backing you will be a big benefit. Once you receive this support, it’s important to continue to show the value of the program. Being able to show management the business metrics as well as a return on investment is vital. It’s not an easy road, but it can be traversed.
