Interview with GM security chief, Eric Litt
As the chief information security officer at General Motors Eric Litt admits that he isn't exactly starved for attention within the company these days. Globalisation, regulatory mandates and fast-evolving threats have put him at the forefront of GM's effort to integrate security into every aspect of its business. At the recent SecurE-Biz CxO Security Summit Litt talked about the need to build security into information infrastructures.
What's driving security at GM these days?
"I always say Sarbanes-Oxley and Mydoom are my best friends. Everybody reacts to that in surprise and asks me, 'How can that be?' Whether it's regulations or worms, the reality is that they focus attention on security at the board level and force us to do things, even though they can be painful and challenging."
What does "architecting security into information infrastructure" really mean?
"Many people are talking just about the technology when they talk about security. We need to look at things much more holisticly. That means the people, the organisation, governance, process and, lastly, technology.
"One of the other key points is that security has to be driven by the business need. It has to have a strong linkage to business processes. From a security perspective, to be successful, you need support [from] the board and the chief executive level down."
How do you go about doing all of this?
"We've built a model that is based on the threats faced by a business. What are the threats we are trying to protect against? What are the things we are mandated to do that are aligned with the threat?
"[Sarbanes-Oxley] is an example. It deals with access control. Do we understand what the requirements are? Are we doing the things we need to do to comply with the regulation? Once we complete the exercise, we know what to do. Then we put in a governance model, the people and policies in place, and last we look at the technology."
How do you know if the requirements are being met?
"The way we have organised ourselves, we have a core set that architect policies and standards and drive it down to the level of templates, which are detailed implementation requirements [for each business]. This is what we do centrally. Then we rely on the business to implement them.
"I score businesses against compliance with the directives we have given, and I make the score card visible to senior management. A red means a business has no solutions and no compliance in place. A yellow means you have a functional solution but no compliance. Green means you have a common solution."
What about outsourcers and third parties that you do business with?
"I look at all the resources that support a business function, whether they are GM-badged, outsourced suppliers or a joint venture. They are all part of my functional organisation.
"We are committed to scoring all our suppliers. We looked [at] about 10 different categories. How well do they understand the business - how well are they meeting our business needs? We look at their technology and their resources."
What are some of your biggest challenges in doing this?
"As an industrial entity, our environment has changed. We are in a global market, and one of our key internet drives is to get our organisation to act as one. That becomes increasingly complex to do as we get more integrated into the global community.
"In terms of the environment we operate in, worms and viruses are coming faster and faster. The time to exploit vulnerabilities is getting shorter. It means we need to move from a reactive model to a more automated and proactive security model."
What kind of organisational support and visibility do you have?
"I get plenty of attention, which is a very good thing. At GM, resources are not an issue. We give quarterly updates to our audit committee and at least monthly updates to other parts of our organisation. And at virtually every one of our CIO meetings, we talk about security."
What role can the government play?
"We believe the government plays a really important collaborative role. By mandating something, the government helps me to accomplish [some of] my goals.
"But there needs to be a balance. We need to make sure that we are not so consumed by the need to comply with mandates that we don't have time for anything else."
What can users do to ensure that software suppliers deliver more secure software out of the box?
"We believe in supply and demand. We believe the market should drive quality. Trying to legislate quality is very, very difficult. The best way to change a software supplier's behaviour is not to buy their product."
Jaikumar Vijayan writes for Computerworld
This was first published in June 2004