Securing your networks isn't merely about buying a firewall, monitoring your network, or scouring the Internet for news of the latest exploits. Your organization's IT team and even its non-IT employees play an equally key role in ensuring security, says Lloyd Hession, chief information security officer (CISO) for BT Radianz. He should know. For 5 years, Lloyd has overseen IT security at the firm, which provides a network linking the world's financial services providers with major financial firms worldwide. As CISO, Lloyd ensures that the network stays up and running 24 × 7. Windows IT Pro senior editor Anne Grubb recently chatted with Lloyd about how he enlists the help of IT staff, end users, and technology in the never-ending job of keeping BT Radianz's network secure.

What IT security challenges does BT Radianz face?

Radianz hooks up the world's exchanges, financial information providers, and financial transaction services with all the major financial firms around the world. It's essentially a big IP extranet—the world's largest financial network. The value of the transactions sent over the BT Radianz network over 2 to 3 days can reach the GDP of the United States: $11 trillion to $12 trillion. And the security for that is absolutely critical. I worry primarily about things like availability, Denial of Service (DoS) attacks, worms, and viruses that can cause performance slowdowns.

Do you have a security plan that describes your overall security strategy and how you delegate IT security responsibilities?

We have an internal document, called Security Posture and Framework, which we share with some of our customers. It describes how we architect the network to be secure, the operational processes and disciplines that ensure the ongoing security of that environment, our organizational structure, how we handle incidents, and how we work with customers in the event of incidents. I'm quite used to being put under a microscope and explaining our [security] strategy; after all, if you're asking all these exchanges and financial firms to trust you, they're going to do their own level of due diligence. I tell them, look, we've picked the best-of-breed technologies and information services to inform us about the latest security vulnerabilities. I have to demonstrate—almost daily—that we're taking security seriously.

How large is your network security staff? What are their responsibilities?

I believe that one of the most effective ways you can handle security is that you have to get it into people's job descriptions, even when they aren't security professionals. So, for example, we have many people who perform an operational role in supporting and managing the network. It's absolutely critical that they understand that they have security responsibilities because, you know, if you're administering routers, many of the procedures have been put in place because of security issues.

So, when people ask me for a hard and fast number [of IT security staff], I typically say "41," which includes the number of people who have "security" in their title or have security as a significant portion of their responsibility. In reality, I do a disservice to the hundreds and hundreds of people in network operations centers whose jobs involve looking at screens that pop up security alarms and who communicate and escalate those alarms to a smaller group of technical security experts. I'd describe it as a distributed security organization, and I believe that makes it more effective.

I imagine that even smaller organizations that have more limited IT resources than Radianz could use this horizontal approach to security management.

You've touched upon a great point. Unlike BT Radianz, most companies can't afford to field a large central security organization. So to make sure they're delivering effectively on their security, they need to perhaps designate someone who sets a central [security] direction and communicates that to their systems administrator, their network engineers... the people who understand the technology. I strongly believe that you're better off taking somebody who understands the business's technology, somebody with a systems administration or network-engineering background, and teaching them the security issues, than taking a security professional, who has this wonderful security background but doesn't understand your business's technology.

What tools and products do you use to secure your network?

We use some tools that aren't typically considered security tools but have massive security benefits. We have to manage 40,000 routers. You can't manage those routers by hand. If I let people individually configure and administer a router, the chances of introducing errors would be too high. We can't say, whoops, a major exchange can't trade today because all our routers went down. So we have a special in-house expert system that's essentially a huge database of all the different configurations for the routers. When you want to make a change, you go through the expert system, which generates a configuration and pushes it out to the routers. If I suspected a router had been tampered with, I could compare its configuration with the known configuration in the database, and I'd know whether that configuration was hand-tuned—that is, not built by the expert system.

We also use carrier-class systems management tools—the type that large network organizations such as telcos use. For our internal, corporate network, we use Level 2 and Level 3 firewalls; Intrusion Prevention System (IPS) and Intrusion Detection System (IDS) devices; proxies; and spam, email, and spyware filters. Many of these tools aren't applicable to the production network that we offer customers, though.

Additionally, we use Symantec's DeepSight Threat Management System [for the production network]. DeepSight continually monitors the Internet for information about security vulnerabilities, attacks, and exploits and sends you alerts about those threats. DeepSight also tells you what you need to do to mitigate a specific threat. For example, you get an advisory about the SQL Slammer worm as well as the workaround to use (e.g., block traffic on port 1434, the SQL Server port) until Microsoft has released the patch. In short, it lets you quickly take the relevant information and make your own decision about where you're going to apply it in your environment.

Before we started using DeepSight, I was allocating two or three people to stay on top of security—reading all the security mailing lists, attending conferences, and prioritizing all the different alerts they were getting. My rationale for purchasing the Security Focus service, which Symantec subsequently acquired, was that I'd rather put my own people on dealing with real problems than have them spend all their time trying to research stuff when I can just buy the answers from someone else.

How do you involve your internal end users in your company's IT security plan?

If you've got only one security dollar to spend, spend it on awareness. Because, in a sense, your biggest potential threat is your internal people doing the wrong thing—downloading software that they're not supposed to download, running a file that has a Trojan horse in it. So anything you can do to make them aware of the security threats, to better communicate with them, means you'll probably have a lot fewer security problems down the road.

Users are also potentially your best level of monitoring because if they see something suspicious, they'll report it. You've got all these people acting like individual IDSs. Fundamentally, you have to get people to acknowledge that security is their responsibility. We have a list of 14 key security principles that we want our employees to understand. And the number-one principle is that security is your responsibility. Everybody has the responsibility—to lock the doors behind them, to not let strangers walk in the building, to not leave confidential documents sitting out on their desk, to keep their eyes on their laptops.

What's the top security threat that Windows IT pros face today?

For most corporations, it's spyware. Most organizations got religion about putting in antivirus software. But many don't have [adequate] antispyware tools. I'm hearing from many people in small businesses that they're almost coming to a halt because of spyware. It's potentially costing them a small fortune to clean up their systems and recover the lost productivity.