By Bert Latamore
July 19, 2006
Alstom Transport is not exactly a household name. But its products are
well-known, particularly among travelers. They include the French TGV
high-speed trains and the Euro Star high-speed train that travels the
Chunnel under the English Channel, new high-speed Amtrak passenger trains
in California and new metro trains in Singapore.
This French-based, $16 billion gross company operates in 60 countries
including most of Europe, the People's Republic of China and several South
So nine months ago when Nikk Gilbert joined the company as IT security and
telecom director, he knew he was taking on a real challenge. He needed to
hit the ground running. Here are the key things he focused on to succeed:
1. Choose a good company to work for.
Before he interviewed for the job he researched it to be sure it was a
good company to work for. Alstom values its employees and proves that with
its actions. At the end of its last fiscal year, for instance, it gave
every employee several shares of stock as a bonus.
2. Get executive backing.
"I interviewed with the CFO and asked him point-blank what their level of
commitment was, what kind of budget and support I could expect," Gilbert
says. "I left knowing that senior executives knew they needed security and
that I would have the level of support necessary to get the job done.
Without that you are out of money, out of luck and probably on your way
3. Partner with HR and Legal.
A good rapport with these two departments is essential to success in the
security role, particularly in a multinational company such as Alstom.
Just keeping track of the privacy and data security regulations in more
than 60 countries worldwide is a challenge. Gilbert has to depend on HR
and Legal to advise him on the varying legal requirements he must meet in
4. Develop a rapport with users.
IT network security programs flounder when end-users refused to follow
them. "Security means inconvenience for users who are just trying to get
their jobs done," Gilbert says. "It is important both to remind them of
the importance of security and to minimize that inconvenience." Right now,
he says, he is in the pilot phase of implementing a smart card/SSO/PKI
system across the company because smart cards only require the entry of
one PIN rather than the seven or eight passwords users are often asked to
enter to access various systems. "We are showing our users that we care
about their problems and are working to make things as easy as possible
for them. We have determined that this will provide us with good security
without annoying people too much."
5. Know what you have.
An asset inventory is absolutely necessary and should include a network
diagram that shows the schematic locations of workstations, servers,
switches and routers as well as a list of hardware. "You may have the
budget and know the rules, but if you don't know what you have, you are
blocked," Gilbert says. "And when your network is spread out over more
than 60 countries, this becomes even more important."
6. Get the right tools.
The security officer for a small office can do things by hand. The
security officer for a multinational company is totally dependent on his
tools for basic activities such as PEN testing and vulnerability scanning.
"We picked Core Impact, and it just turned things around unbelievably,"
Gilbert says. "A lot of the tools out there detect the problems or find
the systems that require patching. With Core you can find the
vulnerability, execute on the vulnerability, and you own the system."
Core's tools are particularly helpful in convincing co-workers that they
have security problems "Instead of telling the e-mail supervisor he has a
vulnerability, I showed him his last three days of e-mail traffic. That
ends any attempt by the system administrator to pass the warning off as a
7. Review and update corporate security policies.
The security officer needs to know corporate policies concerning such key
issues as security and remediation procedures. Change management and
tracking logs are important. And Gilbert says one of the first things the
security officer should do is build a security dashboard that captures and
displays information including how many virus attacks are attempted, how
many outside probes hit the firewall, etc. Having those statistics in one
place is very useful, particularly when talking to senior management. The
continual issue for security is that ideally executives never see it. Good
security means nothing happens. So executives tend to forget the need to
continue to invest in strong security. Statistics that show all the
attacks that failed are a good reminder that the organization is getting
good value for its security investment.
8. Use strong authentication.
Finally, he says that strong authentication is "a good start on fixing the
problems." When the system knows the identity of everyone on the network
with a high degree of certainty, it can manage their access and shut out
unknown individuals, even those who log into the network from inside the
company. If the organization does not already have a strong authentication
system installed, building one should be a high priority of the first nine
"Really, when you come into a new situation you need to have a clear set
of priorities and hit the ground running," Gilbert says. "This list has
guided me in my first nine months, and we have gotten a lot done in a
short time following it."
Bert Latamore is a journalist with 10 years' experience in daily
newspapers and 25 in the computer industry. He has written for several
computer industry and consumer publications. He lives in Linden, Va., with
his wife, two parrots and a cat.
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.