Spend big or get little on security

 


Julie Lucas says she once considered computer security boring. Now, with a 12-year stint in the Navy behind her, Lucas is the general manager for security solutions at Enterasys Networks Inc. of Portsmouth, N.H.

Before joining Enterasys in July, she had spent a year as information assurance practice director for Global Network Technology Services of Miami. The job, overseeing the design of the company's service offerings, was her first after a naval systems career.

From 1996 to 2000, she was the Naval Computer Incident Response Team officer and guided NAVCIRT's worldwide monitoring and response to attacks on Navy and Marine Corps systems.

Before that, Lucas was assistant director for data communications for the Pacific Fleet, director of the fleet's largest training center and computer repair shop, and responsible for the naval communications database.

Lucas holds a bachelor's degree in computer and information science from Ohio State University and a master's in IT management from the Naval Postgraduate School.

GCN senior editor William Jackson interviewed Lucas at a recent Washington trade show where she was a speaker.

GCN: How did you get onto the Naval Computer Incident Response Team?

LUCAS: I was on active duty from 1988 to 2000, and from 1994 to 1996 I was fortunate enough to go to the Naval Postgraduate School in Monterey, Calif.

I had become hooked on computer security at a 1991 seminar where I sat for two-and-a-half hours listening to a lawyer talk about security and about hackers. But I felt like I sat there for only 10 minutes.

The lawyer said, 'If this intrigues you, go buy The Cuckoo's Egg.' I bought the Clifford Stoll book. I was not an avid reader at the time, but I read the whole book in two days -- couldn't put it down. I was hooked 100 percent on computer security. I thought it was boring before that.

So I took my master's in computer security and was fortunate enough to be selected the NAVCIRT officer on leaving the postgraduate school.

GCN: Who was the lawyer who got you hooked?

LUCAS: He was an assistant district attorney out of Chicago, a very dynamic speaker and one of a handful of lawyers who were actually prosecuting hackers at that time. I got to meet him again when I was a NAVCIRT officer, and I told him, 'You had a major impact on my life.' He said, 'I hope it was positive.'

GCN: Was practicing and enforcing security at NAVCIRT as much fun as studying it?

LUCAS: Yes, I would say it was. It was intriguing to see a payoff from the practices and procedures. I got to meet a lot of very talented, dynamic people, many of whom I still keep in contact with. It was a great job for anybody in the military looking to expand computer security. I highly recommend any of the military's information warfare centers.

GCN: NAVCIRT has a high profile. Do you think the Navy is out in front in this area?

LUCAS: I would say we took it very seriously. I'd attribute the successes to strong teamwork between the Navy, Marine Corps and Naval Criminal Investigative Service, as well as support from upper management.

That government experience gave me a good foundation to build on. It gave me a good understanding of the processes and procedures, the real critical requirements, and how a computer incident can impact more than just operations.

At Enterasys Networks Inc. we were already expanding our security offerings before Sept. 11. It has been seen as a strategic play for well over a year. Our plan has been to roll out a full set of services that would complement our standing products to cover the whole range of security.

The awareness level about disaster recovery is increasing. People who had been saying 'This could never happen to me' are looking at their operations and saying, 'What if this does happen again? What if the power goes off? How could I keep running?'

A few years ago, there were a couple of cases of companies that did the bulk of their business online. Their systems were broken into, and they went down and were losing large numbers of dollars every hour. They had to get back up and be operational quickly. This helped to create an overall awareness level where people realized they do have to plan for these events.

GCN: Has Sept. 11 made a difference in what people are asking for and what they are willing to write a check for?

LUCAS: I think the biggest difference is that you have more senior managers willing to write checks. They are starting to reprioritize their budgets and realizing that this is something they have to be prepared for.

You should look at security as a form of insurance. As part of an information assurance assessment, we can either write from scratch or rewrite a disaster recovery plan.

I use the fire analogy a lot. There is a list of requirements you go through to protect a building against fire, including putting in smoke alarms and sprinkler systems. They are analogous to your network intrusion detection systems and your firewalls, so that you can detect and react quickly when your network is attacked.

Part of the response to a fire is having a fire marshal come in and do the root-cause analysis after the fire is out, and that's what computer forensics does.

The Office of Management and Budget is now requiring agencies to use best practices for security and rating each agency on its security practices. We have several customers that have implemented our security products to tighten the reins. The National Security Agency is also mandating security practices for the Defense Department, and we are working with those agencies to ensure conformance.

GCN: How do the government's disaster recovery needs differ from those of the private sector?

LUCAS: I think the needs are similar across the board; it's just a focus on your priorities.

Probably the biggest difference we see from the government side is that it is more difficult for agencies to get resources. They have some definite hurdles when it comes to getting the dollars to implement the great plans.

They've got the regulations -- you will do this -- but they're not getting the dollars to back it up.

GCN: Do you see that changing at all?

LUCAS: From where I sit, there has been a change, but not enough of one.

GCN: What is the government's level of security awareness, and how does that compare with how well-prepared agencies in fact are?

LUCAS: That's a broad question. You can look at specific sectors, such as the civilian agencies, and they are way behind. And you can look at others that are further ahead.

Now that I have been out of the military for a couple of years, I would say that the military, which is the part of government I'm most familiar with, was ahead of many companies in the commercial sector when it came to computer security.

That's not to say that the military has everything perfectly in place, but I've been impressed since I've been in the commercial world at how much we had in place in the Defense Department two years ago.

GCN: A recent congressional report card gave DOD an F for security. Are Defense agencies really doing that badly?

LUCAS: I was surprised at that. I don't know why DOD got that low a grade. Maybe it's the difference between where they would like to be and where they actually are. That goes back to the dollars and how much funding is provided for security.

And you have to look at the distribution of the tools. It's not enough to put the best-of-breed products at the center of the system. Everyone has to have access to them.

A few years back when I was on active duty, DOD had just gotten Zenith 248 PCs. There was a study of the contracting for those systems, and it turned out that well over half of the systems that were available were right around Washington.

At that time I was out in Hawaii, and it was hard for us to get the systems because we were farther from Washington. So just having a contract for a technology does not mean it is available to everyone.

You've got to look at the whole enterprise to find the weaknesses. That's probably where the grade of F came in.

What's More

Family: Two teen-agers

Military service: Navy, from 1988 to 2000

Leisure activities: Racquetball and farming

Motto: 'When in doubt, punt.'

Hero: Rear Adm. Grace Hopper

Julie Lucas, Security Underwriter