Security is a change management job

Donald Kleinschnitz Jr., a self-proclaimed storage guy, came to Symantec Corp. of Cupertino, Calif., in 2003 from PowerQuest Corp., where he had been chief technology officer and senior vice president of storage products.Kleinschnitz served in the Navy and also worked at Hewlett-Packard Co. as general manager for scalable network storage and OpenView storage management. Before that, he spent 24 years at Storage Technology Corp. of Louisville, Colo.As Symantec's vice president for product delivery, his duties include oversight of technology in the enterprise administration business unit. Without a compatible approach to managing storage, systems and security, which have traditionally been separate administrative areas, he believes the enterprise will fall short.Kleinschnitz holds a degree in digital engineering technology and an M.B.A. from the University of Colorado.GCN senior editor William Jackson spoke with Kleinschnitz by telephone.KLEINSCHNITZ: Most of my Navy career was on Polaris Poseidon submarines, so IT security had a different flavor. It started with a guy with a gun as you entered the submarine. This was before satellites, so the communications systems were extremely secure. We went to a lot of effort to ensure we knew who we were talking to and the content was protected.The thing I remember most is that it was dead serious. There was a huge amount of effort put into the security technology on those submarines.KLEINSCHNITZ: In many ways, securing a submarine is easier. But the fundamentals of entry and access, the physical and electronic content of what comes in and leaves, are pretty much the same. How do I ensure that the people there are supposed to be there? How do I ensure that the people I'm connected to are the people I think they are, and how do I ensure the content I'm getting and sending is secure? Then how do I close down the connection, leaving no remnants of the information? If you view a submarine as a single Internet connection, there are a lot of similarities.KLEINSCHNITZ: At PowerQuest I spent a fair amount of time learning the systems side. I found myself taking a job at Symantec when it bought the company.The pivotal moment for me was sitting in an architecture meeting. I said, 'Now I know why they're backing up people's data,' to be able to recover from a potentially serious event. I had no notion then of the customers' stress from exploits.I had long thought convergence was coming between systems and storage management, and I had watched security from afar. Now I realize it is systems, storage and security that are going to converge.KLEINSCHNITZ: It's the degree to which vulnerabilities are showing up and the speed with which they are exploited. As code becomes more complex, the opportunities for vulnerabilities increase, and people are making careers out of exploiting them.Processing power is expanding substantially. Storage costs are eroding about 30 percent a year. It has gotten to the point where big files can be handled at really high speeds, and in an environment that is being exploited there is heightened awareness of the need to manage the total environment better.KLEINSCHNITZ: Anytime there is a change, a fair amount of disruption goes with it, akin to the time when IT organizations finally understood that the PC was not a toy and had to be managed.It's a similar situation now that people understand that damage from security problems is every bit as harmful as huge mistakes made by the CEO or the chief financial officer.Like any kind of organizational change, you start at the top. The CIO needs to be dead serious about security and the right organization. This is where a military analogy really works. I don't think there is a lot of difference between going to war and defending an enterprise against malicious attack.KLEINSCHNITZ: I think it is a matter of better integrating security throughout the enterprise, but the question is, how do you create that alignment? Naming a chief security officer is one way, not the only way.I think the CIO has to sit in a room with all the folks, and if they keep putting up stovepipes and cannot work together, then maybe the CEO needs a security officer or project leader.But the ideal situation would be making it clear that security is important to everyone. It's a lot like quality. At one time companies were assigning quality officers, but nowadays all employees pretty much have quality as part of their jobs.If I were a CIO I would ask everyone to tell me what the security implications are in their areas, and what part they are going to play in the solution. It's clearly a change management, team-oriented problem. Maybe having someone as head of security to drive that really hard is a good idea, but at the end of the day every one of the IT organizations has to know its part and demonstrate that it can participate adequately.KLEINSCHNITZ: My sense is that government is ahead of the curve in two places'awareness and need. It's easy to connect national security to security technology, but there are other motivations, such as the Federal Information Security Management Act. There isn't the same kind of direct pressure in the commercial sector.KLEINSCHNITZ: My sense is no, and I think it is because we are early in the process of recognizing the need for change. As we used to say in the Navy, somebody has to light a fire on the deck, and everybody will move to the other side.As we move into it, we are finding some deficiencies in current technologies. As vendors come up to speed we have to help out. We usually end up with customer discussions in three areas: patch management, asset management and recovery.KLEINSCHNITZ: Not in a glaring way. This is an electronic, transaction-based world, and I don't see a big difference between trying to make a secure connection to protect my livelihood or to guard national security. Of course national security is more critical, but it's not an order of magnitude different.KLEINSCHNITZ: We have to attack it on multiple fronts. The first thing we need to do better is build as common an operating environment as possible. But at the same time, it probably is impractical to think every machine in an enterprise is going to look the same.The second part is having an infrastructure that lets you deploy patches rapidly. The good news is, if there is a good infrastructure, a common operating environment, then it should stand up well in disruptive cases when a patch is needed. But you need a connection to every machine'servers, then desktops, a little more difficult. Notebooks, really difficult, and mobile computers, way difficult.KLEINSCHNITZ: You have to treat it like any change management challenge. Enterprises in the future are going to have two modes. Normal mode is managing new machines as they come in. Disruptive mode means that they're vulnerable to exploits. You want a system that takes you through the disruptive mode as quickly as possible.