Canadian Information Processing Society (CIPS)

CIPS CONNECTIONS

INTERVIEWS by STEPHEN IBARAKI, FCIPS, I.S.P., ITCP, MVP, DF/NPA, CNP

Top-ranking IT Authority and Senior Executive

This week, Stephen Ibaraki has an exclusive interview with the widely regarded, top-ranking IT authority and distinguished senior executive, Joseph Dell.

Joseph Dell, with a degree from Emory University, has more than a decade of experience within the network security arena providing both management and engineering expertise.

He is currently the Chief Technology Officer for Vigilar, Inc., headquartered in Atlanta, Georgia. He is responsible for providing strategic technological direction for the company while directly managing the nationwide team of technical experts. In addition to overseeing proposals and consultations, he is responsible for training and managing Vigilar’s team of Sales Engineers. Mr. Dell holds responsibility for evaluating new technologies, driving the technical creation of customized solution offerings, and focusing security solution sets on market trend analysis. Prior to joining Vigilar, he managed the VeriSign Professional Services Security Services division (formerly SecureIT). He not only provides vast security knowledge but also carries extensive experience with market-leading technologies from vendors such as Check Point, Nokia, ISS and Cisco.

Mr. Dell is a published author of network security whitepapers and industry-regarded articles. In addition, he has delivered numerous speaking engagements nationwide. He holds the Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Microsoft Certified Systems Engineer, Certified Novell Engineer, Nokia Security Administrator and Certified Check Point Security Administrator (CCSA), Expert (CCSE) and Instructor (CCSI) certifications. He is in the midst of writing a technical book focused on Wireless LAN Security.

Discussion:

Q: Joseph, you are a highly respected IT and security authority and industry leading executive. We are fortunate to have you with us to do this interview—thank you!

A: Stephen, thank you for taking the time out to chat with me. 

Q: What first triggered your interest in computers?

A: Well, it is funny you should ask that. Just the other day I was reflecting on the Leading Edge Model M that I used to program in BASIC on. My 300bps modem and I took an interest in dialing FIDO anywhere we could, and to this day the obsession has stuck. Years ago we didn’t have information security; what we had was information in-security. I truly believe I was destined to learn about and be part of the information security world. Even back then, however, my hats were all white.

Q: Describe your work with VeriSign and useful lessons that you can pass onto our audience.

A: The SecureIT Services division of VeriSign focused on delivering training, products, and services in the arena of information security.  At the time, we defined information security as “firewalls” and “IDS” with the occasional “content filter”.  This strict focus on security allowed us to be both deep and wide in security technologies.  The most useful lesson was, quite simply, stay focused. 

Q: Can you describe your current work and your greatest current challenges?

A: As CTO for Vigilar, I focus not only on perimeter security, but in all areas of information security.  These areas include wireless security, identity management, intrusion prevention, information assurance, and information security management.  The greatest challenges are staying on top of all emerging technologies, determining from the existing customer base, and finding new prospects along with their needs and wants. By overcoming this challenge Vigilar has delivered the right products and services to be successful and have continued growth. 

Q: What are your top ten tips concerning security?

A: If only it was as easy as making a simple list.

1) Educate the end users because they are the weakest link.  This refers to both end-user security training as well as professional certification training.
2) Policy, Policy, Policy.
3) Security controls should be implemented and followed to align with business practices, not vice-versa.
4) Assess yourself and do it continuously.
5) Just because a technology is “cool” does not mean that it has a place in business.
6) Look at the logs that you have been gathering.
7) Layer your security.
8) Don’t assume that technology can solve any business problem.
9) Watch out for regulation.
10) Seek out security experts to help you wash, rinse, and repeat.

Q: What are the major strengths of your company?

A: Vigilar’s greatest strength is its ability to service a customer through the entire lifecycle of information security.  Our solutions are geared towards the specific needs of the customer, regardless of where they are in their implementation. Vigilar is committed to delivering the highest quality of service and our strong base of customers reflects our commitment.

Q: Where do you see yourself and your company in five years?

A: There are no national players in the information security space. Many [in the late 90’s] have tried, but none have succeeded. Let’s just say that the security industry does not have a national leader, whether it’s through organic growth and/or acquisition. At Vigilar we are committed to being that leader because we are committed to delivering leading and bleeding security products and services.

Q: As a widely respected senior administrator, what are your top tips for effective leadership?

A: 1) A happy employee is a productive employee.  Let people do what they want within the confines of what the business needs.
2) Do not mess with other people’s money.
3) Lead by example.
4) Respect is earned, so earn it.
5) Train your employees. Whether they want it or not, the technical people have a thirst for knowledge, so quench that thirst. As for what to train on, employees like certification training.
6) If their eyes glaze over, it is time to take a break.

Q: With your innumerable successes, what additional lessons can you share?

A:  The two most challenging yet critical aspects of success are to focus and resolve.  The right vision without correct focus will yield frustration, and strength with diligence is not credible without focus. 

Q: With your varied and impressive background, can you share your top “amazing or surprising” experiences?

A:  I would like to say that I was surprised by one of my air travel experiences when the front wheels wouldn’t come out for landing, but we will save that for another time. I am always surprised at how little security policy actually gets implemented within corporations.  Most companies claim to have security policies but few go through the actual steps of following them.

Q: Do you have any humorous stories to share?

A: Many. However, you will have to attend one of my seminars to hear them, otherwise I would be giving away my best stand-up! 

Q: Please pick three topics from your extensive work experiences. Can you share three “special and very useful” tips in each topic area?

A:  I thought you said these questions were going to get easier…

In the area of Wireless:  

1) Treat wireless as untrusted.
2) Don’t trust WEP, MAC Filtering, or any other built in security controls in access points.
3) Remember that wireless is a “layer 2” problem and not a “layer 3” problem.

In the area of perimeter security:

1) Access control policies need to be granular for both the outside in, and from the inside facing out.
2) Worms and viruses come in from remote access connectivity; protect the inside from itself.
3) Layer your security.  The perimeter doesn’t exist anymore, so enforce security in multiple zones.

In the area of regulatory compliance:

1) Do what is required to keep you out of jail.
2) Don’t assume that technology controls make up for policy deficiencies.
3) There may not be a case example yet, but you will be audited eventually.

Q: What are the five most important trends to watch, and please provide some recommendations?

A:  Trends come in all shapes and sizes.  The most consistent have been in the following areas:

1) Intrusion Prevention – Both host and network based intrusion prevention is being deployed to stop “zero-day” attacks and to prevent the spread of worms and viruses.

2) Firewalls – Since the perimeter is dead, there are wire-speed devices that are being implemented at the core of the network to provide additional layers of security.  

3) SSL VPNs – If you haven’t looked at SSL based VPNs (also known as “clientless VPNs”), then you have missed one of the most impressive technology trends of the last two years.

4) Wireless – Everyone is deploying wireless, but few are deploying it securely.  What is the “correct” way to deploy wireless?  Well, I have a seminar or two for you to attend.

5) Assessments – This is the year of the assessment.  Whether it is for compliance or simply to gauge a level of security, companies are taking assessments seriously.  

Q: What are the five greatest challenges facing businesses today? What are their solutions?

A: 1) Worms and Viruses – Data Harbor Consulting reports that the worldwide cost of worms and viruses was $180 billion in 2003 compared to $45 billion in 2000. The cost of the damage continues to grow at an extremely fast pace.

2) Lack of budget for security – Average corporate IT-security budgets are not keeping pace with the security strains.  The same report stated that in 2003 only 10% was dedicated to security compared to 2.5% in 1998. 

3) Internal threats

4) Mis-configured points of access into the network

5) Lack of understanding of the need for security 

The solution to all of these issues is education.  Once an individual is educated on the risks to information systems, they will have an understanding of acceptable risk within an organization and they will be better suited to make decisions on what assets to protect and which to ignore. That’s why Vigilar focuses on delivering both strategic and tactical consulting services.

Q: Where do you see IT in relation to business strategy and operations?

A: Implementation of IT should follow business strategy.  Operations should dictate what the needs of IT are, however not without consideration for security as a whole.  Security should not be an afterthought. 

Q: Any predictions about the economy and future IT spending?

A: In the IT space as a whole, there is a growing acceptance that security costs money.  The ROI on security is like that on air-conditioning; it is difficult to justify and you expect it to be there all the time.  As security becomes more critical within organizations and as government regulation begins to mandate security practices, IT spending will increase. 

Q: What are your top recommended resources for both businesses and IT professionals?

A:  There are so many that I don’t know where to begin. 

1) Read all the trade magazines that you can get your hands on.
2) Get involved in the local ISSA, ISACA and INFRAGARD chapters.
3) Sign up for E-mail lists; there are more than enough to go around.
4) Take 30 minutes a week and scan through mailing lists and trade magazines that you have received, but not opened.  Using these 30 minutes a week wisely will help get you up to speed.

Q: What kind of computer setup do you have?

A:  As much as I’d like to tell you that I have a basement with 14 different computers, I have to be honest.  I have one IBM Laptop and six different hard drives with separate operating system images, such as: OpenBSD, FreeBSD, Mandrake Linux, Windows 2000, Windows XP, and Solaris x86.  The majority of my testing happens in VMware virtual machines where I can run multiple operating systems simultaneously on one computer.   

Q: If you were doing this interview, what three questions would you ask of someone in your position and what would be your answers?

A:  Excellent question. 

Q1: What drives you to get up every morning and do what you do?
A1: My drive comes from a desire to be the best of the best in the industry.  I also strive to educate people on a daily basis.  If I can teach a prospect something, then I’ve done my job.  If I can’t educate people, then what value is the knowledge stuck inside my head?

Q2: What is the one thing that you wish you’d done differently in your career that you haven’t done?
A2:  Given the experience I have, I wish I would have written more books.  I am frequently a trainer and guest lecturer, but I wish I would have put more ideas on paper sooner.  That would have allowed more knowledge transfer over the years in a quicker fashion.

Q3:  What do you do in your spare time?
A3:  I am an avid drag racer.  It is an expensive hobby, but that is why I stay in IT.  Yes, it is a nine second street car. 

Q: Joseph, thank you again for your time, and consideration in doing this interview. Your in-depth insights are of great value to our audience.

A: Stephen, it was my pleasure.