Preparing for Rising Security Threats

Tim Williams explains why it’s time for information security departments to stop playing catch up and prepare for the future

Just say “know.”

I’ve heard many people describe how IT security has evolved, and I think the best way to say it is that the field has shifted from “no” to “know.” The threats facing major businesses have increased substantially in velocity and sophistication. We simply have to know—we have to understand not only the tech landscape but also the business pressures that are out there.

By gaining this knowledge, an IT leader can stop being an enforcer and start acting as an influencer. IT leaders influence business by understanding the risks and the role they play in mitigating those risks. It takes a lot of dialogue, and it requires trust that comes through a good relationship.

Balancing tact

Caterpillar, like most businesses, is a relationship business, and it’s important to develop that trust. I’ve been in the field for thirty-five years and came to this company in 2006. I’ve learned along the way that whenever you’re spending money and resources, you have to have a good business case. That’s certainly true today for tech leaders when it comes to security. We make formal presentations to the board, the executive management teams, and at the general manager level. It takes relationships at all levels of the business—getting out to manufacturing facilities, for example, to better understand the realities they face and what we’re asking them to do. You have to balance security, business, and operations.

Security is a team sport.

We stress to Caterpillar employees that we’re all in this together. Anyone who uses the Internet, like we all do, faces risks at home and at work. We’ve built a unique team that liaises with public relations and communications, and that team is focused purely on security. We do security testing, and we’ve brought in outside experts to help teach employees how to protect themselves at home. That gets a great response, because as employees learn steps that keep their families safe, they tend to transfer that behavior to the work environment. It will always be about people. We want to have the right tech strategy, but you have to bring that forward in conjunction with the right employee behavior. You can have the best technology and best security in the world, but if someone clicks a link and gives away credentials, then all your work is lost.

We have great support from our executive leadership team, because they understand how critical this is to the overall success of Caterpillar. Guarding against unauthorized attempts to get into our networks is important to protect Caterpillar’s confidential information. Consider this: the average Internet-connected computer is attacked dozens of times per day—and we have thousands of Internet-connected computers. It underscores the importance of managing risk.

Understand the business.

As these threats shift, security leadership roles are shifting, too. The emphasis now is on business acumen. You have to really understand the world your company lives in, and you have to be able to explain complex technology and behavior in simple terms. A master’s degree in computer science and an MBA are both becoming more necessary than in the past. Completing an MBA program was a turning point in my career because I found I could better emphasize and articulate the risks along with required programs and expenditures.

Stop looking to the past.

We have to keep moving forward as an industry. Everyone wants to chase the shiny, new technology that will protect us all from everything out there. Instead, we need to examine where the threats will be five years from now and start thinking about what we need to do to prepare. The industry has been looking in the rear-view mirror for far too long, and we need to get more predictive.

Part of that lies in collaboration. Caterpillar has had very good interactions with leading government authorities, locally and abroad. We’re finding that liaising with government is an indispensable part of understanding future attacks and learning what other companies experience; the business community needs this extra set of eyes and ears, as this has become an issue of national security.