This week, Stephen Ibaraki, I.S.P., has an exclusive
interview with the widely regarded, top ranking IT authority, and distinguished
senior executive, Joseph Dell.
Joseph Dell, with a degree from Emory University, has more
than a decade of experience within the network security arena providing both
management and engineering expertise.
He is currently the Chief Technology Officer for Vigilar,
Inc. headquartered in Atlanta, Georgia. He is responsible for providing
strategic technological direction for the company while directly managing the
nationwide team of technical experts. In addition to overseeing proposal and
consultations, he is responsible for training and managing Vigilar�s team of
Sales Engineers. Mr. Dell holds responsibility for evaluating new technologies,
driving the technical creation of customized solution offerings, and focusing
security solution sets on market trend analysis. Prior to joining Vigilar, he
managed the VeriSign Professional Services Security Services division (formerly
SecureIT). He not only provides vast security knowledge but also carries
extensive experience with market leading technologies from vendors such as Check
Point, Nokia, ISS and Cisco products.
Mr. Dell is a published author of network security
whitepapers and industry regarded articles. In addition, he has delivered
numerous speaking engagements nationwide. He holds the Certified Information
Systems Security Professional (CISSP), Certified Information Security Manager
(CISM), Microsoft Certified Systems Engineer, Certified Novell Engineer, Nokia
Security Administrator and Certified Check Point Security Administrator (CCSA),
Expert (CCSE) and Instructor (CCSI) certifications. He is in the midst of
writing a technical book focused on Wireless LAN Security.
Discussion:
Q: Joseph, you are a highly respected IT and security
authority and industry leading executive. We are fortunate to have you with us
to do this interview�thank you!
A: Stephen, thank you for taking the time out to chat with
me.�
Q: What first triggered your interest in computers?
A:� Well, it is funny you should ask that.� Just the other
day I was just reflecting on the Leading Edge Model M that I used to program in
BASIC on.� My 300bps modem and I took an interest in dialing FIDO anywhere we
could and to this day the obsession has stuck.� Years ago we didn�t have
information security, what we had was information in-security. I truly believe I
was destined to learn about and be part of the information security world. Even
back then, however, my hats were all white.
Q: Describe your work with VeriSign and useful lessons that
you can pass onto our audience.
A: The SecureIT Services division of VeriSign focused on
delivering training, products, and services in the arena of information
security.� At the time, we defined information security as �firewalls� and �IDS�
with the occasional �content filter�.� This strict focus on security allowed us
to be both deep and wide in security technologies.� The most useful lesson was,
quite simply, stay focused.�
Q: Can you describe your current work and your greatest
current challenges?
A: As CTO for Vigilar, I focus not only on perimeter
security, but in all areas of information security.� These areas include
wireless security, identity management, intrusion prevention, information
assurance, and information security management.� The greatest challenges are
staying on top of all emerging technologies, determining from the existing
customer base, and finding new prospects along with their needs and wants. By
overcoming this challenge Vigilar has delivered the right products and services
to be successful and have continued growth.�
Q: What are your top ten tips concerning security?
A: If only it was as easy as making a simple list.
1) Educate the end users because they are the weakest link.�
This refers to both end-user security training as well as professional
certification training.
2) Policy, Policy, Policy
3) Security controls
should be implemented and followed to align with business practices, not
vice-versa.
4) Assess yourself and do it continuously.
5) Just because a
technology is �cool� does not mean that it has a place in business.
6) Look
at the logs that you have been gathering
.
7) Layer
your security.
8) Don�t assume that technology can
solve any business problem.
9) Watch out for
regulation
10) Seek out security experts to help you wash, rinse, and
repeat.
Q: What are the major strengths of your company?
A: Vigilar�s greatest strength is its ability to service a
customer through the entire lifecycle of information security.� Our solutions
are geared towards the specific needs of the customer, regardless of where they
are in their implementation. Vigilar is committed to delivering the highest
quality of service and our strong base of customers reflects our commitment.
Q: Where do you see yourself and your company in five
years?
A: There are no national players in the information security
space.� Many [in the late 90�s] have tried, but none have succeeded.� Let�s just
say that the security industry does not have a national leader when whether it�s
through organic growth and/or acquisition. At Vigilar we are committed to being
that leader because we are committed to delivering leading and bleeding security
products and services.
Q: As a widely respected senior administrator, what are your
top tips for effective leadership?
A: 1) A happy employee is a productive employee.� Let people
do what they want within the confines of what the business needs.
2) Do not
mess with other people�s money.
3) Lead by example.
4) Respect is earned,
so earn it.
5) Train your employees.� Whether they want it or not the
technical people have a thirst for knowledge, so quench that thirst.� As for
what to train on, employees like certification training.
6) If their eyes
glaze over, it is time to take a break.
Q: With your innumerable successes, what additional lessons
can you share?
A:� The two most challenging yet critical aspects of success
are to focus and resolve.� The right vision without correct focus will yield
frustration, and strength with diligence is not credible without focus.�
Q: With your varied and impressive background, can you share
your top �amazing or surprising� experiences?
A: �I would like to say that I was surprised by one of my air
travel experiences when the front wheels wouldn�t come out for landing, but we
will save that for another time. I am always surprised at how little security
policy actually gets implemented within corporations.� Most companies claim to
have security policies but few go through the actual steps of following them.
Q: Do you have any humorous stories to share?
A: Many. However, you will have to attend one of my seminars
to hear them, otherwise I would be giving away my best stand-up!�
Q: Please pick three topics from your extensive work
experiences. Can you share three �special and very useful� tips in each topic
area?
A: �I thought you said these questions were going to get
easier�
In the area of Wireless:��
1) Treat wireless as untrusted.
2) Don�t trust WEP, MAC
Filtering, or any other built in security controls in access points.
3)
Remember that wireless is a �layer 2� problem and not a �layer 3� problem.
In the area of perimeter security:
1) Access control policies need to be granular for both the
outside in, and from the inside facing out.
2) Worms and viruses come in from
remote access connectivity; protect the inside from itself.
3) Layer your
security.� The perimeter doesn�t exist anymore, so enforce security in multiple
zones.
In the area of regulatory compliance
1) Do what is required to keep you out of jail.
2) Don�t
assume that technology controls make up for policy deficiencies.
3) There
may not be a case example yet, but you will be audited eventually.
Q: What are the five most important trends to watch, and
please provide some recommendations?
A:� Trends come in all shapes and sizes.� The most consistent
have been in the following areas:
1) Intrusion Prevention -Both host and network based
intrusion prevention is being deployed to stop �zero-day� attacks and to prevent
the spread of worms and viruses.�
2) Firewalls � Since the perimeter is dead, there are
wire-speed devices that are being implemented at the core of the network to
provide additional layers of security.��
3) SSL VPNs � If you haven�t looked at SSL based VPNs (also
known as �clientless VPNs�), then you have missed one of the most impressive
technology trends of the last two years.
4) Wireless � Everyone is deploying wireless, but few are
deploying it securely.� What is the �correct� way to deploy wireless?� Well, I
have a seminar or two for you to attend.
5) Assessments � This is the year of the assessment.� Whether
it is for compliance or simply to gauge a level of security, companies are
taking assessments seriously.��
Q: What are the five greatest challenges facing businesses
today? What are their solutions?
A: 1)�Worms and Viruses�- Data Harbor Consulting reports that
the worldwide cost of worms and viruses was $180 billion in 2003 compared to $45
billion in 2000.� The cost of the damage continues to grow at an extremely fast
pace.
2) Lack of budget for security � Average corporate
IT-security�budgets are not keeping pace with the security strains.� The same
report stated that in 2003 only 10% was dedicated to security compared to 2.5%
in 1998.�
3) Internal threats
4) Mis-configured points of access into the network
5) Lack of understanding of the need for security�
The solution to all of these issues is education.� Once an
individual is educated on the risks to information systems, they will have an
understanding of acceptable risk within an organization and they will be better
suited to make decisions on what assets to protect and which to ignore. That�s
why Vigilar focuses on delivering both strategic and tactical consulting
services.
Q: Where do you see IT in relation to business strategy and
operations?
A: Implementation of IT should follow business strategy.�
Operations should dictate what the needs of IT are, however not without
consideration for security as a whole.� Security should not be an afterthought.�
Q: Any predications about the economy and future IT
spending?
A: In the IT space as a whole, there is a growing acceptance
that security costs money.� The ROI on security is like that on
air-conditioning; it is difficult to justify and you expect it to be there all
the time.� As security becomes more critical within organizations and as
government regulation begins to mandate security practices, IT spending will
increase.�
Q: What are your top recommended resources for both
businesses and IT professionals?
A: �There are so many that I don�t know where to begin.�
1) Read all the trade magazines that you can get your hands
on.
2) Get involved in the local ISSA, ISACA and INFRAGARD chapters.
3)
Sign up for E-mail lists, there are more than enough to go around.
4) Take
30 minutes a week and scan through mailing lists and trade magazines that you
have received, but not opened.� Using these 30 minutes a week wisely will help
get you up to speed.
Q: What kind of computer setup do you have?
A:� As much as I�d like to tell you that I have a basement
with 14 different computers, I have to be honest.� I have one IBM Laptop and six
different hard drives with separate operating system images, such as: OpenBSD,
FreeBSD, Mandrake Linux, Windows 2000, Windows XP, and Solaris x86.� The
majority of my testing happens in VMware virtual machines where I can run
multiple operating systems simultaneously on one computer.���
Q: If you were doing this interview, what three questions
would you ask of someone in your position and what would be your answers?
A: �Excellent question.�
Q1: What drives you to get up every morning and do what you
do?
A1: My drive comes from a desire to be the best of the best in the
industry.� I also strive to educate people on a daily basis.� If I can teach a
prospect something, then I�ve done my job.� If I can�t educate people, then what
value is the knowledge stuck inside my head?
Q2: What is the one thing that you wish you�d done
differently in your career that you haven�t done?
A2: �Given the experience I
have, I wish I would have written more books.� I am frequently a trainer and
guest lecturer, but I wish I would have put more ideas on paper sooner.� That
would have allowed more knowledge transfer over the years in a quicker
fashion.
Q3: �What do you do in your spare time?
A3:� I am an avid
drag racer.� It is an expensive hobby, but that is why I stay in IT.� Yes, it is
a nine second street car.�
Q: Joseph, thank you again for your time, and consideration
in doing this interview. Your in-depth insights are of great value to our
audience.
A: Stephen, It was my pleasure.�