When someone mentions the U.S. Secret Service, chances are you think of the no-nonsense bodyguards who lay their lives on the line to protect the current and former presidents and their families. But what if someone were to suggest that the organization is one with which you should be collaborating to safeguard your computer systems and protect the physical security of your IT operation?
That suggestion is being advanced by Paul Masto, a 25-year veteran of the Secret Service who served on the details that protected President Reagan and the first President Bush, and who subsequently founded Universal Security Specialists, a security consulting firm in Las Vegas. I spoke with Masto last week at a workplace threat assessment, protective intelligence and deception-detection workshop in Las Vegas. It was enlightening to hear Masto speak of IT professionals as people whose responsibilities should include working with law enforcement, and specifically the Secret Service:
I would recommend that they contact their local Secret Service field office and find out if there's an Electronic Crimes Task Force in that district. There is in most of them, and they should make that connection - make an appointment and introduce themselves. In this day and age, since Sept. 11, the private sector and law enforcement have bonded together to form these Electronic Crimes Task Forces. There are certain resources, experience and assets in the private sector that we don't have available to us in the government sector, and vice versa. So by combining the two, it makes for a stronger program. Now, if, God forbid, something bad happens and there's a problem in the private sector, for that IT professional who already has established that liaison with the Secret Service Electronic Crimes Task Force, it's easy to pick up the phone and get a response. They can conduct an investigation and continue forward to resolve the issues.
Masto stressed the collaboration theme throughout our discussion, noting that companies need to cooperate not only with law enforcement, but with each other. He said that when he was assigned to the Secret Service field office in Las Vegas prior to retiring, he was involved in setting up the Electronic Crimes Task Force there. He said he would ask local IT professionals what security problems they were confronting, and whether those problems were common to all of the hotels and casinos. What he found was that these IT pros, who represented competing properties, would go golfing together, and in the casual atmosphere of the golf course would share their experiences because they had a common interest in solving the problems.
That collaboration clearly inspired Masto:
We had a great idea at the task force. We put a double-blind system into place whereby you could log on to this system and talk about a problem you're experiencing at your property. And one of your competitive properties would respond - he wouldn't know who you were, you wouldn't know who he was - and say, "Yeah, we dealt with that a couple of months ago - here's the fix for it." It continues to be a wonderful place where they can anonymously go and support one another. None of the operators of the hotels up and down the Las Vegas strip wants to see one of the other operators go down - it hurts everyone when it's taken down, and they're all vulnerable. So again, it's a collaborative, team effort, but in an anonymous sense so that nobody ever knows which place is having what problems.
Masto emphasized, moreover, that it's "critically important" for IT to have a seat at the management table that formulates security strategies and to deal with such problems as the insider threat. Again, he highlighted the collaborative nature of threat mitigation:
People with access who have a grudge or some perceived slight, or real slight against them, find themselves in a position where they're going to go in and do some damage. Again, it's not strictly an IT responsibility - it's about partnerships. You have to work in conjunction with the human resources people and the management of the company to make sure you have a strong program in place to do background checks, to get those psychiatric evaluations, to do those police checks. Have some monitoring system for drug use and abuse - random testing and so forth. If you have a strong core program, it becomes easier to monitor and maintain the integrity of the physical security of a property and IT security.