Since graduating from Auburn with my Bachelor of Science in Information Systems in 2001, I have had continuous opportunities to use my education and broaden my skills. I have held technical and managerial positions ranging from web application development to data warehousing to systems engineering. For the past three years I have managed a team of cybersecurity professionals while employed with Northrop Grumman Corp.
Northrop Grumman is aptly described as the largest family working toward a common goal. The cyber skills our company’s leadership and team members have taught me, along with the information technology foundation that I obtained over the previous 13 years, enable me to work through both a security and a business viewpoint as strategies are developed.
Although Northrop Grumman offers a broad portfolio of capabilities and technologies for applications from undersea to outer space and into cyberspace, ensuring these solutions meet the security requirements of the customer is only part of the equation. The internal tools, resources, and processes used to develop these solutions are at the foundation of security.
In recent years, cyber security vendors have done a tremendous job of developing products that address many of the threats that are used by the adversaries. However, there is no single product that can protect against every known threat. Deploying multiple products and solutions at various layers of the IT environment is absolutely the best approach, but the expense in software and labor to cover every area would be cost-prohibitive. Finding the right level of a layered defense, combined with demonstrating the value to your organization, is essential.
The three words that I use to help steer my planning are balance, utilization, and narrative.
First, balance your vendor suite of products with your company’s security requirements. Swapping out security products or purchasing new ones should never be done without first understanding your true security needs. These needs are unique, depending on the type of company, the data/assets to be protected, and the available budget. To mitigate the cyber threats your organization faces, you must take the time to thoroughly document your unique security requirements and then align the attributes of security products to meet those requirements.
Second, to achieve the efficiency demanded by today’s business environment, utilization of all your resources is key. Start by fully deploying and fully using the security products your organization has purchased. So many of the security products today have multiple modules and integrations with other products that can exponentially strengthen your security posture when fully applied. When a new security product is purchased, it’s easy to focus on the main feature of the product and potentially lose sight of the additional benefits the product may offer. Proper utilization of your security team is also a must. Fully employ their technical strengths, such as scripting or analysis, don’t waste time and energy with antiquated tasks, and support continuous improvement.
Third, know how to tell your security story, your narrative. Be able to clearly articulate the issues you see and the steps you will take to address those issues. Being able to tell your story will ensure executive leadership is fully aware of and supportive of your strategies. Knowing the technical aspects of cyber security and putting the right team in place are the first steps in addressing the issues. Too often security professionals fail to describe the value our strategies bring to the organization. It is vital that you communicate to executive leadership your analysis of the company’s needs and the strategies you’ve employed to meet those needs now and in the future.
Gary Vaughan ’01
Manager, End User Security
Northrop Grumman Corporation