22 Oct Rayovac’s IT team discusses network security, Sarbanes-Oxley and ROI myths
Rayovac Corporation and the brands it owns worldwide make batteries, lights and personal grooming products, including foil electric razors and a wide range of other products. The company employs about 5,000 people. Ben Bradley recently sat down for a chat with network engineer Mike Gutknecht; Brent Leland, director of business IT; and Rick Dempsey, CIO for Rayovac, to discuss the effect of Sarbanes-Oxley on IT processes, myths about ROI justification and the unanticipated benefit of Sarbanes-Oxley to IT budgets.
Ben Bradley: What is Sarbanes-Oxley?
Rick Dempsey: Section 404 of Sarbanes-Oxley (SOX) says that firms listed on U.S. stock markets must provide annual disclosures and quarterly updates to shareholders on the effectiveness of their internal controls. The executive office must see the details behind reported financial information and must know in real-time of any changes to business performance. In other words, if you aren’t secure, your controls are not effective.
Ben Bradley: Let’s start with some background on the problem. What was life like before Sarbanes-Oxley?
Brent Leland: Prior to SOX, we behaved very much like every other company. We were proactive on some issues, reactive on others — such as security patches and vulnerabilities. If Microsoft issued a security bulletin, we would review the bulletin, then patch the systems that required patching.
Mike Gutknecht: Every IT guy in the world has an ideal picture of how systems should work for a given organization. Then, from that picture, you work backwards into budgets and other realities. Hiring a technical security expert was part of the “ideal” picture, but historically, was not valued by the business. With the advent of Sarbanes-Oxley, the focus on network and system security has increased and allowed Rayovac to come closer to realizing that picture. We have recently added a position that focuses on our system and network security from a technical perspective.
Ben Bradley: How do you define a significant security event?
Brent Leland: Public release of sensitive information, disclosure of financial data, system failure, anything that would impact P&L, release of customer information, vandalism of the website, anything that has PR value.
Ben Bradley: How do you define a vulnerability?
Brent Leland: Good question. For us, at first vulnerabilities were network attacks, poor patch management, corrupt data, etc. But with SOX, we discovered a new vulnerability — not being able to demonstrate the effectiveness of our controls.
Ben Bradley: What did you do when you first learned about SOX?
Brent Leland: When SOX was first announced, internally we went through an informal audit to identify all our controls (which controls were most important? Which controls will be impacted and which need to improve?). The problem was, at the time, we didn’t know the scope of our own vulnerabilities and our CFO didn’t have time to pore over binders full of reports.
Brent Leland: To solve this problem, we identified an automated vulnerability assessment vendor, Beyond-IP, and asked them to show us our vulnerabilities. They ran more than 2,000 vulnerability tests and gave us a report that detailed every single vulnerability that they identified.
When you pick a VA vendor, you put tremendous faith in that vendor and their abilities. Beyond-IP, the North American distributor for Beyond Security, LTD, was an obvious choice. The solution they offer is backed by Securiteam.com, a large security portal, so we knew the service would be fast, timely and thorough – all critical since we’re talking about vulnerabilities.
Rick Dempsey: We showed a one-page summary report to the CFO and money became available. What the vulnerability assessment, the vulnerability tests and SOX did was focus us on how things should be done. The unanticipated benefit was that we were given the resources to improve our controls and network security. Corporate took it very seriously. It forced us to look inward at our processes and ask ourselves the question, “are our controls as good as they should be?”
Ben Bradley: Were they?
Rick Dempsey: Controls and processes can always be improved. The Sarbanes-Oxley effort focused our attention on this continual improvement.
Ben Bradley: How did you measure the financial impact of security vulnerabilities?
Rick Dempsey: Attaching a price to pay for securing your network is like purchasing insurance. The degree to which you invest in this insurance reflects your tolerance for risk. The Sarbanes-Oxley legislation has had an effect on Rayovac to lower its tolerance for risk and increase our spend to ensure a secure environment.
Ben Bradley: How often do you now scan for vulnerabilities?
Mike Gutknecht: Before SOX, we’d do a scan every 18 months. We now have the ability to scan at any time. Regular VA scans are like having sonar on our own network. We always know what is going on around us.
Brent Leland: One of the unanticipated benefits of this network sonar is that we now know what devices are running on the network. We get an instant alert if someone, for example, sets up an unsecured rogue wireless network. For compliance purposes, we can now generate a monthly report that indicates what changes have taken place in the network topology over a specific interval, and accurately certify exactly what devices are on the network at a specific time.
Rick Dempsey: We have a better idea about the scope of our vulnerabilities which means we can assign an owner to fix each vulnerability. If you know you have a problem and you know the scope of the problem, it is much easier to fix the problem. With the right data, we can also manage the vulnerabilities over time.
Ben Bradley: So how do you prioritize vulnerabilities?
Brent Leland: We don’t. We prioritize our remediation process. We use a combination of processes and tools that affect how we prioritize remediating vulnerabilities. First is an “H, M, L” (high, medium, low) vulnerability rating. This rating is assigned by our primary vulnerability assessment vendor. We also look at the SANS Top 20 list of vulnerabilities and a variety of other sources. We combine the severity of the vulnerability, the perceived likelihood of attack, and the importance of the system to be patched to develop a metric. This metric drives the prioritization of our remediation effort.
Ben Bradley: Have you done enough to prepare for SOX?
Rick Dempsey: Only time will tell. Everything will be borne out of case law in the next 5 to 10 years, so it will be a while before we know if we’ve done too much or not enough. I do know that, each month, I can say how many vulnerabilities we have, the severity of each vulnerability, the importance of the specific server that has the vulnerability and the general likelihood of the attack on that vulnerability.
Most important, I can clearly demonstrate that I am addressing my vulnerabilities over time. The goal, as I see it, is to demonstrate that our systems are tight and that we are proactively managing risk over time. We’re doing that.
Ben Bradley: What is the most difficult thing about network security?
Brent Leland: If you want to connect to the rest of the world, you can truly never be 100 percent secure. Accept it.
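The remediation metric Brent Leland describes (vendor H/M/L severity combined with perceived likelihood of attack and the importance of the affected system) and the monthly view Rick Dempsey describes (how many open findings, at what severity, and whether the count is falling over time) can be implemented with very little code. The following is an added example written for this page, not Rayovac’s, Beyond-IP’s or Beyond Security’s code; the ordinal weights, the multiplicative formula and the sample findings are constructed assumptions chosen only to illustrate the approach.

```python
"""Remediation prioritisation and month-over-month tracking of open findings.

Added example, not the interviewees' or any vendor's code. The weights,
the ranking formula and the sample findings below are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed ordinal weights for the three inputs (constructed, not a standard).
SEVERITY = {"H": 3, "M": 2, "L": 1}          # vendor's high/medium/low rating
LIKELIHOOD = {"high": 3, "medium": 2, "low": 1}  # perceived likelihood of attack
IMPORTANCE = {"critical": 3, "important": 2, "minor": 1}  # business importance of host


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    severity: str       # "H", "M" or "L"
    likelihood: str     # "high", "medium" or "low"
    importance: str     # "critical", "important" or "minor"
    found: str          # "YYYY-MM" of the scan that first reported it
    fixed: Optional[str] = None  # "YYYY-MM" remediation was verified, or None if still open


def priority(f: Finding) -> int:
    """Multiplicative metric: a finding ranks highest only when all three
    factors are high, so a severe issue on a minor host scores below the
    same issue on a critical host."""
    return SEVERITY[f.severity] * LIKELIHOOD[f.likelihood] * IMPORTANCE[f.importance]


def remediation_queue(findings: List[Finding]) -> List[Finding]:
    """Open findings, highest priority first. Ties are broken by host and
    title so the queue is stable from one run to the next."""
    still_open = [f for f in findings if f.fixed is None]
    return sorted(still_open, key=lambda f: (-priority(f), f.host, f.title))


def open_in_month(findings: List[Finding], month: str) -> List[Finding]:
    """Findings still open at the end of `month`: reported in or before that
    month and not verified fixed in or before it. "YYYY-MM" strings compare
    correctly as plain strings."""
    return [f for f in findings
            if f.found <= month and (f.fixed is None or f.fixed > month)]


def monthly_severity_counts(findings: List[Finding], months: List[str]) -> Dict[str, Dict[str, int]]:
    """Per-month count of open findings by severity, the figure a monthly
    compliance report would carry to show remediation progress."""
    return {m: dict(Counter(f.severity for f in open_in_month(findings, m)))
            for m in months}


# Constructed sample findings (hostnames and titles are invented).
SAMPLE: List[Finding] = [
    Finding("erp-db01", "Missing vendor security patch", "H", "high", "critical", "2004-01"),
    Finding("print01", "Missing vendor security patch", "H", "high", "minor", "2004-01", fixed="2004-03"),
    Finding("web01", "Weak TLS configuration", "M", "medium", "important", "2004-02"),
    Finding("lab-ap07", "Unsecured rogue wireless access point", "H", "medium", "minor", "2004-02", fixed="2004-02"),
    Finding("hr-fs01", "Anonymous share readable", "L", "low", "important", "2004-01"),
]


if __name__ == "__main__":
    print("Remediation queue (open findings, highest priority first):")
    for f in remediation_queue(SAMPLE):
        print(f"  {priority(f):3d}  {f.host:<10} {f.severity}  {f.title}")
    print("Open findings by severity, per month:")
    for month, counts in monthly_severity_counts(SAMPLE, ["2004-01", "2004-02", "2004-03"]).items():
        print(f"  {month}: {counts}")
```

The multiplicative form is a deliberate choice: an additive score would let a high-severity finding on a throwaway host outrank a medium one on the ERP database, which is the opposite of what the interview describes. The month-by-month table is the evidence Rick Dempsey refers to, that open high-severity findings are trending down rather than accumulating.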
Ben Bradley is the founder of GrowingCo, Inc. (see www.growingco.com or see the Darwin article), a provider and facilitator of peer-driven intelligence, interactions and insight.