Caterpillar Uses Better Intelligence To Drive Security - InformationWeek


News | Software // Information Management | 4/29/2015 08:03 PM

Caterpillar Uses Better Intelligence To Drive Security

How strategy and a Capability Maturity Model are helping Caterpillar drive its information security transformation.

Plan X: DARPA's Revolutionary Cyber Security Platform

How do CISOs know whether they have sufficient funding? What are the best ways to measure progress? When results have been measured, how can successes and failures be communicated to the rest of the business?

These are questions that CISOs -- as well as any employee involved with information security -- face on a regular basis. They were central to a presentation given by Mike Zachman, deputy CISO at construction machinery and equipment company Caterpillar Inc., at this year's Interop Conference.

During his time at Caterpillar, Zachman was responsible for the global development and deployment of the company's information security program. He is currently leading the information security transformation for two of its high-risk business units. 


In order to measure and communicate progress, demonstrate strategic alignment, and calibrate with program management, Caterpillar adopted a Capability Maturity Model. The model was developed by Ernst & Young using data from 3,500 companies. It helps the team at Caterpillar assess the maturity of its program, see where it stands in relation to its competition, and identify where improvements are needed.

The visualization of its transformational progress, depicted as a single graph on one slide, is an improvement over the pages of numbers and metrics that CISOs typically handle, said Zachman. While the model isn't meant to be extremely precise, it's designed to give a close estimate of how the company is improving and whether it's investing in the right areas.

Throughout Caterpillar's transformation, the model helped employees recognize that the company was focused on several areas of information security, but not all of them. Its security maturity benchmark data can indicate improvements made over multiple years or reveal areas where components of its strategy fall short of the industry average.

After two years, Zachman demonstrated, there was a major difference in how the company had improved across multiple areas of information security. The chart also displayed the achievement of major accomplishments, such as times when Caterpillar documented its information security strategy, implemented mobile device management, and demonstrated improved vulnerability awareness through self-phishing exercises.

(Image: geralt via Pixabay)


Zachman noted that it can be tempting for security professionals to put all of their security data into a series of slides, an approach that seems more fitting given the amount of work that goes into information security. However, a more holistic view of progress is easier to understand and communicate.

Caterpillar's model has also helped demonstrate progress throughout the business.

"If you use a consistent model, it does give you the capability to talk to others who may not be information security professionals and give them something to understand," Zachman explained. As many in the field are aware, information security can be difficult to explain to an executive management team or board of directors.

If done well, a Capability Maturity Model like the one employed by Caterpillar can identify areas of strength and weakness while establishing a baseline for future success. However, it doesn't replace the necessary mountains of operational metrics throughout the organization, Zachman noted. People working in critical areas like configuration management and policy compliance need more detailed information to know that they are effectively doing their jobs.

Interop Las Vegas, taking place April 27-May 1 at Mandalay Bay Resort, is the leading independent technology conference and expo series dedicated to providing technology professionals the unbiased information they need to thrive as new technologies transform the enterprise. IT Pros come to Interop to see the future of technology, the outlook for IT, and the possibilities of what it means to be in IT.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
Kelly22 (User Rank: Strategist), 5/5/2015 | 5:21:54 PM
Re: Collaborating to increase security
@tzubair If you're talking about an industry-wide collaboration (among construction companies, electric companies, etc.) to share data, I agree that it could benefit all parties involved. The trouble, I think, is obtaining and organizing that data takes a lot of effort and resources. Caterpillar purchased its data from Ernst & Young, which was a much more efficient way of getting the information it needed to determine its place in the market. That way it could evaluate progress and plan for improvement in less time.
Broadway0474 (User Rank: Ninja), 4/30/2015 | 12:07:14 PM
Re: Collaborating to increase security
tzubair, I might have misread the article, but I thought part of the benefit of this model was that it did allow you to use other organizations' data --- to benchmark your own progress. That aspect (if true) would probably really help in the discussions with senior leadership. Here's where we are at, relative to our peer group or relative to similarly sized organizations in other industries.
tzubair (User Rank: Ninja), 4/30/2015 | 3:44:51 AM
Collaborating to increase security
@Kelly: While it seems exciting that Caterpillar is using intelligence to enhance security, the reliability would mostly be on the existing data within the organization. Would it not work better if they were to collaborate with other organizations and use their data as well? I think when it comes to security, all organizations are under threat and they maintain a log of security attacks on them. If all organizations can collaborate and share that information, it would generally help everyone become more secure. What are your thoughts on this?