EarthLink: Security from the Inside: A dialogue with EarthLink’s Lisa Ekman and Lisa Hoyt from Secure Business Quarterly

by rthieme on July 15, 2003

In a recent conversation with Lisa Ekman, Vice President of Infrastructure Operations, and Lisa Hoyt, Director of Information Security, Richard Thieme explored EarthLink’s comprehensive long-term approach to security, including the necessity of selling security internally to executives, engineers, and the entire corporation.

How Security Evolved at EarthLink

In the “old days” — the sixties, seventies, and eighties — information security was seldom perceived as integral to business operations. The application area was king of the information systems arena. Security positions were not viable IS positions. Applications developers had all the status and clout. The term “infrastructure” wasn’t even used. Anything in the back-end was out of sight and therefore out of mind. So long as things worked, no one cared.

Times have changed. Security is a more integral part of the development cycles of internal business applications and network operations, and infrastructure is now understood to be essential to a business.

Because EarthLink was always a tech-savvy company full of technophiles who understood the network infrastructure, there’s always been a certain level of appreciation for the importance of good security.

EarthLink’s rapid growth over the past six years has caused the company to confront business decisions that required reevaluating the intrinsic importance of security and the necessity to be agile in response to rapid growth — facing questions like: How are we going to scale? How will we sustain and secure our current business and at the same time grow to where we want to grow? How can we use the best, most current technology to our advantage? How can we do all of this while being cost-conscious?

In addition, although awareness of security has always been at the forefront at EarthLink, that doesn’t mean that everyone understood the issues, which sometimes created a challenging work environment. Security professionals had to educate all levels of the corporation to ask the right questions. Is it a security issue? A network problem? A server problem? An application problem?

As a result of these efforts, non-security departments are now more cognizant of the fact that security professionals are partners working with them as team players, rather than adversaries trying to stop them from doing things.

Security isn’t just how a company defends against attacks. Lisa Hoyt emphasizes that security is an enabling technology in an acquisition-and-merger type environment. (EarthLink has acquired other companies and is often mentioned as a takeover target itself.) Having predictable, repeatable, secure ways to connect databases, applications, companies, and sites enhances both perceived and real value.

Security is also increasingly going to be a marketplace requirement. For example, if you want to accept a Visa® credit card in the future, you will need to have an information security infrastructure in place, or they won’t do business with you. Hoyt believes that the SEC will soon exert similar pressure on companies to have information security solidly in place. Like auto manufacturers providing seat belts and air bags once consumers demanded a higher level of safety, the marketplace will demand that networks be secure, and businesses will have no option but to comply with those demands.

Selling Security Internally

Leaders like Hoyt and Ekman, while responsible for security and infrastructure, also have to make sure that everyone — including leaders with hierarchical authority beyond theirs — buys into it. Employees must perceive — not merely believe — that security is in their own best interest. In figuring out how to win people over, Ekman and Hoyt found that one particular selling strategy, “FUD” (fear, uncertainty, and doubt), doesn’t work at all.

“Luckily, we do not need that kind of tactic to get support at EarthLink,” says Hoyt. “Crying wolf may get the first firewall, but over the long run, you need a more well-rounded perspective. If you cry that the sky is falling and then there isn’t a catastrophe, it’s a one-trick pony. In addition, you need to discuss how security enables the business model. If you’re just talking about the guy outside with the gun, it’s a limited worldview.”

Even if it does work, it doesn’t work well enough, adds Ekman. “FUD only buys you a little bit. It never gives you the whole enchilada.”

And besides, Hoyt adds, EarthLink is a young, tech-savvy company. You can’t frighten them about the Internet.

So how, then, do you sell this product called computer security to the company as a whole? Some solid numbers would help. Unfortunately, they’re pretty hard to come by. The metrics just aren’t there yet to demonstrate the return on security investment.

“We would prefer to have more data to use as a selling point,” Hoyt says. “We looked at things like the CSI/FBI crime survey to try to get some per-incident cost statistics, so if we had a breach we would know what we were looking at, but there is really not a lot of firsthand ROI information. Those that have it seldom share it in the public domain.”

Risk analysis for information security is more qualitative than quantitative. But that’s not fatal. Ekman and Hoyt believe that there is enough factual information available so that they can make their case even without hard numbers — by sketching out the Big Picture.

Those who exclusively insist on hard numbers to make this analysis miss the Big Picture. Companies that employ this approach tend to value data on a granular level, Hoyt says. If a single credit card number represents a penny’s worth of risk to reputation, and you have a million of them, then you know how much control to apply.

If a company really wants to generate numbers for their own business case, first they must assign value to their data, then run it through a risk analysis. But then they have to consider the intangible risk analysis questions: How much is a two-dollar drop in your stock worth? Evaluating security risk today, Hoyt concludes, is more wizardry than accounting.

From a risk management point of view, companies benefit from a small amount of ROI in the form of reduced premiums for security insurance. Over time that will grow, particularly after insurance companies pay out large settlements, but in the meantime insurance companies will need to adhere to high standards for security audits.

Working with the Culture

EarthLink is admittedly a “geek culture.” Geeks tend to resist authority. They prefer to be left alone to solve technical problems in their own way. In Hoyt’s six years at EarthLink, she has developed a good working relationship with both administration and the engineering team because she approaches them on an equal footing, asking: How can we provide security to support whatever you’re trying to do? “Negotiation and education breaks down that wall of ‘I’m a geek and I know everything so leave me alone,’” says Hoyt, “and replaces it with, ‘We’re all EarthLink employees trying to provide the best services we can provide.’”

None of that works, however, Ekman emphasizes, unless you have full understanding and support from higher-ups. If the CEO, the president, or the CFO does not have a clear understanding of the benefits of security or why this intangible expense is needed, then whatever you do is futile. “If you don’t have that buy-in and don’t educate senior management so you can get the help you need or pay for the expenses you will incur, you cannot begin to accomplish your goals,” says Ekman.

More CEOs recognize that security is intrinsic to organizational effectiveness, but there’s still a long way to go. CEOs and CFOs think about the world in different terms than security professionals do. That’s why effective communication is essential.

Ekman says that when senior executives think about security, they tend to jump to analogies of disaster recovery and forensic investigations. Executives often want to get down to the bottom line, but in security, the bottom line is always a shade of gray. Because it’s difficult to evaluate a benchmark and get key metrics per area or per industry, the kind of facts that executives want to hear are often not available — and so they compare the possibility of a network security breach to that of a natural disaster like an earthquake. But security, Ekman says, is totally different. Security is online, instantaneous, 24/7. It’s never just after the fact.

The best conversations about security result in measurable goals or objectives for which people can be held accountable — the nuts and bolts: how to do it, who is going to do it, and by what date. “Awareness” is transformed into deliverable action items, making the security initiative discrete — and doable.

Executives need to understand that information security is a daily process, not a Big Bang. It is about educating the workforce and consistently reevaluating exposure to risk. Security is a strategic conversation that should be apparent in all areas of business development.

EarthLink’s Security Infrastructure

So what specific security tools and techniques does EarthLink employ? They use multiple levels of firewalls and intrusion detection systems. They do extensive host hardening and use the secure gateway model for access control to eliminate security events that happen by “accident” or through default. And they use a lot of open source and custom tools, rather than follow a specific product line, to ensure that the security enterprise is aligned, to the finest level of detail, with their own security standards.

Protecting sensitive customer billing information from misuse and disclosure is a top priority. Because EarthLink is an Internet company with multiple Internet access points, internal and business applications must be separated from external services. EarthLink has several layers of isolation between how customers connect to Web servers, how Web servers store files, and how credit card information is stored in databases and in file servers. Administration access is severely restricted and tightly controlled.

For all the emphasis on external connectivity, however, EarthLink is very aware that intrusions and disruptions can come from inside the network. Policies and procedures that protect the company from itself are inseparable from enterprise-wide expectations of a high level of responsibility and accountability.

“Our core values and beliefs are alive and well at EarthLink,” Ekman says. “They’re based on common sense as to what constitutes responsible, mature adult behavior. We trust and respect our employees, and they live up to the level of responsibility implied by that trust.”

EarthLink restricts access to critical sets of information on a need-to-know basis. Access controls and physical security controls support limited visibility into key systems — credit card information is not visible, for example, to an application updating someone’s billing information. And notifications on servers state that monitoring may be conducted during an investigation or during regular use of a system. But it is essential that internal security does not create an antagonistic relationship between security architects and the user base. Here is where the company’s ethic of collective accountability is critical, because it means that employees recognize that these practices serve the end of creating a secure working environment. Employees are not the enemy, but if they want to work at EarthLink, they must accept the safeguards.
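The two ideas in this section that a practitioner can actually implement are the isolation of stored card data from the rest of the billing record and the need-to-know rule that a billing-update application never sees the card number. The following Python example, added here and not EarthLink's own code, shows one way to enforce both: the card number lives only in a separate vault behind an opaque token, each role has an explicit read and write field list, only a settlement role may resolve a token, and every access or refusal is written to an audit log (the programmatic counterpart of the monitoring notices mentioned above). The role names, field names, the token vault and the sample customer record are all assumptions made for the example.

```python
"""Field-level least privilege for a billing record (illustrative example, not EarthLink code).

Role names, fields, the token vault and the sample record are assumptions for this example.
"""
import secrets

# Stands in for an isolated card store: token -> full card number.
# The billing record itself never holds the PAN, only the token and the last four digits.
CARD_VAULT: dict[str, str] = {}

def tokenize(pan: str) -> str:
    """Store the PAN in the vault and return an opaque token for the billing record."""
    token = "tok_" + secrets.token_hex(8)
    CARD_VAULT[token] = pan
    return token

# Constructed sample data: one customer, using a well-known test card number.
BILLING_DB = {
    "cust-1001": {
        "name": "Sample Customer",
        "address": "1 Example Way",
        "card_token": tokenize("4111111111111111"),
        "card_last4": "1111",
    }
}

# Which fields each role may read and write. A role not listed for a field gets neither.
# Only the settlement role may resolve a token back to a card number.
ROLE_POLICY = {
    "billing_update": {"read": {"name", "address", "card_last4"}, "write": {"address"}},
    "support":        {"read": {"name", "card_last4"}, "write": set()},
    "settlement":     {"read": {"card_token"}, "write": set(), "detokenize": True},
}

AUDIT_LOG: list[str] = []  # every access and every refusal is recorded here

class AccessDenied(PermissionError):
    """Raised when a role asks for something outside its policy."""

def read_record(role: str, cust_id: str) -> dict:
    """Return only the fields the role is permitted to see, and log the access."""
    policy = ROLE_POLICY.get(role)
    if policy is None:
        AUDIT_LOG.append(f"DENY role={role} cust={cust_id} read (unknown role)")
        raise AccessDenied(f"unknown role {role!r}")
    record = BILLING_DB[cust_id]
    view = {k: v for k, v in record.items() if k in policy["read"]}
    AUDIT_LOG.append(f"READ role={role} cust={cust_id} fields={sorted(view)}")
    return view

def update_field(role: str, cust_id: str, field_name: str, value: str) -> None:
    """Write a single field, but only if the role's policy lists it as writable."""
    policy = ROLE_POLICY.get(role)
    if policy is None or field_name not in policy["write"]:
        AUDIT_LOG.append(f"DENY role={role} cust={cust_id} write={field_name}")
        raise AccessDenied(f"role {role!r} may not write {field_name!r}")
    BILLING_DB[cust_id][field_name] = value
    AUDIT_LOG.append(f"WRITE role={role} cust={cust_id} field={field_name}")

def resolve_card(role: str, cust_id: str) -> str:
    """Resolve the stored token to the full card number; only detokenizing roles may do this."""
    policy = ROLE_POLICY.get(role)
    if not (policy and policy.get("detokenize")):
        AUDIT_LOG.append(f"DENY role={role} cust={cust_id} detokenize")
        raise AccessDenied(f"role {role!r} may not detokenize")
    token = BILLING_DB[cust_id]["card_token"]
    AUDIT_LOG.append(f"DETOKENIZE role={role} cust={cust_id}")
    return CARD_VAULT[token]

if __name__ == "__main__":
    # The billing-update application sees the masked card but never the token or PAN.
    print(read_record("billing_update", "cust-1001"))
    update_field("billing_update", "cust-1001", "address", "2 Example Way")
    try:
        resolve_card("billing_update", "cust-1001")
    except AccessDenied as exc:
        print("denied:", exc)
    # Only the settlement role can reach the vault, and that access is logged.
    print(resolve_card("settlement", "cust-1001"))
    print("\n".join(AUDIT_LOG))
```

The point of the design is that the policy is data, not scattered `if` statements: adding a role or tightening a field list is a one-line change, and a reviewer can read the whole access model in one place. Keeping the vault behind a token also means that a compromise of the billing application alone yields last-four digits and tokens rather than card numbers.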

How Do You Start?

What advice do Ekman and Hoyt have for companies planning their security investment strategies? Start early. If you can only get one firewall on your network, start with that. Build on that foundation rather than trying to implement everything after the fact.

“You have to stay focused,” Ekman says. “You have to be aggressive. You have to stay earnest. There is a fine line between getting the job done and not making enemies. The bottom line is, stick to the facts, stick to the mission, and stick to accountability.

“To do this right,” she concludes, “is an art.”

Lisa Ekman is Vice President of Infrastructure Operations at EarthLink.

Lisa Hoyt is Director of Information Security at EarthLink.

Richard Thieme, a freelance writer who speaks and consults on the human dimensions of technology, facilitated this dialogue.

Copyright Secure Business Quarterly, an @stake publication, 2001. All Rights Reserved. Reprinted by permission.
