TechNet Radio: An Interview with Alan Levine of Alcoa
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.
Every week, TechNet Radio covers the latest trends and technologies in the world of IT, and provides interviews with real IT professionals who work in the field. Alan Levine, Chief Security Information Officer for Alcoa Inc., the largest aluminum producer in the world, recently sat down with TechNet Radio to discuss digital identity and malicious software.
Host: Alan, why don’t we begin by you introducing yourself?
AL: I’ve been with Alcoa for nine years. I was invited in to create a global structure for information security for the company. It was a bright choice at that time to globalize its security efforts, given how global we were becoming. We now have manufacturing locations in 40 countries and we employ well over 100,000 people.
Host: What are the hot topics today?
AL: One of the hottest topics is digital identity—whether it’s the function of digital provisioning, automated request processing, direct URL processing, or the workflow around all of that so the approval is properly signed off on. The notion that I know who you are or I can determine what you should be able to do or not do—that’s an evolving science. It’s not just a science, it’s an art.
Host: Do you feel like you’re fighting the same issues you were fighting 10 years ago or have you put those to bed and are you now facing new issues?
AL: Absolutely put those to bed. The first time I thought of myself as a security person was back in 1985 when IBM rolled this thing into a machine room called "Rack F" and said here’s the new way you’re going to manage the mainframe. Then the questions were very, very different. They were about managing the integrity and availability of a particular box, a particular set of data that was sitting on that box, and a very finite collection of applications. Today, everybody is connected to everybody. In 1985 spam was something in a can; there was no such thing as spyware unless the KGB or the CIA was inventing it, and a virus was something that gave you a cold. These things have all changed over the years.
Host: How do you manage the new technology? Do you evaluate it in isolation or against the environment as a whole? I mean, yours is a very complex environment.
AL: That’s an excellent question, and I will be the first to tell you that for myself and for the colleagues I know who are information security folks, this has caused a lot of angst. Over time, as threats have risen, we have created solutions to identify these threats. The next threat came along, and we created the next solution for that threat. And so we ended up with a lot of siloed solutions for what are now in a sense integrated threats. My ideal state is that we reevaluate what we do with those silos and find ways to integrate them—not to address a new threat, but to simplify how we address existing threats.
Host: What about your personal approach to things everybody else complains about? You’re putting out fires constantly, not really thinking of the big picture. How do you manage that?
AL: My experience has been that you put out some fires and they teach you the lessons that you need to come up with the next tactical response, which then leads you to the lessons that you need for the next strategic response. Fighting fires in a vacuum without having a Monday morning meeting to figure out the root cause of what happened and whether you approached the situation properly—maybe that’s the wrong way to fight the fire. But to fight the fire and then to learn from the experience, extrapolating it to a tactic, to a strategy—I think it’s all directly related. You can make the opposite mistake, doing strategy in a vacuum, creating this wonderful nirvana of technology and security that does not enable you to put out the next fire.
Host: Or isn’t relevant to fires?
AL: Not relevant to relevancy. I think they have to be connected. You have to see everything that you do every day as a building block to everything you need to do over time. In information security, you can’t succeed or prosper unless you’re constantly learning.
Host: So learn to love your pager?
AL: Well, learn to love to turn it off.
This interview is adapted from TechNet Radio. For the complete audio of the interview, visit Microsoft TechNet Radio.