In Depth

Safe at Home: CISOs on Security for Home PCs and Networks

CISOs are always pushing computer security policies. We asked three of them to forget the policies and show us how they handle security on their own home computer systems.

By Derek Slater

March 01, 2005

CSO — Once upon a time, home life and work life were completely separate for most employees. Well, that's what they tell us, anyway. Whether that's a true story or a fairy tale, it's clearly not the case today. More and more employees do some or all of their work from home. And they use those same home computers to surf, shop and bank on the Net. And for instant messaging. And to download music files and games and heaven-knows-what-all. And (this is the killer) even when Jack the Accountant knocks off for the evening, often Jack Jr. hops into the desk chair and fires up the browser. So whatever scumware Jack Jr. dredges up off the bottom of the Web may very well get dropped onto the corporate network the next time Dad logs in.

Of course, every sane organization has a corporate policy in place regarding what employees should and should not do with their computers, mandating not just antivirus software but a host of other protections. But anecdotal evidence suggests, ahem, less than 100 percent compliance. A good number of workers fail to implement all those mandated safeguards, in some cases because they lack technical expertise, and in others perhaps because they simply think the threats aren't as threatening as security wonks would like them to believe.

So CSO thought it would be valuable to look at how CISOs handle the computer security needs of their own homes. We asked three infosecurity leaders for a highly detailed list of the security products and practices they actually use, not because policy compels them but because these are the tools and steps they consider necessary to keep their own computers safe. The three responses that follow represent a range, from mildly cavalier to extremely thorough. (Only the guy in the middle of that range, Dan Lohrmann, CISO of the state of Michigan, opted to let us reveal his identity.) CSO readers will find their responses valuable as pass-along material for corporate employees, who can identify the setup similar to their own and note how that CISO approaches home computing security.

1. CISO of a Fortune 500 transportation company
Straightforward Setup, Simple Solutions

Our first CISO, whose company requested anonymity, has a fairly simple home computing setup: two computers, which are not networked to each other. His kids are away at college, so there are no teenagers downloading and IMing on his systems.

These factors create a situation in which the CISO is comfortable using fairly limited security technology. However, he's religious about certain key measures: cautiously configured firewall software, frequently updated antivirus and antispyware programs, and great caution with e-mail.
