Northrop Grumman’s Timothy McKnight on Security and Identity Management

Timothy McKnight likes to say that he’s doing his job if he’s getting dumber–in other words, if he’s trusting his staff members to advise him and make tactical decisions, so that he can focus on the company’s overall security strategy.

Of course, as the CISO and VP of the defense contractor Northrop Grumman, McKnight actually needs to be pretty smart. A former special agent for infrastructure protection, corporate espionage and foreign counterintelligence at the FBI, McKnight’s number-one concern now is helping protect his company–and therefore the U.S. government, Northrop’s biggest customer–against governments that are looking to steal intellectual property and gain a competitive advantage over the United States. To do this, McKnight has set up a special intelligence group, focused on identity management and PKI, and worked to develop a business-focused staff.

McKnight recently spoke with CSO’s Katherine Walsh about the challenges of leading security at one of the largest U.S. military defense contractors and providers of IT for the federal government.

CSO: Protecting the information assets of Northrop Grumman is obviously critical, given its position in the world. Do you treat the R&D data you need to protect and the personally identifying information (PII) of your employees the same way?McKnight: Not in all cases. There is a baseline amount of security across the entire enterprise. We have very significant layers of defenses within our network both internally and externally. There are certain businesses within Northrop Grumman that want their crown jewels for R&D completely walled off with thin clients or other security measures.  Some environments within the company deal with PII more than others. It depends on the circumstance.

CSO: Can you tell me about the formation of the Cyber Threat Analysis Intelligence Group and its role at Northrop Grumman?

McKnight: That team’s focus is on the nation-state threat, which the DoD is now terming the “advanced persistent threat.” These are well resourced, highly targeted attacks at corporations and governments [by groups] that are looking primarily to steal intellectual property and gain competitive advantage. The Cyber Threat Analysis Intelligence Group is made up of techies and people with government analyst backgrounds. Their job is to focus on the technologies that are considered the crown jewels of Northrop Grumman. They look at the technologies we provide for the government, who the biggest threat to those technologies is, who needs them the most, how they [may be] targeting that information and what can we do to protect against it. That group is deploying customized solutions to handle all of that.CSO: What is the importance of training and employee awareness relative to all the other security initiatives you have to focus on? McKnight: It’s interesting because I don’t struggle with that, but it’s something I think about a lot. We’re trying to do more targeted training for different types of users, so that system administrators get special training, people who handle PII get special training, and our executives and their admins do as well. We’re trying to raise the employee awareness level because we realize the potential for them to be exploited by social engineering or spear phishing, to name a couple scenarios. We’re starting to recognize that some of the security solutions are not addressing some very simple ways to get into networks.CSO: What do you perceive your risk of insider threat to be? McKnight: It really depends on your definition of that, but we know it’s important. It’s a significant threat to the government and our company. The nation is bleeding intellectual property; the U.S. dollar is suffering. The Cyber Threat team is positioned to help us focus on the insider threat. CSO: What are some of your initiatives in the identity management space? McKnight: That’s our biggest program, and it has been for a couple years. Right now our focus is on smart card one-time password roll outs. We’re rolling out a PKI solution specialized for Northrop Grumman. We’ve also built an external PKI company called Certipath with a few other companies: It’s the world’s first federated PKI for the industry. We’ve found that the smart cards or PKI ID management solutions have provided significant protection against well-resourced attacks like the advanced persistent threat. We’ve deployed that to all our internal users who maintain critical systems, and all our application folks (about 2,000 users in all). Over the next couple of years we will roll it out to the entire company as a one match system, where it will provide both physical and logical access to the network.  CSO: What is the future of your role at Northrop Grumman, or the CISO role in general? McKnight: Ten years ago law enforcement and government types were moving into the role of the security officer, but most of the hires I’ve made in the past 5 years have been people with MBAs or backgrounds in auditing and finance. The role is definitely changing, and the people entering into the field are very different than they were a decade ago. At Northrop Grumman, the role is becoming more focused on risk management. CSO: What’s the advantage to having a business background rather than a technical one?McKnight: There are advantages to both. If someone has knowledge of the technical and the business, that’s fantastic. But there are challenges too. I recently promoted one of our lead technical people into a sector information security officer role. The first thing I told him to do was to step away from the keyboard. It’s really no different from any management role, where you have to learn to transition away from involvement with everything (in this case the very technical things) to letting your people make some of the decisions. It’s a big challenge. I always tell my people that I’m doing my job if I am getting dumber: I mean that in the sense that I’m allowing my people to advise me, and I’m doing the things that I feel are important for the company–such as talking to our CFO or CEO about risk, working on a budget, designing the capital plan for infosec and recruiting new talent. It’s a balance.CSO: Is there one security threat in particular that keeps you up at night?McKnight: It’s absolutely country-sponsored attacks. For us as a company and what we do in the national security space, it’s that advanced persistent threat. We see signs that a digital Pearl Harbor-like scenario is more realistic today than it was five years ago, due to the inner connectivity of all these networks and the global nature of IT. It’s such a low-entry cost for any country or terrorist group. It’s asymmetric; you can do it from anywhere. We need to invest more in protecting against this.