[Editor's Note: SIW's "At the Frontline" shares Security Technology & Design's "Back Page" interview. This month's issue features an interview with Erik Goldoff, the IT systems and security manager for food retail specialty franchised store Honeybaked Ham. The interview appeared in the February 2006 issue of ST&D on page 60.]
Name: Erik Goldoff
Title: IT Systems & Security Manager
Company: Honeybaked Ham
HQ: Norcross, GA
Years at Company: 7
Previous Position: 8 years as Computer Specialist with Centers for Disease Control
ST&D: What keeps you up at night?
What keeps me up at night is what I don't know. We've taken a lot of security measures; we are an ethical company and we do always try to do the right thing. There's a lot of stuff that's done in terms of bastion. We're not what they call a bagel network (hard on the outside and soft on the inside), but there are still issues on the inside to make sure things are done properly. So beyond the technology there's still the user education. We keep trying to push that security is not an event, it's a process. And it's tough to keep security in everybody's mind because in a lot of cases security is seen as an impediment to performance. They want to know, "Why can't I keep my password on a Post-It note on the monitor?"
ST&D: So what do you do to educate users about security requirements?
We've got some training that goes with HR in new hire packets. We have an intranet available for employees only (it's not a publicly accessible site) that has a lot of educational material, a lot of what we call tips and tricks. There's a lot of stuff I've learned to bring down to layman's terms out of technology speak, because most people kind of glaze over (when you try to explain things in technology terms). So as an example, way back in 2001 we were trying to tell people how much data we were backing up in gigabytes. And to a lot of people gigabytes is just a word. So we told them that if you copy all the data to floppy diskettes and make a stack out of them, that stack is taller than the Westin Peachtree Plaza Hotel.
Also, we try to explain to people not what to do but why. If you go into a store and you see a video camera directly over your head, you may think you're being spied on, up until the day somebody comes to the store that wants to rob you. Now that impediment has just become a safety protection. I think education is an ongoing process, because even for the IT side, the threat vector always changes. Anti-virus isn't as much an issue now as spyware is. Who knows; in another year it may be everyone's little smart telephones.
ST&D: Your intranet tips and tricks page: is it regularly visited?
It's regularly visited by a specific group, and there are some things that we do to play a little psychology. For instance, we put up a general-purpose terminal server. We didn't announce it with instructions about how to use it. It has great benefit, but for this one, we leaked it to a couple of people on the inside and said, "You know what? We're not going to give you a VPN connection because of security. But why don't you try this thing instead?" And somebody comes into the office the next day and tells the person next to them, "You know what? I used this terminal server and it was great!" And all of a sudden we've got a lot of people wanting to know how to get on the terminal server, and we put the instructions on the tips and tricks page. We don't make them use it; we kind of put the availability out there.
ST&D: You're responsible for protecting your company's and employees' information and the information of your customers online, correct?
If it's data, it falls under our role, regardless of the source. That's one of the things that complicates the issue. Because it comes in from each retail location there are a number of different sources there, as well as franchises, as well as the Web and call center. So instead of having data from one spot that's easy to guard, there are a large number of locations with a variety of topological connections.