The Publication for Professional
Security Management

Potentially dangerous chatter should be on security department’s radar

Written by Jennifer Brown, June 28, 2006
The things that threaten an organization’s security may not be the ones most security managers think about on a day-to-day basis. And in many cases, it may be an employee that is bringing the threat to your door.

“Some things really never change but the thing we need to focus on all the time is the human element involved both externally and internally,” said Patrick Gray, senior security strategist with Cisco Systems, speaking at the InfoSecurity Show at the Metro Toronto Convention Centre June 20.


Gray, who worked for the Federal Bureau of Investigation for 20 years, was involved in the pursuit of Mafia Boy, the Canadian hacker who crippled major Internet sites in 2000. He now works for Cisco, speaking to senior-level decision makers at the executive level who may not yet understand the importance of network security in an organization.

“It’s about getting buy-in from corporate on mahogany row,” he said. “I’m not a sales guy, I’m not a threat to them – I talk to them about vulnerabilities, what we’re seeing, best practices — that sort of thing. They understand that kind of stuff as long as it’s explained to them in a fashion they can understand at their level. We try not to talk about ROI — that stuff is passé, they need to know what’s happening today.”

And Gray’s experience in law enforcement means he can talk about security from both the physical and IT perspective, something Cisco has recognized as an important element in talking to their customer base.

In March, Cisco announced it had acquired Sypixx Networks, which offers network-centric video surveillance software and hardware that enable existing analog video surveillance systems to operate as part of an open IP network. The acquisition means Cisco can deliver video surveillance as part of a converged environment.


“We just created a physical security group headquartered in San Jose where we’re starting to tie in all the biometrics and physical smart cards and watching what’s happening on the network, not only from an IT perspective, but from that physical perspective as well which I think is great because I do see a convergence between IT and physical security. From walking in the front gate, signing into the building, flashing your card, logging into your computer – you need to know everything that’s going on in the network and not because we’re spying on people. It’s because at the end of the day we know how to go back and find the root cause of a problem,” he said.

Gray said executives and their security departments need to understand that threats change every day and must be monitored. “We need to focus on the threats that come to us and understand something bad is going to happen to your network — that’s a given. We need to prepare for that eventuality. They want to crack your network — that’s the Holy Grail.”

With half the malware in circulation designed to steal data, not damage computers, Gray said malware authors have shifted their focus from a few years ago when the intent was simply to bring down a system. Now the threat is even greater to an organization because proprietary information can be stolen, often with no one knowing until it’s too late.

“Most individuals that download malware onto their networks aren’t going to know that it’s there until the bad guys decide to fire it up and use it,” he said.

Malware is software designed to infiltrate and damage a computer system.
Many communication tools used today, such as Instant Messaging (IM), can be magnets for malware. Gray says there are about 400 million people using IM every day in the world, sending between five billion and six billion messages in one day.

“How many of those contain downloadable malware?”

Gray said he doesn’t see a good business case for using outbound IM because it can serve as a vehicle for the transmission of malware.

“I don’t mind internal instant messaging,” he said. “At Cisco we use internal IM only and we block all out-bound IM. It’s a great tool for talking and collaborating internally but it’s not good stuff going out-bound because you don’t know what’s going out-bound with it or what’s coming in-bound with it because it’s not malicious until it executes.”

Gray emphasized the importance of explaining to employees why policies are created around things such as IM usage and not writing about the company on a personal blog.

“If you don’t have a blogging policy, please get one. Employees are releasing proprietary data on them and we are seeing employees fired every day because of it,” he said.

“A lot of (policies) can be draconian, but this goes back to the issue that this is not their computer – they can do whatever they want at home but this is a business tool. As soon as we learn that we will be much better off,” he said. “Many websites you can download malware without any active intervention on your part. We have to understand why acceptable use policies.”

Gray recommends companies have a blog policy with strong wording cautioning employees about writing about the company they work for. He also recommends someone in the company be responsible for monitoring whether anyone in the company is keeping a blog that might be used as a vehicle to slam a boss or the organization as a whole.

“All you have to do is Google your company name followed by ‘blog’ and you’ll be amazed. I was at a bank recently and I Googled the bank’s name and blog and the first blog that came up was titled ‘this bank sucks’ – now that may be a disgruntled customer or it could be an employee so you need to check up on what people are saying,” he said.
Last modified on June 29, 2006
