Security Strategies

Amoroso Shares His Security Obsession

When Ed Amoroso retired as AT&T's chief security officer last March, he actually became more obsessed with cybersecurity.

In fact, Amoroso spent much of the past six months personally writing a three-volume set of cybersecurity guides aimed at chief information security officers and their teams, laying out what he believes enterprises must do to avoid the next round of attacks -- attacks he believes will be highly destructive hits against critical infrastructure.

Today, Amoroso's new security advisory firm, TAG Cyber LLC, is making those three volumes available for download at no cost. The 48 security firms with whom the former AT&T exec worked, and which are sponsoring his work, are also releasing the report this morning.

In an exclusive interview with Light Reading, Amoroso says making this information available for free is "an operating principle" for him, in light of his concern that enterprises aren't getting security right today and are vulnerable to future attacks that will go beyond theft of data and intellectual property to become more destructive in nature.

"Any rational, competent observer of cybersecurity would say we are past the point where we have to do something meaningful and significant immediately," Amoroso tells Light Reading. "And that is why I have been working 18-hour days to get this out. I feel like I have something to say and this is the best framework to say it."

He also is conducting an online course -- starting this week with 200 pilot students -- in which he'll go into greater depth on what enterprises need to be doing. Amoroso is hardly new to the teaching aspect of this, having been an Adjunct Professor of Computer Science at the Stevens Institute of Technology, an affiliated instructor at NYU and a senior advisor at Johns Hopkins University, all during his tenure at AT&T.

Explode, offload, reload
At the heart of Amoroso's approach is a three-step strategy he dubs "explode, offload and reload."

"I have been thinking about a methodology that I think is the right one for teams to follow and it underpins all three of the volumes," he says. "First, it means breaking up your infrastructure and distributing it; second, virtualizing the pieces of the infrastructure; and third, upgrading the security around those pieces."

That last piece can be accomplished working with any number of high-quality security vendors on the 50 separate cybersecurity controls that need to be addressed, Amoroso says. These controls include traditional tools such as firewalls and anti-malware tools but also newer things including security analytics, network monitoring and deception.

cnwedit 9/15/2016 | 10:20:55 AM
Cast of Characters
One of the advantages of having been head of security at AT&T for so long is that Amoroso knows everybody in the industry and the instructors for his series of classes are a who's who of experts from dozens of companies. Sometimes, who you know is as important as what you know.
Joe Stanganelli 9/14/2016 | 1:21:24 PM
Re: State of Security Affairs
@Carol: Apt observation. I think being heavily involved (and competent!) in InfoSec for a living naturally makes one either one of two things: Perpetually nervous or perpetually calm.

And both personalities have their place, I think.
Joe Stanganelli 9/14/2016 | 1:17:42 PM
"Retired"
"Retired," indeed.

Clearly, his passion is showing through here.  And it's great publicity for his new/modified career path.

The 3-volume guide looks dense and in-depth at first glance.  Looking forward to delving in more carefully.
EUSPML 9/13/2016 | 5:17:15 PM
It's a healthy obsession
In the midst of the industry chaos driven by network transformation, extended global supply chains, vendor and operator consolidation tinged by the ever opportunistic "bad actors" hovering in the periphery, there needs to be a calm and clinical approach to providing a baseline ("you are here") Cyber Security entry point and risk management pathway which is a benefit to vendors, operators, enterprises and service companies which leads to an ecosystem of better informed stakeholders. Ed has done a great job of framing it up!

Cyber Security is a race against a risk that never ends. Run smart.
cnwedit 9/8/2016 | 2:24:35 PM
State of Security Affairs
Amoroso is one of the calmest people I know and yet what he lays out about the state of enterprise cyber security is truly scary. For a while there, we were hearing of a major security breach every time you turned around.

I hear of fewer now but I don't know that it's because fewer are actually happening or if they now happen so often they don't make headlines.