Written by Lanhe
Yao Jiang has an old friend, Chen Haoming, formerly the information security director of HNA Group.
Whenever Yao Jiang talks about him, it is with regret.
Eighteen years of professional experience in information security is really impressive, so how did he end up with the word "failure"? In the first half of his career, the companies he worked for went public just after he walked out the door (for example, Qiming and Taiyue). In the second half, the world's top 500 companies where he hoped to find stability were also transformed as if by magic, forcing him to face a new choice.
He outlasted eight leaders in HP's toughest department, but was forced to leave when HP's business in China was merged into Ziguang.
To escape the gunsmoke of Party B, he retreated to Party A's castle to store grain and build defenses, only for HNA Group to make major strategic adjustments, refocusing on its main business and slimming down.
Looking back on his career, it seems that in every period he entered a frontier, cut through the thorns, opened up the situation, built the business up, and left just as it reached its prime. To put it kindly, the pioneering spirit is commendable; but he looks more like the forebear who plants the trees.
In his own words, "maybe that's life."
But in the interview, we saw not only his ups and downs, but also the love and perseverance of information security veterans for this cause.
Led "astray" by a set of books
In the summer of 2000, like every newcomer who came to Beijing to build a career, he was confused and lost in the crowd. In the vigorous and complicated IT market, he struggled to find his own way into a career, and wandered into a bookstore by chance.
When he saw the information security series published by Qiming Xingchen, he felt as if electrified. Maybe this was his direction, and he was ecstatic. For the next year, these books did not leave his desk.
Sometimes wishes really do come true. After the Spring Festival the following year, at the New Year talent fair at the Beijing International Exhibition, he handed in a single resume and was hired. The company was Qiming Xingchen, the company he had been thinking about day and night, and so he was in.
Qiming Xingchen had just set up its pre-sales department, which focused on IDS, vulnerability scanning and anti-virus, and Chen Haoming carried 2U IDS equipment in his hands through the country's major railway stations and airports. Passing passengers often stopped him: "Young man, how do you pronounce that character, the one with 'real' inside a 'door'?" (It takes a lot of courage to use an obscure character as a product name, but once the company and its products became known, it was in fact also a promotion of Chinese culture.)
He sold security products diligently for nearly four years and won important customers in government, finance and central enterprises. At the same time, he helped Qiming open up the market in Shenzhen.
When he was about to sign a new labor contract in 2004, Chen Haoming could see the stock options in front of him, but he still felt that he should go out and look for new challenges. At that time, Shenzhou Taiyue was building a security team to develop its business in information security, so he chose to leave.
"Kicked in the head by a donkey"
At Taiyue, Chen Haoming was mainly responsible for pre-sales and consulting, with the company positioned as an integrated information security service provider. At that time, Qiming was well known in the industry, while Taiyue was not known for security and had no security products of its own, so it had to put more care into communicating with customers and keep improving. Solutions for customers, usually hundreds of pages long, were typed word by word rather than produced with the "Ctrl + C", "Ctrl + V" the industry jokes about. There was no way around it, because the boss required that the technical score must be first.
In this way, under the company's pursuit of perfection and the pressure that came with it, the security team grew rapidly and soon became one of the company's important supporting businesses.
In one year, he recalls, the win rate of Taiyue's security projects was 100%. Seeing the boss's demand for profits, Chen Haoming took the initiative to push the company toward information security products of its own; SOC and 4A products were launched one after another and gradually entered the market. Unable to stay idle, he then became interested in ISO27001, led the team across the river by feeling for the stones, and finally completed the first ISO27001 consulting project in the domestic energy industry. (In those days, the profit on security consulting was still very high.)
In his four years at Taiyue, Chen Haoming witnessed Taiyue's security business grow from scratch and transform from an integrator into a professional security product and service provider, with everything developing in a good direction. Yet his heart seemed to have been emptied.
The next year, Taiyue went public, but unfortunately he had not waited for the day of blossom and fruit. He remembers that on the day he left, his boss said, "From an economic point of view, your decision means your brain has been kicked by a donkey."
After two years of hard-spent youth, Chen hoped to move to a bigger platform to really understand the whole picture of IT, and the IT giants became the direction of his efforts.
The legend of eight leaders
In 2007, Chen Haoming joined HP as he had wished. HP was the largest IT company in the world, but he found that, compared with its other IT businesses, it had no dedicated information security department in China. Before the probation period was over, he was the only one there in China who knew about security. God!!! Was this starting from scratch all over again?
To survive, there was no time to think it over. He turned the question into a statement and immediately started visiting customers, finding projects and closing orders. This time the pioneering went even further: he fought alone!
At first, HP had no security products, so he had to do consulting projects. It also happened to be the hottest period for security consulting; he gradually won several consulting projects and, with enough project momentum, made a performance commitment directly to the leadership and set up the information security department. (At HP, if there are projects, there will be people; if there are people, there will be results; if there are results, a business department can be established.) Under HP's enterprise management model, he began to understand the ways of business and grew from a security technology expert into a technology-based business manager.
After two years, with the information security team, Chen Haoming has helped the securities industry, insurance industry, automobile enterprises, as well as a number of manufacturing, energy enterprises and operators to complete the national standard security management system.
With the gradual introduction of customers and good project reputation, Chen Haoming began to develop targeted security solutions and integration solutions according to the different needs of customers' business.
Based on his understanding of customers' needs, he has his own logic for judging future trends in security. He described HP's information security team in the beginning as being like a traditional Chinese medicine doctor: diagnose, prescribe, collect a consulting fee, and care about nothing beyond that. Later it gradually matured into a comprehensive general hospital that could offer an overall solution whatever problem it encountered.
On this basis, Chen Haoming led a team of fewer than ten people, and the revenue of each year that followed was no less than 5 million dollars. The team was responsible for finding customers, pre-sales, implementation, acceptance, customer service and response. Although the work was not easy, he found his own contentment in it and, despite the continual change of leaders, was still happy there.
Just when Chen Haoming felt that he could retire from HP and have a promising future, HP sold its business in China to Ziguang and established a new joint venture company, Ziguang Huasan, known as Xinhua San.
It's too difficult for different corporate cultures to integrate with each other. The old HP people, including Chen Haoming, have no hope for this. HP's way has gone deep into their blood. They really don't want to experience its collapse and demise.
After eight years of working at HP and eight leaders, Chen Haoming left. Life is like a roller coaster, with too many ups and downs.
From Party B to Party A
In 2016, HNA prepared to build the security department, and the leaders found Chen Haoming, hoping that he could make arrangements for this matter.
Chen Haoming thought:
"Well, it is a pioneer's life again."
In fact, there is a relationship between Chen Haoming and HNA. Previously, his team has helped HNA with information security consulting and planning projects.
However, in the past four years, the business form of HNA has undergone tremendous changes - from the past main business of aviation to a large enterprise integrating multiple business forms, including aviation, logistics, hotel and finance.
This poses a huge problem for security management: different business types have different security requirements. Aviation and finance, for example, are strongly supervised and have high compliance requirements, while enterprises in traditional industries generally have a lower security level and lower requirements.
Under such a system with different levels, it is really challenging to have a comprehensive security management.
Just when Chen Haoming had, with some difficulty, overcome the pressure and was full of ambition to do something big, he found that in the past ten years of security work he had never really thought about problems from the perspective of Party A. Only when he actually carried out security work as Party A did he realize that the security awareness of Party A and Party B is totally different. Party A always thinks about the business staying free of incidents, exemption from liability, the controllability of security events and the demonstration of business value. Party A does not have the time to wait for you to consult, plan, implement and rectify step by step.
And Party A's security risk is always changing dynamically. The change may come from regulatory requirements, adjustments of business strategy or the concerns of leaders. He even said that security risks he considered serious when he was Party B sometimes may not touch a nerve inside the enterprise at all.
For Party A's security, the view that risk is dynamic must be kept firmly in mind.
After a period of shifting between Party A's and Party B's ways of thinking, Chen Haoming gradually adapted to Party A's working mode, kept exploring, and began to have his own approach and methods, especially suited to large enterprises with multiple business types.
According to Chen Haoming, security is a huge, complex system, which should be simplified for Party A. First of all, IT assets are divided into three categories: data center infrastructure, application and data, and office and terminal. The risks, vulnerabilities and security events of these three types of assets are managed separately, forming a clear three-horizontal, three-vertical management matrix. All daily security management activities are based on this model.
These three types of assets can also be understood as positions on a court: the front court (application and data), the middle court (data center infrastructure) and the back court (office and terminal). The security strategy of the enterprise should be flexible in the front court, strong in the middle court and stable in the back court.
He summed up ten experiences to share with you:
1. For the daily security operation and maintenance management of the enterprise, great efforts must be made to monitor and respond, and remember:
Monitoring and response are greater than defense;
2. The person in charge of enterprise security must pay attention to all kinds of security logs and records, and build a strong event traceability ability;
3. The establishment and improvement of information security management process and mechanism is far more important than product deployment;
4. If an enterprise wants to truly implement its internal information security compliance and audit, it should be managed by an independent internal department;
5. Information security is the responsibility of the enterprise owner. As the person in charge of security, we should not only promote the awareness of security responsibility to every corner of the enterprise, but also let everyone at every level of the enterprise bear their own responsibilities;
6. The information security management department of large-scale enterprises, which is not only the supervision department but also the service department, should also spend a lot of energy to build the information security service platform, and provide professional and standardized security services for all units with the centralized cloud platform;
7. The information security management work should be able to achieve quantitative assessment, which should not only set the assessment for oneself, but also for others;
8. Large enterprises must establish their own information security penetration testing mechanism, either by building their own penetration testing team or by handing it to an SRC and white hats, and regularly conduct red-blue confrontation exercises;
9. The enterprise should not be afraid of security incidents, but should improve through them: improve the security defense system in responding to incidents, improve the information security management system in handling incidents, and keep improving. The occurrence of security incidents is not terrible; what is terrible is failing to use incidents for rectification;
10. For large-scale enterprises with multiple business types, we should consider to focus on the big, let go of the small, and divide and govern them.
Important in words, secondary in deeds, dropped when busy
Does Party A pay no attention to security? The answer is that it certainly does. But Chen often found that many people like to talk about "security", yet much of the time they fail to turn that so-called emphasis into specific tasks, processes and people.
For more enterprises it is: important in words, secondary in deeds, dropped when busy.
Therefore, the person in charge of security at Party A, in addition to doing a good job of security construction, should also think about how to connect effectively with the organization.
Chen Haoming said that in the past, when he was on the Party B side, he was usually in contact with the CIO, CSO or security administrator of Party A. It was easy to talk about security with this group of people. As long as the accumulated technical ability was fully demonstrated and the price was reasonable, the deal would be done.
But when he really started to do security work inside Party A, he found that with different business departments, different business personnel and different leaders, if there is no event to drive it, there is no way to get others to recognize the security issues and risks he describes. Some people even do not understand why the security team is always looking for trouble.
To be honest, security, which accounts for only one thousandth of the total business in an enterprise and produces no returns, in fact has no standing. Therefore, Chen Haoming could only think of ways to communicate with the leaders so that they could understand the whole security process, pay attention to risks and implement security measures.
He remembers one interesting thing:
When the SRC team was first established, everyone in the security department was full of energy and felt that helping the enterprise find vulnerabilities in its application systems, and so avoid possibly huge losses, carried a special sense of mission and achievement.
Until one day, when Chen Haoming reported to the company's management a vulnerability worth tens of thousands on the external SRC market, he did not get much attention or a rapid response, which made him realize that people had not really grasped the value and risk of system vulnerabilities.
He knows that security that no senior executive attaches importance to is a false proposition! No matter how difficult it is, that must be dealt with first.
So he came up with a way: select several of the company's important application systems, record on video the consequences of this vulnerability being used against the system, and show it to the management, so that the leaders could see for themselves that if the vulnerability were used as shown in the video, the loss would be very heavy.
In this way, the information security vulnerability was reported to the high-level office meeting, and the vulnerability repair became an administrative instruction, which was included in the assessment and entered into the normal operation.
The core of Party A's security is to adapt to corporate culture and administrative management, and integrate information security management into it!
So, if you want to ask Chen Haoming what he has gained in his two years with Party A, I think one is how to do security with Party A, the other is how to adapt to Party A's corporate culture to do security.
The one sure to carry the blame
When asked whether HNA Group's slimming down will affect information security, and whether HNA's security capability will be greatly reduced if the security team is cut or downsized as a result, Chen, after many ups and downs, has become indifferent. It's like "never owned, never regretted." Although it's bitter, it's still necessary to laugh in the sad days.
Fortunately, although HNA as a whole has changed a lot, security work and corporate culture will not be affected too much. In Chen Haoming's words, it is "carry on with whatever needs doing".
As for the internal security capability of HNA, as Chen Haoming said, the security work has not been weakened as a result, so it will not be so exaggerated as said on the Internet.
However, when it comes to security work in the aviation industry, Chen Haoming still laments that data is the biggest headache for any enterprise.
Every enterprise wants to achieve its own development and business growth, but data security and business development pull in opposite directions. Many enterprises cannot get past the first step of data protection.
This step is called "drawing the sensitive data map". If the enterprise is large and the total amount of data is hard to estimate, mapping sensitive data is very difficult. First, the data is scattered in various places. Second, a series of tasks such as data protection, desensitization, transfer based on the sensitive data map, and unstructured data based on big data also involve more complex technical issues.
As the security director of an aviation enterprise, Chen Haoming feels rather lucky, because data use there is relatively conservative. As long as the enterprise's internal access control and desensitization are done well, the information security of users can be effectively protected.
If we want to rank the security capability of Party A enterprises, Chen Haoming thinks that, Internet companies aside, banking and other financial industries do the best, followed by operators, with the aviation and transportation industries behind them. Why? There is an interesting phenomenon here: the security protection capabilities of enterprises are basically driven by events and business.
Information security problems occurred first in banking, and operators began to pay more attention to protecting users' privacy after the 3.15 exposure a few years ago. Now that data is becoming a more and more valuable asset, the hotel and aviation industries, which store a lot of user information, have become prey in the eyes of the black industry.
With the promulgation of the Network Security Law, GDPR and the personal privacy protection law, enterprises are facing more and more regulatory pressure. Major enterprises will continue to strengthen data control and security in both policy and technical means.
In this two-year journey, Chen Haoming not only experienced Party A's security first-hand, but also came to fully understand, from the outside and the inside, how difficult every enterprise security director's job is. Information security still has a long way to go in China.
He gradually became familiar with the difficulties of Party A's security personnel, and learned how to adapt to Party A's security management mode, adjusting his own ways of communicating and handling affairs to break through where a breakthrough was needed.
But the one constant is his fixed identity as the one who carries the blame.
The boundary between Party A and Party B is becoming more and more blurred
During the conversation with Chen Haoming, we talked about a topic that both parties are very interested in: whether the products of those start-ups and innovative security companies can be accepted by enterprises.
As a matter of fact, as enterprises develop to today, almost all enterprises with some fame or relatively large volume are struggling with the same problem - which products should be purchased and which should be researched by themselves.
In fact, the innovative products of many innovative security companies are often overlapped with the things that enterprises are prepared to research. Do these products work for enterprises? Yes, but it seems less obvious. Can you do it yourself? Yes, it's just a matter of hands and time.
Faced with this choice, Party A is likely to choose to use the product, given its time constraints, only when the product itself has certain advanced technology and fits the scenario well. If the fit with the scenario is not good enough, and Party A has to spend more time waiting under the banner of "customization", then in Chen's opinion it is better to do it in-house.
Therefore, if an innovative security company lacks industry specificity and fit with scenarios, it will certainly not win Party A over.
At the same time, the people in Party A's security teams have been itching to act, and are also discussing whether the technology they have accumulated over so many years can be turned into products and capabilities to be delivered externally. You should know that Party A understands the needs better than Party B, and can offer its own application as a practical scenario and a successful case. Anyone would find that persuasive.
In this way, the boundary between Party A and Party B will become more blurred, and the impact on innovative security companies will become more and more serious.
As for Chen Haoming, he began to think more about how to transform the information security department from the cost center of the past into a profit center in the future. Can the information security management function be raised to both management and service: while managing, establish an internal service platform to provide security services for subordinate enterprises, and then achieve operation and profit with a reasonable charging model?
He thinks that even as Party A, it is necessary to have the perspective of Party B and to convey Party A's security capability to the outside world through Party B's thinking. Only the integration of Party A's and Party B's thinking makes up the whole of security. Whether it is security management or the output of security capability, both Party A's and Party B's views need to be taken into account across the whole life cycle before it can be regarded as a relatively objective and complete concept of security.
So how should Party B do security? Chen said the MSSP model may be the future trend.
From the perspective of Party A, if the security of the architecture becomes more and more standardized, then it can indeed be outsourced. This not only saves money;
Party B also has more experience and resources in this field, and its management processes and methods will be better and more professional. As long as the SLA is signed, the final result can be assessed against it. No matter how complicated the problem is, there is no need to worry about it, because Party B will naturally help solve it. Party A should free up time and put more energy into data and applications.
To put it bluntly, whether it is an Internet enterprise or a traditional enterprise, security needs to walk on two legs: underlying security products and mature network-layer products can be purchased, but requirements closely tied to the actual scenario still need to be developed in-house, and the enterprise must have a security research and development team.
Chen Haoming told me that the security management mode of domestic enterprises should be changed, and it is time to change.
Since 2001, Chen Haoming has been in this small circle for 18 years. Over the years, he has played various roles in security and participated in various decisions, but every time he buried the seeds and left after bearing the fruit.
For him, it may be all unrealized savings, but it may just be experience.
Standing at the age of 40, he agrees with Ma Yun's saying that "you should be good at what you are 40 to 50 years old". What he intends to do is keep putting his accumulated experience and understanding of the industry to use in the future.
At the same time, he also wants to use the Anzai platform to send his best wishes to the companies he has served with his heart and sweat: Qiming Xingchen, Shenzhou Taiyue, China Hewlett Packard and HNA Group. May their business boom and develop healthily. He also thanks every boss and leader, as well as the colleagues and comrades in arms who have worked with him, for their support and help.
Tomorrow is very simple: whether for a company or for customers in the industry, as long as he can share his ability, that is enough.
Looking at Chen Haoming, I think of a sentence in Odyssey: "when the sun rises gradually, it leaves the gorgeous sea, rises to the copper sky, shines on the immortal gods and mortals, and hangs on the fertile sky."
The fool who never enjoyed a moment's return, but still tirelessly on this journey, may be the closest to the sun.