AT&T's Chief Security Information Officer Ed Amoroso recently spoke with Network World senior editors Denise Pappalardo and Ellen Messmer about his job heading up security for one of the largest telecom companies in the world, as well as the topics of patch management, intrusion-prevention systems and worm attacks.

What are your job responsibilities?

In just about every Fortune 1000 company there is somebody, somewhere worried about infrastructure security, hackers, or about laptops that aren't patched properly. That's a job function that typically falls to the chief security information officer [CSIO]. I have a fairly sizable team that works on all of the above. There are four divisions, each with about 100 people and a different set of responsibilities.

What are some key issues your team addresses?

Because our business is networking, the infrastructure we protect is pretty large. We have a lot of IP networking, circuit switching, Layer 2 frame relay, managed services and outsourcing that all comprise the infrastructure that we need to protect. When a router vendor puts out a patch some users might say, 'Well, we don't have to worry about that one.' We rarely have that experience. Every problem, every issue, every patch, they all have to be attended to.

Are you also responsible for development of AT&T's security service offerings?

That's the second piece, cybersecurity, and it's embedded in our world. The concept of providing security services and integrating them and bundling them with our telecom, managed and professional services we offer is pretty obvious. It's a very nice sort of integration because in some sense I wear the cap of not just providing the service, but I'm also of a pretty typical buyer. I can tell in 3 seconds whether something that we're considering or proposing is worth bothering with because I know darn well if it's going to help reduce the burden on my budget or if it's going to help me sleep better at night. Sometimes I watch service announcements come out and I say, 'Gosh, what must they be thinking?'

Can you give us an example?

They are not always product announcements. One idea that we saw was the idea that when a spam comes out, you spam the spammer. That's a notion that has come out of universities for a long time.