
Electric Gadgets, Space Junk and Cyber Security: Purging Obsolete IT Controls

As we in IT security scramble to put more and better controls in place to combat a changing array of cyber threats, we as an industry are facing an interesting dilemma: How do we assess the usefulness and value of all the controls we have deployed over the years and continue to have in place?

After all, as I talk to people across the cyber security industry, I almost never encounter anyone who can tell me a story about having turned off a security control once they turned it on. Yet, with the changing threat landscape, we clearly need to be adding new security technologies and processes to our already substantial arsenal.

Changing Security Behaviors: How Marketing Savvy Can Break Patterns

Data-hacking hound dogs beware. EMC recently got a little help from Elvis in battling cyber criminals.

The “King” was at the center of an integrated marketing campaign our Global Security Operations ran this spring to encourage IT users to avoid clicking on suspicious email links that could lead to phishing attacks on our company’s data.

The several-week advertising effort featured a videotaped parody of the Elvis Presley song “Suspicious Minds,” in which ITers acted out why users shouldn’t click on “Suspicious Links.” It also featured a security awareness contest.

The campaign resulted in more than double the number of users reporting phishing attempts via suspicious emails. It also substantially increased the number of users going to our security awareness site, which we call FirstLine in recognition of the fact that the actions of IT users are the first line of defense against cyber-attacks.


Striving To Be Less Necessary: Developing Future Security Leaders Is Crucial

I would no doubt turn a few heads if I said, “I’m trying really hard to get to the point where I make no decisions and do no work.” But the fact is, if I ever got to that point as Senior Director for EMC’s Global Security Office, I would be an extremely effective leader by developing my team to lead without me.

I don’t expect to get to that state of leadership obsolescence any time soon. However, I know that a crucial part of being a leader in today’s new Information Security paradigm is working to develop future leaders in our organizations. And one of the hardest things about leading is developing leadership skills in others because as you do, you frankly become less necessary.

Those are some of the points I explored in a workshop about Developing Cross Functional Leadership Skills at the 2014 RSA Conference in San Francisco.

While I am sure that many of the conference attendees will be there to learn new technical skills to be better leaders, these skills are only one of many ways leaders gain power and influence in their organizations.


Security Rules To Live By: Using Your Best IT Judgment

In the world of cyber security, we have reached the point where we feel the need to codify security behavior by telling people what to do and what not to do. But sometimes I wonder if security policy should rely on a much simpler approach—the notion that people already have a sense of right and wrong and should be encouraged to use their best judgment.

Certainly, security policies are complex. There are many of them and they are scattered around all over the place. But so is the law. And when was the last time you had to pick up a law book to know what’s right or wrong? In most societies, the law stems from basic commandments. Most of us have those principles drilled into us from when we are young. So we might not know specific laws, but we have a sense of right and wrong.

When I grew up in Glasgow, Scotland, my mother would use a phrase that would drive me insane. When she’d tell me I couldn’t do something I wanted to do and I’d ask why, she would say “that’s not the done thing.” I’d always wonder what this “done thing” was. The done thing was, of course, what was normal for society to do.

It seems like we sometimes forget that people have a sense of right and wrong when it comes to behavior in the workplace. One well-known exception is retail giant Nordstrom which, up until several years ago, used a 3 by 5-inch card as its “employee handbook.” It listed “Rule #1: Use your best judgment in all situations. There will be no other rules.” There was another paragraph inviting employees to ask their managers questions at any time. (Nordstrom still urges employees to use their best judgment but does now hand out a more detailed handbook with rules and legal requirements.)


Happy Cyber Security Awareness Month: Getting Free-Thinkers To Pay Attention

If you’re like me, you think about cyber security all day, every day. You may even dream about it. It’s why I’m an IT security professional (and probably not the most interesting guy you’ll ever meet).

But since most people have other things on their minds most of the time, it takes a special effort to get them to focus on the importance of IT security. That’s where National Cyber Security Awareness Month—which occurs every October—comes in.

While setting aside a month to promote cyber security may not seem like the most hard-hitting tool to tighten security for your organization, it actually is a great opportunity to do just that. That’s because, more than ever, cyber security is all about people’s behavior, and raising awareness is one of the best ways to have an impact on that.

What we have come to realize in IT security is that policy, compliance and governance alone won’t achieve cyber security for your organization unless people take those policies and rules and use them to make the right security decisions. The reality is that whether it’s people in their homes or in the workplace, we depend on individual behaviors to safeguard IT security—or anything else for that matter. If you don’t lock your door, people can walk straight into your house. If you leave your car unlocked, there’s a greater chance it—or something in it—will get stolen.


2013 RSA Conference Shows Risk Management A Growing Priority

The 2013 RSA Conference provides a terrific venue for industry leaders to share and communicate, but there was one topic where I couldn’t help but notice a dramatic rise in interest: Risk Management. Over the past three RSA Conferences, I have seen our Risk Management seminar increase from a peer-to-peer session of 25 people two years ago to more than 800 people at this year’s session — and with good reason.

The idea of risk management resonates deeply within the industry, including the need and practice of risk management and the desire to bond security, data analytics and the business. A well-rounded discussion was generated from the audience that focused on a number of pivotal ideas of risk management: What does risk management mean to an organization? How does an organization measure success? How can an organization work more collaboratively to push back against threats?

Risk Management and the Business

As we in security continue to study and execute the science behind risk management, we understand more and more that it cannot be managed in a bubble. Risk management, to be truly effective, must move into the business. Ultimately, the security organization cannot accept the notion of an impenetrable or perfect system as a matter of doing business. By evangelizing risk management into the business, we create a new sense of priorities and responsibilities in which non-security and non-IT business users assume risk management as their own.

When this occurs, perspective is gained on how other units respond to risk, even down to financial management and financial risk. In that regard, risk management no longer lives in a vacuum and advocates begin to pop up throughout the organization. These advocates will expand the network of risk management and operate in a way that bolsters an organization’s security posture. That was an important message from this year’s RSA Conference.


Communicating Risk Management in the Face of Constant Threats

In the face of an ever-changing security landscape that presents constantly unique threats, an enterprise’s defense must be robust and complete with multiple layers of prevention and defense strategies.

While enterprises may arm themselves with the most technical controls possible, a critical element to a proactive defense is communication. When we speak about communication, we refer to a strategy that goes far beyond messages to your employees about the latest security guidelines being handed down. The key to communication is removing the perception that the security organization is an obstacle to doing business.

At EMC, we have moved to empower people by breaking down barriers of communication between IT and the business. Through this approach, we have found success broadening the responsibility of risk management and changing the core behaviors of individuals, which results in a stronger security posture and overall defense.


Changing Our Information Security Culture: EMC’s New Collaborative Approach to Reducing Risk

What do corporate IT security and healthcare have in common these days? Both are undergoing a cultural shift in which customers are being asked to take responsibility for their own well-being.

Just like getting individuals to focus on proper diet, exercise and screening efforts can help prevent health problems and keep everyone’s medical costs down, so can getting IT users to embrace proper security practices help prevent costly security complications for employees and the company they work for.

At EMC, this realization is driving a major transition in our approach to security. We are evolving from a centralized global security team that dictates regulations to the business units that consume IT, without their input, to a dispersed security force that works with the business to understand their needs and create policies and standards that the business can live with.

Last year, our Global Security Office (GSO) began a multi-year effort to transform its security approach.
