The Changing Mobile Worker: Balancing Productivity and Security

Ken Stambaugh — Director, Global Client Computing, EMC IT

As an IT veteran, I have observed and helped drive tremendous change, not just in the technologies we use but how we use them. Among the more dramatic shifts has been the definition of being a mobile worker.

When I was a mainframe programmer in the late 80’s, being “highly mobile” meant I could log in at any mainframe terminal in the office, do my programming, submit my jobs to the queue and do my (internal only) email. Later, I had two desks in two different buildings and mobility became driving between them multiple times each day. Virtual Private Network (VPN) technologies allowed me to be on call and dial in (literally via a phone-line) from home rather than having to get to the office.

The Internet made mobile work more bearable, but it still required a laptop or desktop. By plugging my BlackBerry into my PC as a modem, I could work on the train to my office in Boston.


The CIO and the CISO: Evolving Security Together

In an ongoing video series, EMC Chief Information Officer Vic Bhagat and EMC leaders discuss the changing landscape of IT. From maturing partnerships with the business to redefining IT to be more contemporary, Vic and his guests explore how the industry is evolving to maximize agility and improve response times to business demands.

The latest edition of the Coffee in the Café with Vic Bhagat features EMC Chief Information Security Officer Dave Martin, who offers a look into how EMC is taking a new approach to data protection — leveraging the latest in analytics and other predictive tools – while maintaining a positive, more functional user experience.


Electric Gadgets, Space Junk and Cyber Security: Purging Obsolete IT Controls

By Doug Graham — Senior Director, Global Security Office, EMC IT

As we in IT security scramble to put more and better controls in place to combat a changing array of cyber threats, we as an industry are facing an interesting dilemma: How do we assess the usefulness and value of all the controls we have deployed over the years and continue to have in place?

After all, as I talk to people across the cyber security industry, I almost never encounter anyone who can tell me a story about having turned off a security control once they turned it on.  Yet, with the changing threat landscape, we clearly need to be adding new security technologies and processes to our already substantial arsenal.

Building the Security Team of Today and Tomorrow

By Dave Martin — Vice President and Chief Security Officer

Technologies such as mobile, social networking, analytics and cloud computing are changing the security landscape, and security technologies are rapidly evolving to address that change.

It’s not just the technology that needs to change, however: security teams need to change as well.

EMC has evolved and must continue to evolve our security team to effectively combat the threats of today and tomorrow. The core skills essential to expand include business engagement and awareness; a consultative approach; the ability to sell or “market” security; and creative control design for the mobile and cloud-enabled world of tomorrow.


Changing Security Behaviors: How Marketing Savvy Can Break Patterns

By Doug Graham — Sr. Director, Global Security Organization, EMC IT

Data-hacking hound dogs beware. EMC recently got a little help from Elvis in battling cyber criminals.

The “King” was at the center of an integrated marketing campaign our Global Security Operations ran this spring to encourage IT users to avoid clicking on suspicious email links that could lead to phishing attacks on our company’s data.

The several-week advertising effort featured a videotaped parody of the Elvis Presley song “Suspicious Minds,” in which ITers acted out why users shouldn’t click on “Suspicious Links.” It also featured a security awareness contest.

The campaign resulted in more than double the number of users reporting phishing attempts via suspicious emails. It also substantially increased the number of users going to our security awareness site, which we call FirstLine in recognition of the fact that the actions of IT users are the first line of defense against cyber-attacks.


Balancing Privacy and Productivity

By Vic Bhagat — EMC Chief Information Officer

As if we didn’t have enough examples this year, the “Corporate Boards Race to Shore Up Cybersecurity” article in The Wall Street Journal reinforced one of our greatest challenges as CIOs and CISOs. How can we enable our business to be more agile and successful, while minimizing risks and protecting our company, intellectual property and customers?

Previously, everyone used the same kind of computers on the same corporate network in the same offices. Alas, those days are gone. Today, we aren’t just defending against denial of service attacks – we are vigilantly protecting our companies from more organized, persistent threats to infiltrate our environment and exfiltrate our intellectual property. On the flipside, we must mitigate risks with a more mobile, global and social workforce that expects their IT capabilities at work to mirror the IT experience they have in their personal lives.


How To Increase Confidence in IT? Foster Better Communication with the Business

Today, enterprises are facing more cybersecurity threats and risks than ever before, demanding more resources from both IT organizations and their associated businesses. Yet, the confluence of decision making from the business and the financial, technological and security requirements from IT remains a source of conflict for many organizations. The key to reaching a resolution? Communication, says Dave Martin, EMC’s Chief Security Officer, who offered five tips to getting started in his recent blog for Forbes Magazine.

The 2013 Global IT Trust Curve Survey, published by EMC and RSA, dives deeper into the hurdles facing IT and business leaders.  Also check out a previous blog from Doug Graham, Senior Director, Global Security Office – Risk Management at EMC, who discussed Communicating Risk Management in the Face of Constant Threats.

Securing the Cloud: Work With Users to Build Best Practices

By Steen Christensen — Director of Information Security, EMC Global Security Organization

In today’s rapidly changing IT world, business users in your organization are going to seek the agility and increased capabilities of the cloud whether or not your IT operation sanctions it. So your efforts to provide IT security in the cloud need to start with embracing that fact and working to build secure practices from there.

In EMC’s Global Security Organization, we found that the best way to secure the cloud is to actually become a part of it rather than trying to fight it. As a part of the solution, you can build better, secure offerings that will allow you to protect your data and get a better experience for the user.

For the past nine months, GSO has been identifying shadow IT applications (or business-managed IT) in the cloud using a security monitoring appliance, RSA NetWitness, in conjunction with increased security analytics.  This gives us a comprehensive view of our network traffic, including shadow IT.  And rather than blocking those shadow users from continuing their cloud-based operations, we work with them to provide IT-controlled solutions that will still serve their business needs in a secure way.


Striving To Be Less Necessary: Developing Future Security Leaders Is Crucial

By Doug Graham, Senior Director, Global Security Office – EMC IT

I would no doubt turn a few heads if I said, “I’m trying really hard to get to the point where I make no decisions and do no work.” But the fact is, if I ever got to that point as Senior Director for EMC’s Global Security Office, I would be an extremely effective leader by developing my team to lead without me.

I don’t expect to get to that state of leadership obsolescence any time soon. However, I know that a crucial part of being a leader in today’s new Information Security paradigm is working to develop future leaders in our organizations. And one of the hardest things about leading is developing leadership skills in others because as you do, you frankly become less necessary.

Those are some of the points I explored in a workshop about Developing Cross Functional Leadership Skills at the 2014 RSA Conference in San Francisco.

While I am sure that many of the conference attendees will be there to learn new technical skills to be better leaders, these skills are only one of many ways leaders gain power and influence in their organizations.


2013 Global IT Trust Curve Survey: The Impact On Today’s IT Decision Makers

Today, EMC and RSA announced the results of the first-ever Global IT Trust Curve Survey. Through a survey of 3,200 IT and business decision-makers in 16 different countries and 10 industry sectors, EMC took the pulse of C-suite audiences and their awareness and opinions of EMC Trust IT — Advanced Security, Continuous Availability and Backup & Recovery.


The Era of Protecting By Enabling: Securing Enterprise File Sync

By Dave Martin — Vice President and Chief Security Officer

IT managers today are on the forefront of information delivery services. Users are demanding highly available and secure data transfers that are flexible enough to serve them on the road and multiple devices. The days of traveling physically to a secure location to access a file are fast becoming extinct.

Technology transformation has a major impact on how and where we share information, so it’s natural to expect it to also impact how we provide trust for that information. We stay connected across more devices than ever, in more places. It no longer makes sense to apply old methods of static controls and expensive locks, which mimicked our approach to security of physical locations, in a fast-paced, widespread environment. Traditional methods applied to modern data flows ultimately hinder even authorized processes and build bottlenecks, which prompts users to seek out other service providers.

That is why new and more complete enterprise solutions have been developed to meet the requirements of the end-user as well as IT and Security; they are flexible enough to enhance whatever users have, wherever they are, and make enterprise file sync and sharing (EFSS) easy yet trusted. Better service means more visibility and control while delivering automated and safe EFSS. Users gain the access they demand and IT reduces risk, once the following three key elements are present:


Security Rules To Live By: Using Your Best IT Judgment

By Doug Graham, Senior Director, Global Security Office – EMC IT

In the world of cyber security, we have reached the point where we feel the need to codify security behavior by telling people what to do and what not to do. But sometimes I wonder if security policy should rely on a much simpler approach—the notion that  people already have a sense of right and wrong and should be encouraged to use their best judgment.

Certainly, security policies are complex. There are many of them and they are scattered around all over the place. But so is the law. And when was the last time you had to pick up a law book to know what’s right or wrong? In most societies, the law stems from basic commandments. Most of us have those principles drilled into us from when we are young. So we might not know specific laws, but we have a sense of right and wrong.

When I grew up in Glasgow, Scotland, my mother would use a phrase that would drive me insane. When she’d tell me I couldn’t do something I wanted to do and I’d ask why, she would say “that’s not the done thing.” I’d always wonder what this “done thing” was. The done thing was, of course, what was normal for society to do.

It seems like we sometimes forget that people have a sense of right and wrong when it comes to behavior in the workplace. One well-known exception is retail giant Nordstrom which, up until several years ago, used a 3 by 5-inch card as its “employee handbook.” It listed “Rule #1: Use your best judgment in all situations. There will be no other rules.” There was another paragraph inviting employees to ask their managers questions at any time. (Nordstrom still urges employees to use their best judgment but does now hand out a more detailed handbook with rules and legal requirements.)


Happy Cyber Security Awareness Month: Getting Free-Thinkers To Pay Attention

By Doug Graham – Senior Director, Global Security Office – EMC IT

If you’re like me, you think about cyber security all day, every day. You may even dream about it. It’s why I’m an IT security professional (and probably not the most interesting guy you’ll ever meet).

But since most people have other things on their minds most of the time, it takes a special effort to get them to focus on the importance of IT security. That’s where National Cyber Security Awareness Month—which occurs every October—comes in.

While setting aside a month to promote cyber security may not seem like the most hard-hitting tool to tighten security for your organization, it actually is a great opportunity to do just that. That’s because more than ever cyber security is all about people’s behavior and raising awareness is one of the best ways to have an impact on that.

What we have come to realize in IT security is that policy, compliance and governance alone won’t achieve cyber security for your organization unless people take those policies and rules and use them to make the right security decisions. The reality is that whether it’s people in their homes or in the workplace, we depend on individual behaviors to safeguard IT security—or anything else for that matter. If you don’t lock your door, people can walk straight into your house. If you leave your car unlocked, there’s a greater chance it —or something in it— will get stolen.


2013 RSA Conference Shows Risk Management A Growing Priority

By Doug Graham, Senior Director, Global Security Office – Risk Management

The 2013 RSA Conference provides a terrific venue for industry leaders to share and communicate, but I couldn’t help but notice a dramatic rise in interest in one topic: Risk Management. Over the past three RSA Conferences, I have seen our Risk Management seminar increase from a peer-to-peer session of 25 people two years ago to more than 800 people at this year’s session — and with good reason.

The idea of risk management resonates deeply within the industry, including the need and practice of risk management and the desire to bond security, data analytics and the business. A well-rounded discussion was generated from the audience that focused on a number of pivotal ideas of risk management: What does risk management mean to an organization? How does an organization measure success? How can an organization work more collaboratively to push back against threats?

Risk Management and the Business

As we in security continue to study and execute the science behind risk management, we understand more and more that it cannot be managed in a bubble. Risk management, to be truly effective, must move into the business. Ultimately, the security organization cannot accept the notion of an impenetrable or perfect system as a matter of doing business. By evangelizing risk management into the business, we create a new sense of priorities and responsibilities in which non-security and non-IT business users assume risk management as their own.

When this occurs, perspective is gained on how other units respond to risk, even down to financial management and financial risk. In that regard, risk management no longer lives in a vacuum and advocates begin to pop up throughout the organization. These advocates will expand the network of risk management and operate in a way that bolsters an organization’s security posture. That was an important message from this year’s RSA Conference.


Communicating Risk Management in the Face of Constant Threats

By Doug Graham, Senior Director, Global Security Office – Risk Management

In the face of an ever-changing security landscape that presents constantly unique threats, an enterprise’s defense must be robust and complete with multiple layers of prevention and defense strategies.

While enterprises may arm themselves with the most technical controls possible, a critical element to a proactive defense is communication. When we speak about communication, we refer to a strategy that goes far beyond messages to your employees about the latest security guidelines being handed down. The key to communication is removing the perception that the security organization is an obstacle to doing business.

At EMC, we have moved to empower people by breaking down barriers of communication between IT and the business. Through this approach, we have found success broadening the responsibility of risk management and changing the core behaviors of individuals that results in a stronger security posture and overall defense.


EMC Security Chief Highlights New Strategies to Meet Big Impact IT Trends for 2013

New, advanced technologies continue to provide a faster, more agile environment. But those technologies – cloud computing, mobile platforms, Big Data and social media – can widen the exposure companies face to potential security threats.

To help companies remain proactive in their security measures, the latest Security for Business Innovation Council (SBIC) report titled, “Information Security Shake-Up: Disruptive Innovations to Test Security’s Mettle in 2013,” offers a forward-looking analysis of the new enterprise threats in 2013, and recommendations for how security teams can limit risk.

The report also examines four strategic steps enterprises can leverage to strengthen their security programs, including: How to boost risk and business skills, court middle management, tackle IT supply chain issues and build tech-savvy action plans.

You can learn more about the SBIC Trends Report 2013 by viewing the following video featuring EMC Vice President and Chief Security Officer Dave Martin. We have also discussed related topics in previous blogs on this site, which combined with Dave’s video and the new report, will offer a full picture of security innovations we’ve explored at EMC.  

Keeping the Bad Guys on the Run: Working Together to Neutralize Cyber Threats

By James Lugabihl, Senior Manager, EMC Critical Incident Response Center, EMC IT

Threat intelligence is king. The more you have, the better positioned you are to protect your organization from cyber attacks.

But staying on top of threat intelligence to fight these sophisticated attackers requires a new, collaborative approach to security—one that most companies and organizations haven’t embraced as yet. We need to be able to continuously share information on the latest cyber attack techniques on malware and email campaigns beyond our own networks in order to defend against an onslaught of external and internal threats. We need to “talk” to each other to warn against the latest tactics.

Getting beyond “defend” mode

Most companies are still in “defend” mode, using the traditional firewalls and other perimeter-based tools to guard their networks and data. While you don’t want to get rid of those old war horses, your company does need to expand its capabilities to defend against and respond to the more sophisticated threats. By tapping into what other organizations are seeing in terms of attack techniques, tactics and procedures (TTPs), you can detect such threats much earlier and minimize damage.

I manage the Critical Incident Response Center (CIRC) at EMC, tasked with defending the company’s revenue stream and future market value from cyber threats. At EMC, we believe we have been able to achieve a uniquely high level of incident response capability using much of our own cutting-edge information security technology.


Changing Our Information Security Culture: EMC’s New Collaborative Approach to Reducing Risk

By Doug Graham, Senior Director, Global Security Office – Risk Management

What do corporate IT security and healthcare have in common these days? Both are undergoing a cultural shift in which customers are being asked to take responsibility for their own well-being.

Just like getting individuals to focus on proper diet, exercise and screening efforts can help prevent health problems and keep everyone’s medical costs down, so can getting IT users to embrace proper security practices help prevent costly security complications for employees and the company they work for.

At EMC, this realization is driving a major transition in our approach to security. We are evolving from a centralized global security team that dictates regulations to the business units that consume IT without their input – to a dispersed security force that works with the business to understand their needs and create policies and standards that the business can live with.

Last year, our Global Security Office (GSO) began a multi-year effort to transform its security approach.

Big Data Takes On Security

When it comes to IT security, we are at an opportunistic intersection.  Each and every day, we hear more and more about how the increasingly complex and aggressive threat landscape is impacting the security of companies around the globe.  However, Big Data strategies and technologies are rapidly approaching the intersection and arming us with the analytics we need to more proactively assess risk and identify threats.

As a leading global technology company, EMC has wholeheartedly embraced Big Data to get ahead of this.  If you’re interested in learning more, EMC is also hosting a webinar on “Using Greenplum to Deliver Big Data Analytics” on Tuesday, Sept. 18th @ 11am PT.  Sign up here:

It’s A Different IT Security World


By Ramesh Razdan, Senior Director of Enterprise Services and EMC Distinguished Engineer, and Steen Christensen, Director, Information Security

Like just about everything else in today’s socially networked universe, enterprise IT security has evolved dramatically in recent years.  Security teams are charged with safeguarding vital information in a world connected by a continuous and rapid exchange of an ever-expanding deluge of information. And among those logging on are a growing number of cyber criminals launching continuous and sophisticated threats to organizations worldwide. Investigations have become extremely complex with the need to be able to analyze data with context and speed.

No longer can organizations rely on traditional perimeter security and firewalls to protect their vital information assets. Nor can they effectively combat today’s sophisticated cyber criminals by analyzing threats after the fact. In fact, those that think they can in today’s complex cyber world are just sticking their heads in the sand.

Thankfully, Big Data tools and platforms have evolved to meet these new threats head on, armed with real-time data gathering and high speed security analytics.