Changing Our Information Security Culture: EMC’s New Collaborative Approach to Reducing Risk

What do corporate IT security and healthcare have in common these days? Both are undergoing a cultural shift in which customers are being asked to take responsibility for their own well-being.

Just like getting individuals to focus on proper diet, exercise and screening efforts can help prevent health problems and keep everyone’s medical costs down, so can getting IT users to embrace proper security practices help prevent costly security complications for employees and the company they work for.

At EMC, this realization is driving a major transition in our approach to security. We are evolving from a centralized global security team that dictates regulations to the business units that consume IT, without their input, to a dispersed security force that works with the business to understand their needs and create policies and standards that the business can live with.

Last year, our Global Security Office (GSO) began a multi-year effort to transform its security approach.

Changing our security culture

It is a substantial cultural change that will take time. After all, the traditional IT model that has been in place for years allowed the business to expect IT to do everything for them. IT delivered their desktop, delivered the applications at the back end, and basically provided their entire IT environment. Not surprisingly, business users saw GSO as being totally responsible for IT security. In the process we became a hindrance to the business.

As times are changing—and with the business having more choice of procuring IT services from a sea of public cloud (SaaS) providers—the old security model doesn’t work. Since users are more and more often making decisions on what type of IT services they consume, they also have to be aware of the potential risks those choices are going to bring to the IT environment. If a business unit is going to outsource customer management, for example, it needs to consider the security risks and compliance needs that come with that move.

This shift in user autonomy underscores some longstanding flaws in the old security model. Among them is the fact that you can’t force the business to comply with policies and standards that they don’t understand or agree with. In fact, at EMC we found that it had become acceptable to the business to work around some security policies so that they could do business freely—which tells me the policies were wrong.

In the past, the engagement between the business units and the security team was pretty much one of mutual misunderstanding. The business would make requests for IT services, the security team would identify risks and send back a series of “No’s,” and the business would often do it anyway because they had revenue or customer satisfaction at stake. From their polarized positions, each saw the other as the root of the problem. The security team thought the business was making bad decisions because it didn’t understand security policies. The business, in turn, thought the risk team was wrong because of its lack of understanding of business needs.

Now I know that people aren’t showing up for work at EMC intending to make bad decisions. The reality is that they’re making the best decisions they can with the information that’s currently available to them. And if you have two sides that each think the other is making a bad decision, there’s a communications problem.

A new collaboration

Our new approach to security seeks to resolve this by creating a collaborative relationship between GSO and the business. We must get closer to the business units so we can understand what their needs are. In turn, the business needs to understand our security requirements and to take responsibility for preventing security breaches, just as individuals need to understand the value of preventive medicine in the healthcare system.

To do this, we have decentralized our risk team, assigning Business Security Managers (BSMs) to each business unit to work with them directly on security issues. We have also appointed a Governance, Risk and Compliance (GRC) Council with representatives from across the businesses and GSO, which meets monthly on security issues. The GRC Council reports to the executive-level Management Risk Committee which, in turn, reports to the company Board of Directors.

Among our goals is to create security controls that are “built-in” and easy to understand and use, rather than our previous “bolted-on” measures that were difficult, sometimes even arbitrary, and disruptive to our customers. Think of anti-lock brakes (ABS) in the automobile industry, for example. All cars these days are required to have them, and consumers don’t really notice the built-in safety feature because it doesn’t hinder their driving experience. Going forward, our BSMs will work with the business to build in security features as we create new products and services.

In the meantime, representatives from GSO, IT and the business units recently collaborated to update and enhance EMC’s security policies, standards, guidelines and procedures.

We are also enlisting the help of champions throughout the business to help us promote awareness and acceptance of security practices. They will help us spread the word that everybody at EMC truly has some responsibility for securing their environment.

The right amount of security is the minimal amount needed to reach an acceptable level of risk. Without IT security, we of course could not do business in the market. EMC’s value is our intellectual property, which must be protected – that’s paramount. What’s more, our customers require assurance that we are protecting their information.

On the other hand, much like the parent who might want to keep their child in a bubble to keep them absolutely safe, we know that some risks are inherent in doing business in today’s world.

We want to find this balance through a cooperative relationship between our risk team and the business, because, ultimately, when IT security is driving the business, the tail is wagging the dog. If our business customers are making security work for them, then they are wagging the tail.

Much like the healthcare industry is enlisting individuals in safeguarding their own health, we hope to inspire everyone at EMC to step up and promote improved security for the enterprise. It’s a collective responsibility and a sign of maturity.

About the Author: Doug Graham