Communicating Risk Management in the Face of Constant Threats

In the face of an ever-changing security landscape that constantly presents new threats, an enterprise’s defense must be robust and complete, with multiple layers of prevention and defense strategies.

While enterprises may arm themselves with the most technical controls possible, a critical element to a proactive defense is communication. When we speak about communication, we refer to a strategy that goes far beyond messages to your employees about the latest security guidelines being handed down. The key to communication is removing the perception that the security organization is an obstacle to doing business.

At EMC, we have moved to empower people by breaking down barriers of communication between IT and the business. Through this approach, we have found success broadening the responsibility of risk management and changing the core behaviors of individuals that results in a stronger security posture and overall defense.

If your enterprise is in the early stages of defining its security organization, or you are looking to redefine your security organization, how do you communicate it out to the rest of the business? How do you empower people to take on security as an individual imperative?

From an IT perspective, it means fresh tactics that expand responsibility beyond IT. At EMC, we initiated the role of business security managers (BSMs), who proactively work with business leaders to identify the risks to which the business is exposed.

Through the BSMs, and a series of committees and organizations within EMC, we have expanded our defensive walls into the business environment. No longer does EMC IT attempt to build barriers and then climb over them to put out fires. Our new approach has given EMC IT a view of the entire risk and threat horizon. We now have three to four times as many partners out in the business actually practicing risk management. Being able to tap into those teams has enabled EMC IT to make more informed decisions and respond better to threats.

Working Backward to Fight against Threats

Though we have the BSMs in place, we haven’t taken our eye off the ball when it comes to incident response capabilities. The BSMs have contributed to greater transparency throughout the enterprise and an increase in our knowledge base of how we tackle and treat risk. As a result of this effort, we are witnessing tremendous growth in our security capabilities. Not only are we stopping the threat activity, but our wider communication network mitigates risk to the entire enterprise.

In the security world, we operate under the principles of detect, delay and deter to stop a threat from breaching our facility. We identify the threat, delay its intrusion into our organization, penalize the bad actor and deter the behavior from recurring in the future. We want to act in a way that fails to deliver a good return on investment for the attackers and leaves them deterred from trying again.

With threats growing in both number and sophistication, we knew we had to expand our focus throughout the enterprise. Risk management means taking a systematic approach to confronting threats across the organization.

In a sense, our approach at EMC has been a form of behavior modification. Risk management is not just about limiting service or cracking down on bad behavior. Risk management must incorporate new partners from outside the IT organization. Your IT department may serve as a tall, impenetrable door. However, without sharing knowledge and tools throughout the business, an enterprise will lack the critical tools that prevent threats from slipping through the defense.

I’ll be discussing this strategy more in depth at the 2013 RSA Conference on February 25th at the “Risk Management: The Perspective of the Business Stakeholder” breakout session.

EMC is also presenting the following sessions at the RSA Conference:

  • “Advancing Information Risk Practices” (Feb. 25th) hosted by Julie Fitton – Sr. Manager, Office of Risk Management at EMC
  • “Advancing the SOC: Agile, Intelligent and Context Aware” (Feb. 26th) hosted by James Lugabihl – Sr. Manager, EMC Critical Response Center
  • “Mobile Risk Management” (Feb. 26th) hosted by Dave Martin – EMC Chief Security Officer
  • “Sharing Indicators of Compromise: An Overview of Standards and Formats” (Feb. 27th) hosted by Chris Harrington – Consulting Security Engineer at EMC

More information about the 2013 RSA Conference, including a complete list of speakers, events, news items and media can be found here.

About the Author: Doug Graham