The five minute CIO: Dave Martin

12 Oct 2012

Dave Martin, chief security officer for EMC's Global Security Organisation

Dave Martin, chief security officer for EMC’s Global Security Organisation, explains why IT doesn’t always have to say no.

What does your role involve, from a security standpoint, what systems and people are you responsible for?

I have global responsibility for EMC and RSA’s security and it’s not just information security and risk management, I also own travel safety, fraud, diversion and loss management.

A lot of what you’re hearing from CIOs you’ll find echoed from me. They’re getting huge pressure to deliver business value, to provide mobile solutions and I think that traditionally, security has been perceived as ‘no, you can’t do that’. We’re fooling ourselves if we think you can say no; you can’t.

So as you start to shift that paradigm, and with the shorter-term pressure around mobile, you get the [question]: ‘here’s my Android pad and I want to be able to get to the HR data’ and I’ll go: ‘Let me come back to you on that. Hmm, no.’

And others come with an iPad on 3G and they want to look at sales data and it’s ‘yes’. So you get a very arbitrary approach where you’re taking everything one at a time.

How did you deal with that?

What we’ve done is get back to: how do I stop having one-on-one, project-level conversations that look arbitrary, and sometimes look like blocking, where it seems we don’t know what we’re doing?

We went back to basics: let’s put the cool thing that everyone wants over here [to one side] and let’s just have a conversation about data. We have a data classification set, so we brush that off and maybe we tune it up a little bit.

Now that we all agree that data has different levels of importance, what kind of controls should be there for the different levels?

When did you start to look at that – were you ambushed as a lot of others were by the BYOD trend or given that you’re in the industry did you see it coming?

We definitely saw it coming and we’ve been involved in this over the last two years.

We’ve left the cool, sexy device over to the side; let’s not all get fixated on that. Let’s just agree that some data’s important, some data’s not; what are the controls that should be there for each layer? Then I go away and I figure out how I deliver those controls today, how I might do it in a more transparent, more portable way – what’s my roadmap?

And then because I have this roadmap, when someone walks up it’s kind of like at an amusement park. You have to be 1 metre tall to ride the ride.

How easy or difficult was it to put that in place, that process, did it take a long time and what lessons were learned?

I think that it’s hard because this data classification had to be dusted off. We had it because everyone should have it, but how well is data as an asset really understood, and who’s the owner?

Quite often, we’re perceived to be the people that secure EMC. But that’s 50,000 people and we’re a team of 120. That’s not going to work.

As much as I try, I don’t really understand what the business value really is and, more importantly, I might say no to something because I don’t understand what’s on the other end of the lever, which could be, ‘I could make a billion dollars if you said yes to this’. OK, I’m going to try a lot harder than if it’s a ‘nice to have’.

The biggest problem was getting my people to start to understand what’s the impact to the business value of saying yes or no, and finding ways to say yes. And then also getting a true understanding of what the value is.

That speaks to a key struggle that you see in IT, where there’s not always an understanding of what the business does. Is that a problem?

We’re shifting our team’s approach to do that. Clearly, my budget’s never going to be twice as big unless we suddenly become four times as large as a company, so how do I extend and get more people accountable and responsible and aware of security?

So I funded some people who sit in the business units to do security. I’ve started to see them hiring people who don’t report to me. They’re working with risk, I’m seeing risk getting discussed and resolved in the business unit.

At first I was saying ‘OK, this is weird’, because these people are making decisions about security and risk and I’m here, not saying anything. And then you start to realise, maybe this is how it’s meant to be. I’m in a much better position. I can consult, I’ve got tools, I can explain the information and the threats side. They understand the business side. I should truly be there to help.

It’s an interesting approach – letting the business look after itself and you taking a consulting role rather than swallow whole all of the business drivers and the complexity of the organisation.

The big change is, it’s not just all about enabling them; it’s also them bringing back central management. We have to be able to report back to our enterprise GRC [governance, risk and compliance] council. This is a decision that’s made, sometimes it’s in minutes, it might be an important decision that’s been accepted, mitigated or deferred.

You never want a core security team to go fix business process. Half the time, when we fix business process we bolt on all these ugly security attachments and bumps in the wire and extra alligators in the moat, when in reality if they just actually fixed the process in a more sane way, with guidance from us with the tools we have, we can make it more transparent. And if it’s transparent security, people will use it.

The push and pull is, too much security and users will rebel: they won’t want it. Too little security and your job becomes a nightmare. How do you find that balance?

It’s constantly questioning yourself. A control that you put in three years ago: did that have an undesirable consequence?

I would rather see people even using consumer cloud-like tools on the network – because they’re going to use them – and have an educational discussion, be able to report out, rather than try and block everything that won’t be effective.

Even if they find a way around my network controls, they’ll be tethered on 4G and doing it anyway. That’s the unintended consequence of ‘well that’s crazy, I should block it’, and then what behaviour does that cause?

If you can’t provide an enterprise a secure way of doing it, then they’re still going to do what they were doing no matter what you tell them, and unless you’re very good at educating them on threat and you have very responsible people – which most of the time you do, but sometimes you don’t …

Do you see that education as being a big part of your role?

We’ve gone from the once-a-year, 45-minute Q&A – and now you’re secure, so you can check the compliance box that I’ve educated you – to trying more and more to be more transparent about risk … And then we also try to get closer to the point of risk.

To make a corny analogy, if you pick up the scissors off your desk and start to run down the corridor, I want there to be a pop-up: here are the statistics for people running with scissors and did you know we offer rubber scissors and all these different things you should be using. I want to get to that point.

An information security example is, for some of the more risky areas of the internet, we actually have a splash page with text that no-one ever reads, and then they click a button. Which is actually an effective layer of defence but we’re transforming that to actually using it as a place to put statistics.

Was it expensive to put that kind of process in place to be able to have an evidence-based conversation with people about their behaviour?

It’s not radically expensive and, if nothing else, it’s allowed me to shift resources. Being able to look at that and analyse, say, a data loss prevention event – an analyst can see the surrounding context to that event and see that this isn’t just some mundane malware.

Certainly it’s not cheap but to survive effectively in this kind of threat environment, you can’t have what you had before.

But, I’m spending the same amount of money on this kind of defence as I was three to five years ago. I’m just able to do so much more now and make high-value analysts so much more efficient.

How do you sum up the ease or difficulty of your role now, given the nature and complexity of the security threats out there?

This job is evolving: there are new threats, the infrastructure is changing, the business around us is changing. When I came to EMC, essentially we were a products company, and now we have so many services, so much software and even consumer-facing technologies.

The big advantage in my role is that we have a security products company. I can grab an engineer and say ‘look what happened today, you have to help us fix that’. The ability to use thought leadership and steer the future product direction is huge.

It’s different; it’s not easier, it’s not harder. It certainly never was an easy job.

Gordon Smith was a contributor to Silicon Republic