


Network World: EMC CSO Shares Lessons from Protecting Storage Giant

Jan 18, 2008

As if Roland Cloutier doesn’t have enough of a challenge protecting a business the size of EMC, consider that the US$11 billion storage and information management company also bought security pioneer RSA last year. How bad would that look if EMC suffered a major breach?

Cloutier, who is CSO of EMC’s Global Security Organization, told a group of other high-level IT executives earlier this month at a Center for Information Management Studies seminar at Babson College in Wellesley, Mass., that such pressure forces EMC to have a superior business protection plan. Part of that plan is encrypting every EMC laptop, turning each one into a paperweight in the hands of anyone other than the owner.

Cloutier shared lessons with the audience learned from his time at EMC and before that in law enforcement and other security-related jobs.

He emphasized that security can be valuable to a business beyond keeping IT systems up and running.

“I challenge the theory that [security] is a necessary evil and I believe that if you do security well as part of your business processes that you will become a more competitive company,” Cloutier said.

Security affects businesses in many ways, he says, from the downstream impact on customers to the ability to comply with regulations such as the Sarbanes-Oxley Act.  

For EMC, the downstream impact of doing security well or not is on the security of its customers’ networks. One threat would be criminals trying to make changes to the manufacturing process for the software code to gain a backdoor into EMC products, Cloutier said.

EMC puts lots of emphasis on making sure its 40,000-plus employees are appropriately credentialed, part of its strategy for addressing workplace violence prevention, including defense against terrorism. Cloutier said 65% of all terrorist acts globally over the past three years were targeted at businesses, not governments. Offering protection is key to making employees happy and enabling them to work in countries where other companies might not feel comfortable having people work.

Another lesson shared was that forming a converged security organization — one that includes both physical/corporate security and information security — will pay off.

The benefits include having a common strategic vision and centralized metrics (many of which EMC has designed itself after looking at standard ones that don’t quite fit its business model) that can be used to spot trends across the organization. In the past, for example, the corporate investigations team spent lots of time investigating intellectual property theft and requested information from the IT team, but wouldn’t say why. Now, by working together, the IT team can see if people are leaving the company with IP and put a stop to it, Cloutier said. The consolidation also enabled EMC to eliminate redundant efforts, such as in forensics.

He said the downsides include stepping on toes (such as the former police officer colliding with the lifelong IT person who doesn’t want the ex-officer touching any firewalls).

Technologies that Cloutier is high on include application security, which basically comes down to proper coding; data-leakage prevention products (“these are low touch, high impact”); and security event management/security information management (“We have 10 terabytes on SIM that we can use”).


By Bob Brown, Network World (US)