Tuesday, November 06, 2012

Liberty Mutual Insurance Melds Regulatory Compliance and Security Awareness to Better Protect Assets, Customers, and Employees

Transcript of a BriefingsDirect podcast on how Liberty Mutual Insurance has adopted a new, heightened security posture that permeates the applications development process.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: HP.

Dana Gardner: Hello, and welcome to the next edition of the HP Discover Performance Podcast Series. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your moderator for this ongoing discussion of IT innovation and how it’s making an impact on people’s lives.

Dana Gardner
Once again, we're focusing on how IT leaders are improving performance of their services to deliver better experiences and payoffs for businesses and end-users alike.

I'm now joined by our co-host for this sponsored podcast, Raf Los, who is the Chief Security Evangelist at HP Software. Welcome back Raf. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

Rafal Los: Glad to be back, Dana.

Gardner: And where are you joining us from today, where is your travel taking you?

Los: Well we are at the HP Protect 2012, here in beautiful Nashville, Tennessee where the sun is shining and the birds are chirping country music.

Gardner: We have a fascinating show today, we're going to learn how Liberty Mutual Insurance is building security more deeply into its business, and with that, I’d like to introduce our special guest, John McKenna, Vice President and Chief Information Security Officer for Liberty Mutual.

Welcome to the show, John.

John McKenna: Glad to be here.

Gardner: You're both at the HP Protect show in Nashville, so let’s focus on security a bit. Why is security so important to your business now, and in what ways are you investing?

McKenna: It’s pretty clear to us that the world has changed in terms of the threats and in terms of the kinds of technologies that we're using these days to enable our business. Certainly, there's an obligation there, a responsibility to protect our customers’ information as well as making sure that our business operations can continue to support those customers.

John McKenna
So, as I said, it's the realization that we need to make sure we’re as secure as we need to be, and we can have a very deep discussion about how secure we need to be.

In addition to that, we have our own employees, who we feel we need to protect to enable them to work and get the job done to support our customers, while doing so in a very secure workplace environment.

Gardner: You started off by saying that things are different. You recognized that. How do you generally think things are different now than, say, four or five years ago?

McKenna: I'll start with just the technology landscape itself. From mobility platforms and social networking to cloud computing, all of those are introducing different attack vectors, different opportunities for the bad guys to take advantage of.

Reducing the threat

We need to make sure that we can use those technologies and enable our business to use them effectively to grow our business and service our customers, while at the same time, protecting them so that we reduce the threat. We will never eliminate it, but we can reduce the opportunities for the bad guys to take advantage.

Los: John, you talk about for your customers. From a security perspective, your customers are your external customers as well as internal, correct?

McKenna: We absolutely have our internal customer as well. We have partners, vendors, agencies, and brokers that we're doing business with. They're all part of the supply chain. We have an obligation to make sure that whatever tools and technologies we are enabling them with, we’re protecting that as well.

Gardner: John, Liberty Mutual, of course, is a large and long-time leader in insurance. Tell us about the breadth and depth of your company. I imagine you're quite dispersed, as well, as with many different lines of services. Help us understand the complexity that you're managing, when it comes to bringing security across this full domain.

McKenna: We're a global company in the Fortune 100 list. We have $35 billion in revenue and we have about 45,000 employees worldwide. We offer products across the personal and commercial lines products, or P&C, and life insurance products. We’ve got somewhere in the range of 900-plus offices globally.

So we have lots of people. We have lots of connections and we have a lot of customers and suppliers who are all part of this business. It’s a very complex business operation, and there are a lot of challenges to make sure that we're supporting the customers, the business, and also the projects that are continually trying to build new technology and new capabilities.
In the past, security was really something that was delegated and was an afterthought in some respect.

Gardner: Raf, when we talk about what’s different in companies, one of the things I'm noticing that I think is pretty important when it comes to security, is that in the past, security was really something that was delegated and was an afterthought in some respect.

But I'm seeing a lot of companies now that, when they're planning new products and services, start asking those questions right-away. Is this something we can deliver securely? Should we bring this product to market in this way, when security concerns or privacy concerns are something that we need to consider for our brand, and our employees’ and our supply chain’s protection?

It seems to me that security is now a thought right at the very beginning of planning for new services. Is that the case in your travel?

Los: That’s what I'm seeing, and there's still the maturation that’s happening across the enterprise spectrum where a lot of the organizations -- believe it or not, in 2012 -- are still standing up formalized security organizations.

Not a given

So security is not a given yet, where that the department exists, is well-funded, well-staffed, and well-respected.You're getting to that state where security is not simply an afterthought or as it was in an organization in my past job history a decade ago or so. In those types of companies, they would get it done and the say, "By the way, security, if you take a look at this before we launch it, make sure it’s given virtual thumbs up. You’ve got about 20 minutes to go."

Raf Los
If you can get away from that, it’s really about security teams stepping up and demonstrating that they understand the business model and that they're there to serve the organization, rather than simply dictate policy. It’s really a process of switching from this tight iron-grip on control to more of a risk model.

It's sort of a cliché, but IT technology risks understanding acceptance and guidance. I think that’s where it’s starting to win over the business leaders. It’s not that people don’t care about security. They do. They just don’t know they do. It’s up to us to make sure that they understand the context of their business.

Gardner: John, is that ringing true for you at Liberty Mutual, where there is a more concern and thought put into security as you're bringing products and services to market and as you're considering what new products and services to bring to market?

McKenna: It absolutely is. It goes from the top on down. Our board certainly is reading the headlines every day. Where there are new breaches, their first question is, "Can this happen to us?"
As we're rolling out new capabilities, we have a responsibility to protect the brand and the reputation.

So it certainly starts there, but I think that there absolutely is an appreciation at our strategic business units, the leadership, as well as the IT folks that are supporting them, that as we're rolling out new capabilities, we have a responsibility to protect the brand and the reputation. So they're always thinking first about exactly what the threats and the vulnerabilities might be and what we have to do about it.

We’ve got a lot of programs underway in our security program to try to train our developers how to develop application, secure coding practices, and what those need to be. We’ve got lots of work related to our security awareness program, so that the entire population of 45,000 employees has an understanding of what their responsibilities are to protect our company's information assets.

I will use a term used by a colleague that Raf and I know. Our intent is not to secure the company 100 percent. That’s impossible, but we intend to provide responsible defenses to make sure that we are protecting the right assets in the right way.

Los: That’s very interesting. You mentioned something about how the board reads the headlines, and I want to get your take on this. I'm going to venture a guess. It’s not because you’ve managed to get them enough paper, reams of paper with reports that say we have a thousand vulnerabilities. It’s not why they care.

Quite a challenge

McKenna: Absolutely right. When I say they're reading the headlines, they're reading what’s happening to other companies. They're asking, "Can that happen to us?" It's quite a challenge -- a challenge to give them the view, the visibility that is right, that speaks to exactly what our vulnerabilities are and what we are going about it. At the same time, I'm not giving them a report of a hundred pages that lists every potential incident or vulnerability that we uncovered.

Los: In your organization, whose job is it? We’ve had triangulation between the technical nomenclature, technical language, the bits and bytes, and then the stuff at the board actually understands. I'm pretty sure SQL injection is not something that a board member would understand.

McKenna: It's my job and it's working with my CIO to make sure that we are communicating at the right levels and very meaningfully, and that we’ve, in fact, got the right perspective on this ourselves. You mentioned risk and moving to more of a risk model. We're all a bit challenged on maturing, what that model, that framework, and those metrics are.

When I think about how we should be investing in security at Liberty Mutual and making the business case, sometimes it's very difficult, but I think about it at the top level. If you think about any business model, one approach is a product approach, where you get specific products and you develop go-to-market strategies around those.

If you think about the bad guys and their products, either they're looking to steal customer information, they are looking to steal intellectual property (IP), or they're looking to just shut down systems and disable services. So at the high level, we need to figure out exactly where we fit in that food chain? How much bigger risk are we at at that product level?
It's working with my CIO to make sure that we are communicating at the right levels and very meaningfully.

Gardner: I've seen another on-ramp to getting the attention and creating enough emphasis on the importance of security through the compliance and regulation side of things, and certainly the payment card industry (PCI) comes to mind. Has this been something that's worked for you at Liberty Mutual, or you have certain compliance issues that perhaps spur along behaviors and patterns that can lead to longer-term security benefit?

McKenna: We're a highly-regulated industry, and PCI is perhaps a good example. For our personal insurance business unit, we've just achieved compliance through QSA. We’ve worked awfully hard at that. It’s been a convenient step for us to address some of these foundational security improvements that we needed to make.

We're not done yet. We need to extend that and now we're working on that, so that our entire systems have the same level of protections and controls that are required by PCI, but even beyond PCI. We're looking to extend those to all personal identifiable information, any sensitive information in the company, making sure that those assets have the same protections, the same controls that are essential.

Gardner: Raf, do you see that as well that the compliance issues are really on-ramp, or an accelerant, to some of these better security practices that we've been talking about?

Los: Absolutely. You can look at compliance in one of two ways. You can either look at a compliance from a peer’s security perspective and say compliance is hogwash, just a checkbox exercise. There’s simply no reason that it's ever going to improve security.

Being an optimist

Or you can be an optimist. I choose to be an optimist, and take my cue from a mentor of mine and say, "Look, it's a great way to demonstrate that you can do the minimum due diligence, satisfy the law and the regulation, while using it as a springboard to do other things."

And John has been talking about this too. Foundationally, I see things like PCI and other regulations, HIPAA, taking things that security would not ordinarily get involved in. For, example, fantastic asset management and change management and organization.

When we think security, the first thing that often we hear is probably not a good change management infrastructure. Because of regulations and certain industries being highly regulated, you have to know what's out there. You have to know what shape it's in.

If you know your environment, the changes that are being made, know your assets, your cycles, and where things fall, you can much more readily consider yourself better at security. Do you believe that?

McKenna: It's a great plan. I think a couple of things. First of all, about leveraging compliance, PCI specifically, to make improvements for your entire security posture.
Because of regulations and certain industries being highly regulated, you have to know what's out there. You have to know what shape it's in.

So we stepped back and considered, as a result of PCI mapped against the SANS Top 20 cyber security controls, where we made improvements. Then, we demonstrated that we made improvements in 16 of the 20 across the enterprise. So that's one point. We use compliance to help and improve the overall security posture.

As far as getting involved in other parts of the IT lifecycle, absolutely -- change management, asset management. Part of our method now for any new asset that's been introduced into production, the first question is, is this a PCI-related asset? And that requires certain controls and monitoring that we have to make sure are in place.

Los: That one question probably kicks off more security conversation than you would ever have before.

McKenna: Right, absolutely agree with you.

Gardner: I'm also looking at this larger theme of what's different now than, say, five years ago? I often hear that the types of threats are different. You mentioned the types of bad guys are different. We often hear now more about nation-states being involved rather than college students being mischievous.

I know it’s going to vary by company to company, in vertical industry by industry, but do you sense that you're dealing with a different type or higher level of sophistication when it comes to threats now, John?

Level of sophistication

McKenna: We're certainly dealing with a higher level of sophistication. We know that. We also know that there is a lot we don't know. We certainly are different from some industries. We don't see that we're necessarily a direct target of nation-states, but maybe an indirect. If we're part of a supply chain that is important, then we might still get targeted.

But my comment to that is that we've recognized the sophistication and we've recognized that we can't do this alone. So we've been very active, very involved in the industry, collaborating with other companies and even collaborating with universities.

An effort we've got underway is the Advanced Cyber Security Center, run out of Boston. It's a partnership across public and private sectors and university systems, trying to develop ways we can share intelligence, share information, and improve the overall talent-base of and knowledge base of our companies and industry.

Gardner: Raf, rising sophistication of security threats.

Los: This is something that's been building. When we started many years ago, hacking was a curiosity. It moved into a mischief. It moved into individual gains and benefits. People were showing off to their girlfriend that they hacked a website and defaced it.
There are entire cultures, entire markets, and strata of organized crime that get into this.

Those elements have not gone away, by the way, but we've moved into a totally new level of sophistication. The reason for that is that organized crime got involved. The risk is a lot higher in person than it is over the Internet. Encrypting somebody's physical hard drive and threatening to never give it back, unless they pay you, is a lot easier when there is nobody physically standing in front of you who can pull a gun on you. It's just how it is.

Over the “Internet,” there is anonymity per se. There is a certain level of perceived anonymity and it's easier to be part of those organized crimes. There are entire cultures, entire markets, and strata of organized crime that get into this. I'm not even going to touch the whole thing on activism and that whole world, because that’s an entirely different ball of wax.

But absolutely, the threat has evolved. It's going to continue to evolve. To use a statement that was made earlier this morning in a keynote by Bruce Schneier, technology is often adapted by the bad guys much faster than it is with good guys.

The bad guys look at it and say, "Ooh, how do we utilize it?" Good guys look at a car and say, "I can procure it, do an RFP, and it will take me x number of months." Bad guys say, "That’s our getaway vehicle." It’s just the way it works. It's opportunity.

Gardner: So not only more sophistication, but more types of attacks and let’s say a speedier time to risk.

Los: It’s less risk and more reward, and that’s what everybody who's “bad” wants.

Insurance approach

Gardner: I want to go out on a limb a little bit here and only because Liberty Mutual is a large and established insurance company. One of the things that I’ve been curious about in the field of security is when an insurance approach to security might arise?

For example, when fire is a hazard, we have insurance companies that come to a building and say, "We'll insure you, but you have to do x, y and z. You have to subscribe to these practices and you have to put in place this sort of infrastructure. Then, we'll come up with an insurance policy for you." Is such a thing possible with security for enterprises. Maybe you’re not the right person, John, but I am going to try.

McKenna: It’s an interesting discussion, and we had some of that discussion internally. Why aren’t we leveraging some of the practices of our actuarial departments, or risk assessors that are out there working our insurance products?

I recently met with a company that, in fact, brokers cyber insurance, and we're trying to learn from them. This is certainly not a mature product yet or mature marketplace for cyber insurance. Yet they're applying the same types of risk assessments, risk analysis, and metrics to determine exactly what a company’s vulnerabilities might be, what their risk posture might be, and exactly how to price a cyber insurance product. We're trying to learn from that.
The fact that you don’t have the metrics is one side of this. It’s very difficult to price.

Gardner: So, Raf, an interesting concept.

Los: Yeah, it is. As you were talking, I kept thinking that my life insurance company knows how much they charge me based on years and years and years and years of statistical data behind smokers, non-smokers, people who drive fast, people who are sedentary, people who workout, eat well, etc. Do we have enough data in the cyber world? I don’t think so, which means this is a really interesting game of risk.

McKenna: It’s absolutely an interesting point. The fact that you don’t have the metrics is one side of this. It’s very difficult to price. But the fact that they at least know what they should be measuring to come up with that price is part of it. You need to leverage that as a risk model and figure out what kind of assumptions you're making and what evidence can you produce to at least verify or invalidate the model.

Los: On the notion of insurance, I can just think of all the execs that have listened to that, if it’s that insurance,saying, "Great. That means we don’t have to do anything, and if something bad happens the insurance will cover it." I can just see that as a light bulb going on over somebody’s head.

Gardner: It’s not the way it’s going to work. What’s going to happen is, if you don’t do that, you won’t be able to get insurance and the companies that have insurance and that have best practices are going to win in the market. So I don’t think that’s too much of a risk, because that’s not the way any other insurance works either, right John?

McKenna: That’s exactly right, yeah.

Los: I do hope it goes that way. That’s really a good driving force though.

McKenna: Again, we're just trying to learn from it, to understand how we should be assessing our own risk posture and prioritizing where we think the security investment should be.

What's the benchmark?

Gardner: If you take lots of risks, you pay more for insurance. The only question is what you benchmark against. What is good enough? Or do you benchmark against peers and how readily will your peers share data with that insurance company? That’s a dangerous topic.

Gardner: I'll just offer one insight on that -- the log data. If you're an insurance company, you want to find out what the posture of a company is, you have access to big data analysis, and you get access to the log data, you might have a good opportunity to provide more of an empirical view on a company’s posture than they are able to do, and therefore create a value-added service. But that’s just an off-the-cuff observation.

McKenna: I think the challenge is, as Raf mentioned, whether we have the data or the evidence. We have years and years and years of history around vehicle accidents, etc. We don’t necessarily have all the correlations of data with log data and security data that would enable us to paint those historical patterns and understand them.
Most of our security decisions, whether it’s investment or risk tolerance levels, are really rooted in a business position.

Los: That’s what I’d be worried about. The causality between, if you do this, take this kind of risk, this is the likely outcome. I'm not sure we completely understand causality quite yet.

Gardner: Let’s move on to one other area before we close off, and that would be other future-of-security trends or possibility. We brought one into the fold, which is this notion of insurance, but is there anything else for you, John, that’s interesting or hopeful in terms of the future of security and risk avoidance?

McKenna: In part this may be why I was put in this position. I have less of a technical security background and more an understanding of our business and how to make business decisions. We're getting much more direct engagement of our business partners or business units in helping us to assess risk and make decisions.

That is something that we're still continuing to work on and we’ve seen some progress there, very good progress. I think we'll see even more progress, so that in fact, all of our, or most of our security decisions, whether it’s investment or risk tolerance levels, are really rooted in a business position.

Gardner: Raf, last word to you, any other concepts for you coming down of interest in terms of where this is heading?

Away from the silo

Los: Security is moving in this direction already, but I think it’s going to continue to move away from being a silo in the enterprise. It's something that is fundamental, a thread through the fabric. The notion of a stand-alone security team is definitely becoming outdated. It’s a model that does not work. We demonstrated that it does not work.

It cannot be an afterthought and all the fun clichés to go with it. What you're going to start seeing more and more of are the nontraditional security things. Those include, as I said, like I said change management, log aggregation, getting more involved into business day to day, and actually understanding.

I can't tell you how many security people I talk to that I asked the question, "So what does your company do?" And I get that brief moment of blank stare. If you can’t tell me how your company survives, stays competitive, and makes money, then really what are you doing and what are you protecting, and more importantly, why?

That’s going to continue to evolve, it’s just going to separate the really good folks, like John, that get it from those who are simply pushing buttons and hoping for the best.
Security is moving in this direction already, but I think it’s going to continue to move away from being a silo in the enterprise.

Gardner: I'm afraid we’ll have to leave it there, and with that let me please thank our co-host, Rafal Los, the Chief Security Evangelist at HP Software. Thank you so much.

Los: Thanks for having me again.

Gardner: And I’d also like to thank our supporter for this series, HP Software and remind our audience to carry on the dialogue with Raf through his blog and also the Discover Performance Group on LinkedIn.

I’d also like to extend a huge thank you to our special guest, John McKenna, Vice President and Chief Information Security Officer for Liberty Mutual. Thanks so much, John.

McKenna: Thank you. This was fun, enjoyed it.

Gardner: And you all can gain more insights and information on the best of IT performance management at www.hp.com/go/discoverperformance. And you can also always access this another episode in our HP Discover Performance podcast series on iTunes under BriefingsDirect.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your co-host and moderator for this ongoing discussion of IT Innovation and how it’s making an impact on people’s lives.

Thanks again for listening, and come back next time.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: HP

Transcript of a BriefingsDirect podcast on how insurance company Liberty Mutual has adopted a new, heightened security posture that permeates the development process. Copyright Interarbor Solutions, LLC, 2005-2012. All rights reserved.

You may also be interested in:

Monday, October 22, 2012

Heartland CSO Instills Novel Culture That Promotes Proactive and Open Responsiveness to IT Security Risks

Transcript of a BriefingsDirect podcast on the need to recognize the inevitability of a security threat and devise ways to respond quickly and openly.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: HP.

Dana Gardner: Hello, and welcome to the next edition of the HP Discover Performance Podcast Series. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your moderator for this ongoing discussion of IT innovation and how it’s making an impact on people’s lives.

Dana Gardner
Once again, we're focusing on how IT leaders are improving performance of their services to deliver better experiences and payoffs for businesses and end-users alike.

I'm now joined by our co-host for this sponsored podcast, Raf Los, who is the Chief Security Evangelist at HP Software. Welcome, Raf. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

Raf Los: Hey, Dana. Good to be back.

Gardner: Where are you calling in from today?

Los: Well, we are in beautiful Nashville, Tennessee, the birth place -- and currently on the birthday -- of Mr. Jack Daniel.

Gardner: Well, we have a fascinating show today, because we’re joined by a gentleman from Heartland Payment Systems, where they're building better security-as-a-culture into their operations and business strategy. With that, I'd like to introduce our guest, John South, Chief Security Officer at Heartland Payment Systems, based in Princeton, New Jersey. Welcome, John.

John South: How are you doing, Dana?

Gardner: I'm doing great. Prior to joining Heartland in September of 2009, John held leadership roles in information security at Convergys and in Alcatel-Lucent. He has also spent several years in Belgium and Paris, leading Alcatel European information security operations.

Furthermore, John is an adjunct professor at the University of Dallas, where he teaches digital forensics; and with Dr. John Nugent, he has co-founded the university’s Information Assurance Program. That program, incidentally, has been designated as a National Security Agency (NSA) Center for Excellence since it began in 2002.

What's more, John has been an active member of the US Secret Service North Texas Electronic Crimes Task Force since its inception in 2003. And he's the founding president of the FBI’s North Texas InfraGard Program.

Let's talk a little bit about your tenure, John. You've been at Heartland Payment Systems for several years now. You’re talking about changing culture and instilling security, but you got there at a pretty tough time. Why don't you tell us a little about what was going on at Heartland when you arrived?

South: Dana, certainly 2009, when I joined, was one of turmoil and anxiety, because they had just gone through a breach. The forensics had been completed. We understood how the breach had taken place, and we entered a period of how to not only remediate and contain that and future breaches, but also how to make that security consistent and reliable in the future.

Cultural problem

It was not only a technical problem, but it became very quickly a business and a cultural problem that we also had to solve. As we took the elements of the breach and broke it down, we were able to figure out technically the kinds of controls that we could put in place that would assist in shortening the gap between the time we would see a future breach and the time we were able to respond.

John South
More importantly, as you pointed out, it was developing that culture of security. Certainly, the people who made it through the breach understood the impact of the breach, but we wanted to make sure that we had sustainability built it into the process, so that people would continue to use security as the foundation.

Whether they were developing programs, or whatever their aspect in their business, security would be the core of what they looked at, before they got too far into their projects. So, it's been an interesting couple of years for Heartland.

Gardner: Just for background for our listeners, in early 2009, something on the order of 94 million credit card records were stolen due to a SQL injection inserted into your data-processing network. I’d also like to hear more about Heartland Payment Systems, again for those of our listeners who might not know. I believe you’re one of a handful of the largest credit card processors in the U.S., if not the world.

South: We are. Right now, we’re number six in the US, and with consolidation and other aspects, that number floats around a bit. We're basically the pipeline between merchants and the banking system. We bring in payments from credit cards and debit cards. We handle payroll, micro payments and a number of other types of payroll channel or payment channels that we can then move from whatever that source, the merchant, to the appropriate bank that needs to handle that payment.

It's a very engaging process for us, because we’re dealing with card brands on one side, banks on another, and the merchants and their customers. But the focus for Heartland has always been that our merchants are number one for our company.
The way they handled the breach was just an extension of the way they always thought about our merchants and our customers themselves.

That's the approach we took to the breach itself, as you may know. We’ve been very open with the way we work with our merchants. In fact, we established what we call The Merchants Bill of Rights. That was part of the culture, part of the way that our executive team thought all along. So, the way they handled the breach was just an extension of the way they always thought about our merchants and our customers themselves.

Gardner: Raf Los, we’ve seen a variety of different ways companies have reacted to breaches of this magnitude, and even for things smaller and everything in between. Most of the time, the reaction is to put up more barriers, walls, or a perimeter, not only around the systems, but around the discussion of what happens to their systems when security can become an issue. So, why is Heartland’s case different, and why do you think it's interesting and perhaps beneficial in how they’ve handled it?

Los: Dana, first, there are two ways that you can take a monumental impact like this to your business. You can either be negative about it, and in some cases, try to minimize it, keep the media from it, keep your customers from getting the full information, and try to sweep it under the rug.

In some cases, that even works. Maybe the world forgets about it, and you get a chance to move on. But, that's one of those karmic things that comes back to bite you. I fully believe that.

Phoenix transformation

What Heartland did is the poster child for the phoenix transformation. John touched on an interesting point earlier. For them, it was a focus on the merchants, or their customers. The most important thing wasn’t the fact that they had a data breach, but it was the fact that a lot of their merchants were impacted. The people they did business with were impacted. Their reputation was impacted.

Their executives took a stand and said, "Look, we can do this the easy way, try to get out of it and scoot, and pretend it didn’t happen. Or, we can take responsibility for it, step up, and take the big kick in the pants in the short run. But in the long term, we'll both earn the industry’s respect, the respect of our customers, and come out of it with a transformation of the business into a culture where, from the people that lead the company down to the technologist, security is pervasive." That's gutsy, and now we know that it works, because they did it.

Gardner: It's my understanding that it only took them a couple of months after this breach to issue a statement about being in compliance with payment card industry data security standard (PCI DSS) and returning to Visa's list of validated service providers. So you had a fairly quick response to the major issues.

I'd like to hear more, John, about how the culture has changed since that time, so that others might learn from it, not only the openness benefits, but how the culture of security itself has changed?

South: Dana, you made a very good point that going back to becoming compliant under the eyes of PCI and the card brands took six weeks. I have to plug the guys in the company for this, because that was six weeks of some people working 20-22 hours a day to bring that about.

There was a huge effort, because it was important for us and important for our customers to be able to have the reliance that we could stem this thing quickly. So, there was a lot of work in that period of time to bring that together.
There was a huge effort, because it was important for us and important for our customers to be able to have the reliance that we could stem this thing quickly.

That also helped build that culture that we’re talking about. If you look at the two parameters that Raf had put out there, one being we could have obfuscated, just hid the fact, tried to run from the press, and been very evasive in our wording. That may have worked. And it may not have worked. But, for us, it wasn’t an option, and it wasn’t an option at all in the process.

For us, it was part of the executive culture to be very open and the people who participated in the breach understood that. They knew the risk and they knew that it was a time of great distress for them to be able to handle the breach and handle the pressure of having been breached.

What that did for our customers is build a strong reliance upon the fact that we took this very seriously. If we had taken this as “let's hide the fact, let's go ahead and fix the problem and see what we can get away with,” it would have been the wrong message to carry to our people to begin with. It would have said to our people that it's okay if we go ahead and fix the problem, but it's just a fix. Fix it and walk away from it.

For us, it became more that this is something we need to take responsibility for. We took that responsibility. As we say, we put on the big-boy pants, and even though we had the financial hit in the short run, the benefits have been wonderful from there. For instance, during the course of the breach, our attrition was very, very low. Our customers realized by our being that open that we were seriously involved in that process.

Honesty and openness

Los: John, that speaks perfectly to the fact that honesty and openness in the face of a failure like that, a big issue, is the thing to do. If I found that something like that happened and the first thing you told me was, "It's no big deal. Don’t worry about it," I'd get suspicious. But if you told me, "Look, we screwed up. This is our fault. We're working to make it better. Give us some time, and it will be better," as a customer, I'm absolutely more apt to give you that benefit of the doubt.

Raf Los
In fact, if you deliver on that promise long-term, now you’ve got a really good relationship. I hope by now we've realized, most people have realized, that security is never going to reach that magical utopian end state. There is no secure.

We provide the best effort to the alignment of the business and sometimes, yes, bad things happen. It's the response and recovery that’s absolutely critical. I don't want to beat a dead horse, but you guys did a fantastic job there.

South: Thank you, Raf, and you hit a really important point. Security is not that magic pill. We can't just wave a security wand and keep people out of our networks. If someone is motivated enough to get into your network, they're going to get into your network. They have the resources, the time, the money, and, in many cases, nation-state protection.

So they have the advantage in almost every case. This goes back into the concept of asymmetric warfare, where the enemy has a great deal more power to execute their mission than you may have to defend against it. For us, it's a message that we have to carry forward to our people and to our customers -- that our effort is to try to minimize the time from when we see an attempt at a compromise to the time we can react to it.
Real control on this kind of sprawl is virtually impossible.

Los: I took that note earlier, because you said that a couple times now and I'm intrigued by "mean time to discovery" (MTTD). I think that’s very meaningful, and I don’t know how many organizations really and truly know what their MTTD is, whether it's in applications, and how long it takes to find a bug now in the wild, once it’s made it past your relief cycle, or how long it takes to discover an intrusion.

That's extremely important, because it speaks to the active defenses and the way we monitor and audit, because audit isn't just a dirty word that says somebody walks through, checks a couple of boxes, and walks out.

I mean audit in the true sense. Someone goes through and looks at systems, does some critical thinking, and does some deep analysis. Because, at the end of the day, John, I think will probably be the first to say this, systems have gotten so complex right now to maintain. Real control on this kind of sprawl is virtually impossible. Forget how much budget you can have. Forget how many staff you can hire. It's just not possible with the way the business moves and the way technology speeds along.

The rational way to look at that is to have a team that, every so often, takes a look at a system, looking to fully audit on this. Let's figure out what's going, what's really going on, in this platform.

South: That’s one of the cultural changes that we've made in the company. I have the internal IT audit function also, which is very nontraditional for a company to do. A lot of times, the audit function is buried up in an internal audit group that is external to the operation. That makes it a more difficult for them to do a truly effective audit of IT security.

Separate and independent

I have an audit group that stands separate and independent of IT, but yet is close enough with IT that we can go in and effectively conduct the audits. We do a large number of them a year.

What's important about that audit function and what positively influences the effectiveness of an audit is that you go into the meeting with, say, a technical group or a development group that you want to audit, with a positive, reinforcing attitude -- an attitude of not only finding the issues, but also of a willingness to help the group work out its solutions.  If you go into the audit with the attitude that “I am the auditor. I'm here to see what you are doing,” you're going to evoke a negative reaction. 

Los: It's adversarial.

South: It's adversarial. My auditors go in with a completely different attitude. "I'm here to help you understand where your risks are." That whole concept of both moving from an adversarial to a proactive response to auditing, as well as having a very proactive engagement with security, is what's really made a big cultural shift in our company.

Los: Yeah, that’s fantastic. That’s the way to put it.

Gardner: In listening to you both, I am hearing shifts in perceptions that are having very powerful impacts on your businesses and perhaps the industry. First, of course, was to recognize that being open about a security breach allows you to deal with it more directly.

Even on a personal psychology level, if you have secrets in a family setting, it's hard to address them. The same thing probably pertains to security. Changing that perception of this as being open allows you to address it more directly.
Our executive team realized that one of the fundamental things that was important for security of our company as a whole was that security had to be baked into everything that we did.

Then, it's also looking at that MTTD, recognizing that you're not necessarily going to prevent types of intrusions that can be damaging. The sooner you know about them, the more you can contain them and limit the damage. There's also the shift in perception more toward directness of being real about what the risks are.

Lastly, there's the shift in perception about moving from an adversarial position on what your weaknesses are to looking at that as the very fundamental step to remediation and getting to that level of containment. It all sounds very powerful.

Help me better understand how we get companies, for those who are listening, to shift perceptions about security.

South: That’s always a strong question that has to be put to your executive team. How do we shift the understanding and the culture of security? In our case, our executive team realized that one of the fundamental things that was important for security of our company as a whole was that security had to be baked into everything that we did.

So we've taken that shift. The message that I take out to my people, and certainly to the people who are listening to this podcast, is that when you want to improve that security culture, make security the core of everything that takes place in a company. So whether you're developing an application or working in HR, whether you're the receptionist, it doesn't matter. Security has to be the central principle around which everything is built.

Core principle

If you make security the adjunct to your operation, like many companies do, where security is buried several layers down in the IT department, then you don't have the capability of making it the fundamental and core principle of your company. Again, it doesn't matter who you are in a company, you have some aspect of security that is important to the company itself.

For us, the message that we're trying to get out to people is to wrap everything you do around the security core. This is really big, particularly in the application world. If you look at many other traditional ways that people do application development, they'll develop a certain amount of the code and then they'll say, "Okay, security, go check it."

And of course, security runs their static and dynamic code analysis and they come back with a long list of things that need to be fixed, and then that little adversarial relationship starts to develop.

Los: John, as you're talking about this, I think back. Everybody's been there in their career and made mistakes. I'll readily admit that this is exactly what I was doing about 12 or 13 years ago in my software security role.

I was a security analyst. The application would be ready to go live. I'd run a scan, do a little bit of testing and some analysis on it, and generate a massive PDF report. Now you either walk it over to somebody’s cube, drop it off, walk away, and tell them to go fix their stuff, or I email it, or virtually lob it over the wall.
It's always better to lead by example, and hold those who do a good job in higher esteem.

There was no relationship. It's like, "I can't believe you're making these mistakes over and over. Now go fix these things.” They'd give me that “I am so confused. I don’t know what you're talking about look." Does it ever get fixed? Of course, not.

South: And, Raf, the days of finishing a project on Thursday, turning it over to security, saying, "This is going live on Friday," are long gone. If you're still doing that, you're putting your company at risk.

Los: Agreed.

Gardner: Perhaps, Raf, for those of us who are in the social media space, where we're doing observations and we're being evangelists, that there is a necessary shift, too, on how we react to these security breaches in the media.

Rather than have a scoreboard about who screwed up, perhaps it's a better approach to say who took what problems they had and found a quick fix and limited the damage best. Is there a need for a perception shift in terms of how security issues in IT and in business in general are reported on and exposed?

Los: I absolutely believe that rather than a shamed look, it's always better to lead by example, and hold those who do a good job in higher esteem, because then people will want to aspire to be better. I fundamentally believe that human beings want to be better. It's just we don’t always have the right motivations. And if your motivation is, "I don’t want to be on that crap list," for lack of a better term, or "I don’t want to be on that worst list," then you'll do the bare minimum to not be on that worst list.

People will respond

If there's a list of top performing security companies or top performing companies that have the best security culture, whatever you want to call it, however you want to call that out, I firmly believe people will respond. By nature, people and companies are competitive.

What if we had an industry banquet and we invited everybody from all the heads of different industries and said, "Nominees for best security in an industry are, finance, health care, whatever?" It would be a show like that, or something.

It wouldn't have to be glitzy, but if we had some way of demonstrating to people that your customers in the world genuinely care about you doing a good job -- here are the people who really do a good job; let's hold them up at high esteem rather than shame the bad ones -- I think people will aspire to be better. This is always going to work going forward. The other way just hasn’t worked. I don’t see anything changing.

South: I think that's the right direction, Raf. We still have some effort to go in that direction. I know of one very, very large company, and one of their competitors had been breached just recently. So I called a contact I had in their security group and passed on the malware. I said you might want to check to see if this is in your organization.

He said, thanks and I called him up a couple of days later and I asked, "How did it go?" He said, "Upper management kind of panicked for a little bit, but I think everything settled down now." This was code for "they didn't do much."
The more these people see successful examples of how you can deal with security issues, the more it's going to drive that cultural change for them.

We have some progress still to make in that direction, but I think you're absolutely correct that the more these people see successful examples of how you can deal with security issues, the more it's going to drive that cultural change for them. Too often they see the reverse of that and they say, "Thank God that wasn’t us."

Gardner: We need to start to close out, but another interesting issue here is that you can't look at just technology without considering the culture, and you can't consider the culture without the issues around the technology.

What's changing on the technology side that either of you think will lead to perhaps an improvement on the culture? Is there something that comes together between what's new and interesting about the technologies that are being deployed to improve posture around security and that might aid and abet this movement toward openness and the ability to be direct, and therefore more effective in security challenges?

Los: We're looking at each other for a good answer to that, but one of the keys is the pace of change in technology. That technology, for a number years, in our personal lives, used to lead technology in the business world.

So a laptop or desktop you had at home was usually in the order of magnitude greater than what was sitting on your desktop at the office and your corporate phone would be an ancient clamshell, while you have your smartphone in your pocket for home use.

Fewer devices

What's starting to happen is people are getting annoyed with that, and they want to carry fewer devices. They want to be able to interact more and organizations want maximum productivity.

So those worlds are colliding, and technology adoption is starting to become the big key in organizations to figure out what the direction is going to be like, what is the technology trend going to be. Then, how do we adapt to it and then how do we apply technology as a measure of control to make that workable? So understand technology, understand direction, apply policy, use technology to enforce that policy.

South: And it's finding what elements of technology are relevant to what you're doing. You see a large push today on bring your own device (BYOD), and the technologies that are making almost a commodity of the ability to handle information inside your company.

The biggest challenge that we are facing today is being able to make relevant technology decisions, as well as to effectively apply that new technology to our organizations. It's very simple, for instance, put a product like an iPad onto your network and start using it, but is it effectively protected and have you thought about all of the risks and how to manage those risks by putting that device out there?

Technology is advancing, as it always does, at a very high clip, and business has to take a more measured response to that, but yet be able to effectively provide something for its employees, as well its costumers, to be able to take advantage of the new technologies in today's world.

That's what you're seeing a lot in our customer base and the payments space in mobile technologies, because that's the direction that a lot of the payment streams are going to go in the future, whether it be contact or contactless Europay, Mastercard, and Visa (EMV) cards or phones that have near field communication (NFC) on them. Whatever that direction might be, you need to be responsive enough to be able to be in that market.

As you said, it's technology that’s driving something of the business itself, as well as the business and the culture in the company being able to find ways to effectively use that technology.

Los: It's kind of funny, because just as every technology is innovative, it helps us, whether it's perform commerce faster, be safer, do something better. Every one of those comes with risk, whether it's NFC, web applications, mobile, card, whether it's whatever you name today. There are limitations in security types of issues with everything, and it comes down to what we're willing to deal with, what controls can we put around it to mitigate it, and what's the outcome at the end of the day.

South: Exactly. And if things go wrong.

Los: Then what?

South: How do we detect it, how do we resolve, how do we contain it, and how do we respond to it?

Los: Yup.

Gardner: Maybe even better than saying if things go wrong, have the attitude of when they go wrong.
There are limitations in security types of issues with everything, and it comes down to what we're willing to deal with.

Los: Absolutely.

South: That has to be your attitude today, because it's no longer a question of if I put the right trenches and walls in place, can I hold these guys off, because even if I didn’t have a connection to the Internet, people can still get to my information and take it away. It has to be an attitude of we'll work from the assumption of breach and build our defenses from there. So it goes back to Raf’s concept of MTTD, which of course assumes that you have detected it.

Los: Right, that it is an assumption.

South: And measure it from there, but that’s the only approach you can take, because if people take an approach that I can keep it away from me, we call those people targets.

Gardner: I'm afraid we will have to leave it there. Please me join me in thanking our co-host, Raf Los. He is the Chief Security Evangelist at HP Software. Thank you so much, Raf.

Los: It’s always a pleasure to be here.

Gardner: I'd like also like to thank our supporter for this series, HP Software and remind our audience to carry on the dialog with Raf on his own blog and through the Discover Performance Group on LinkedIn.

I'll also like to extend a huge thank you to our special guest, John South, Chief Security Officer at a Heartland Payment Systems. Thank you, sir.

South: Thank you, Dana. I appreciate it.

Gardner: And you can gain more insights and information on the best of IT Performance Management at http://www.hp.com/go/discoverperformance.

And you can also always access this and other episodes in our HP Discover Performance Podcast Series on iTunes under BriefingsDirect.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your co-host and moderator for this ongoing discussion of IT innovation and how it’s making an impact on people’s lives. Thanks again for listening, and come back next time.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: HP.

Transcript of a BriefingsDirect podcast on the need to recognize the inevitability of a security threat and devise ways to respond quickly and openly. Copyright Interarbor Solutions, LLC, 2005-2012. All rights reserved.

You may also be interested in:

Thursday, October 18, 2012

VMware-Powered Cloud Adoption Delivers Bevy of Data and Performance Benefits for Revlon, Says CIO David Giambruno

Transcript of a BriefingsDirect podcast from the VMworld 2012 Conference on how cosmetics giant Revlon has benefited from innovative cloud-based data delivery infrastructure.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: VMware.

Dana Gardner: Hello, and welcome to a special BriefingsDirect podcast series coming to you from the recent 2012 VMworld Conference in San Francisco.

In these conversations we explore the latest in cloud computing and software-defined datacenter infrastructure developments. I'm Dana Gardner, Principal Analyst at Interarbor Solutions and I'll be your host throughout this series of VMware sponsored BriefingsDirect discussions. [Disclosure: VMware is a sponsor of BriefingsDirect podcasts.]

It's been a year since the last VMworld Conference in 2011 when we first spoke to Revlon. We heard then about their world-class private cloud as an early adopter of innovative cloud delivery and we decided to go back and see how things have progressed at Revlon.

We'll learn now, a year on, how Revlon’s global and comprehensive cloud has matured, how the benefits from aggressively embracing the cloud have evolved, and perhaps learn about some unintended positive consequences of their data architecture.

To fill us in, we're joined by David Giambruno, Senior Vice President and CIO of Revlon. Welcome back, David.

David Giambruno: Morning, Dana.

Gardner: Now that you've been doing private cloud as an early adopter and at an advanced state, what it has been doing for you? How has it progressed now that there has been a bit of maturity?

Giambruno: We have a couple of fronts. The biggest, which you alluded to, was the unintended consequences, and we've had a couple of them. When you think of Revlon, we're global and we have a huge application portfolio. As we put everything on our cloud and are using our cloud, we realized that all of our data sits in one place now.

So when you think of big-data management, we've been able to solve the problem by classifying all the unstructured data in Revlon and we did that efficiently. We still joke that it's like chewing glass. You've got to go through this huge process.

But, we have the ability to look at all of our data, a couple of petabytes, in the same place. Because the cloud lets us look at it all, we can bring up all of Revlon in our disaster recovery (DR) test environments and have our developers work with it at no cost. We have disconnected that cost and effort.

Once we realized we had this opportunity to start working on our big data, the other unintended consequences was our master data model. On top of our big data, we were able to able to efficiently and effectively build a global master data model.

Chief directive

At Revlon, one of our chief directives from the executive team is to globalize. So we're collapsing 21 enterprise resource planning (ERP) systems into one. The synergies of having this big-data structure and having this master data model is changing how to deploy a global ERP. Loading that data is now just a few clicks of a button. It's highly automated. We're not ETLing data and facing all the old challenges. We're not copying environments. Everything is available to us and it’s constantly updating.

At Revlon, we replicate all of our cloud activity every 15 minutes. You've seen on VMware, where we had disasters and we were able to recover a country quickly and effectively. That replication process and constantly updating allows us to update all these instances at no cost and with little effort.

You have to build the structure and you have to go through that process, but once it's done, it's now automated and you march that out. It's the ability to quickly and effectively manage all your big data coming in. For us, it's point of sale -- roughly 600 million-plus attributes.

For us to provide information to the business teams, to build good products, to sell good products, is a key differentiator in helping them.

Gardner: Well, it seems that a key aspect of the modern enterprise, the integrated enterprise, is having that data and analysis, having a lifecycle approach from the point of sale, to inventory, to planning, and to supply chain. You say that’s an unintended consequence. Why did you do the data the way you did that’s now led to this best cloud architecture for you?
We live in the information age, and to me, the most important thing is delivering information to the business teams.

Giambruno: We started the cloud architecture, and I always joke it's like having a Ferrari that you can take out for a spin. When we were building it, we didn't realize all the things we can do.

So it's really that je ne sais quoi, the little thing that, as you see it, you realize all these things you can do. You are always planning to do those things for the business, because that’s what we do, but it's how you do them.

I've always said the cloud is what the local area network (LAN) was 15 or 20 years ago. The LAN changed the way people dealt with information and applications, and the cloud is doing the same thing. Actually, it's on a bigger geometry, because it really eliminates geography and provides the ability to move data and information around.

We live in the information age, and to me, the most important thing is delivering information to the business teams. That's what we see as one of the big next evolutions in our cloud -- making information out of all this data and delivering that on whatever device they want to be on, wherever they are, securely and effectively, in a context that they can understand. Not in a way that we can understand, but in a way that they can consume.

Gardner: Understanding a bit about how you did this chronologically, for those that are still in the process of getting there with private cloud, did you focus on the data issues first and then application and workloads? Did you do them simultaneously? Is there some lesson to learn about how you did it in an orderly sense that others could benefit from?

First things first

Giambruno: I live in this simple world of crawl, walk, run. Whenever I say that my team starts cringing, because they think, "Oh, there he goes again." But it was literally fix the infrastructure first and then, from an application and data perspective, the low-hanging fruit, the file servers.

It's this progressive capability of learning how to do things -- low risk to high risk. What you end up doing is figuring out how to effectively do those things, because not only do you manage the technology, but you have to manage the people and the process changes, and all those things that have to happen.

But all ships have to rise at the same time. So it's the ability to run these concurrent streams. From a management perspective, it's how not to get overwhelmed and how to take advantage of the technology, the automation, and the capabilities that come along with that to free up work that you used to do and put it towards making the change.

I'm a big believer in not doing big bang. So it's not like, tomorrow we're going to have a private cloud. Throw the switch. It's the small incremental changes that help organizations adapt. It's a little bit every day. You look back, and at the end of six months or a year, you realize how much we've done.

It's been the same in Revlon. I constantly take my team and sit them down and say, "Look what we've done. You're in the forest. You're in the trees. It's time to look at the forest. Step back and look what you guys have done." Because it's a little bit every day, and you don't realize the magnitude or the mass, when you have a team of people doing something every day and going forward.
From a management perspective, it's how not to get overwhelmed and how to take advantage of the technology.

Gardner: For those of our listeners who may not be that familiar with Revlon, at least your IT operations, give us a sense of the scale -- the number of applications, size of data, just so we better appreciate the task that you've accomplished.

Giambruno: I usually quantify it by our cloud, because those are the simple metrics and we seem to be pretty steady, so the metrics are holding. Our cloud makes about 14,000 transactions a second. Our applications move around Revlon 15,000 times a month with no human intervention. Our change rate of data is between 17 and 30 terabytes a week.

We have roughly, depending on the ups and downs, between 97 and 98 of our total compute on our internal cloud, we have some AS/400s and I think one UNIX box left. But that's really the scale of what we do.

All of our geographies are around the world. We sit in all the continents except for Antarctica. We have a global manufacturing facility in Oxford, North Carolina, that produces 72 percent of everything we sell in the world. We have some other factors around the world. And we are delivering north of six nines uptime.

Gardner: An unintended consequence was a benefit for how data can be accessed and consumed, but a lot of people are hoping for consequences around cost. Is there something going on now a year later vis-à-vis your total cost, or maybe even the cost of data? Maybe you have been able to reduce the footprint of data, even while you have accessed more and more quickly. What's the cost equation?

Cost avoidance and savings

Giambruno: There is a history there, as we talked about. We have given back north of $70 million in cost avoidance and cost savings, and we're continuously figuring out how to use everything. My team is highly technical, so I call it turning screws. We are always turning screws on how to more effectively manage everything.

We're always looking at how to not spend money. It's simple. The more money we don't spend, the more that R&D, marketing, and advertising have to grow our company. That's the key to us.

We leverage capability, so one of the big things this year also was our mobile business intelligence (BI) capability. We've disconnected most of the costs for things in Revlon around IT. We only manage at a top line.

But if someone wants to try a new application, generally by the time the business team gets in a meeting with us, it's no cost. We have servers set up. We have the environment. We have the access control set up for the vendor to come in and set everything up. So that's still ongoing.

We have got this huge mobile BI initiative, which is delivering information to business teams and contacts. That's the new thing where we have disconnected the cost. We're not laying out money for it, and we're just now executing around that.
While data keeps growing, we're still figuring out how to manage things better and better in the background.

For me, the cost equation is more and more around cost avoidance and keeping on extending the capability of that cloud.

Gardner: And it seems as if those costs are more of an operational ongoing nature, predictable, recurring, easy to budget, rather than those big-bang types of cost?

Giambruno: Very, very predictable. For the past three years, we have had the same line items. While data keeps growing, we're still figuring out how to manage things better and better in the background, because  the cloud generates lot of data, which we want it to do. Data, information, and how we use that is the competitive weapon.

This cost avoidance, or cost containment, while extending capability, is the little magical thing that happens, that we do for the business. We're very level in our spend, but we keep delivering more and more and more.

Gardner: Because we are here at VMworld in San Francisco, tell me a little bit about the VMware impact for the cloud. How do you view the VMware suite and portfolio vis-à-vis the impact it has had on your maturation and benefits?

Very advanced

Giambruno: We kind of joke with the VMware team that we have what's called Revlonomolies. Revlonomolies is what one of the guys on the helpdesk called it, because when we're calling, we're very advanced. I want to use technology as a competitive weapon. My team masters it. We own it intellectually.

For us, it's where VMware is going. We're always pushing VMware. "What have you got next? What have you got next?" It's up to us to take capability and extend it. I don't mean to be flip or narcissistic or anything like that, but we've got that piece under control. It's about how do you do it better.

Every time there's an upgrade, what features and functionalities can we then take advantage and translate that into a business use? When I say business use, we tell the business teams, "Here's a new capability. You can do this and keep changing the structure of operating."

The new version of vSphere 5.1 came out, and we're in the process of exposing our internal cloud to our vendors and suppliers. We're eliminating all these virtual private networks (VPNs). It's about how we change and how IT operates, changing the model. For me, that's a competitive advantage, and it's the opportunity to reduce structural cost and take people away from managing firewalls.

We did that. We got that. Now we're going to do this a different way. We're going to expose to our vendors securely the information that they need, that they can interact with as easily and effectively.
Changing the model is really the opportunity, making it easier for the auditors to audit and making it easier for your supply chain.

There's even the idea of taking a portion of our apps and presenting those to our suppliers on their iPads and their iPhones so they can update our data and our systems much more cleanly and effectively. We can get the synergies and effectiveness and have our partners like to work with us and make it easy on them as well. It's always a quid pro quo, "It's Revlon. They're good to deal with. Let’s help them."

It's how you create those partnerships and effectiveness to get business done better. It makes it easier on the business teams, contracts go better, and it's cascading. I call it the spiral up effect, changing the way you operate to spiral up and take advantage of capabilities.

Gardner: Is that something we could classify as another unintended consequence -- a benefit that you have been able to enjoy these efficiencies around cloud internally for your enterprise, but now you are taking it to an extended enterprise benefit?

Giambruno: Absolutely. Look at the security complexity around VPNs and managing that and the audits. That's so much fun. Changing the model is really the opportunity, making it easier for the auditors to audit and making it easier for your supply chain, for all of those people to interact with you in a much more effective manner.

It's about enabling procurement to process their information and work with the vendors, because everything is about change. It's about speed of change. If we get a demand signal that changes and we need to buy more raw materials or whatever for our factories, we have the ability for not only our procurement teams, but our vendors to interact with us easily to make those changes. It ensures that we can deliver the right products, to the right stores, to the right peoples, so at the end the consumers are happy. It's about how do you change the model of delivering that.

Technology enabler

VMware has done that for us, and we keep taking advantage of all the stuff. I joke that I'm like a technology enabler: "What have you got for me? What have you got for me?" So I can give it out to the business and my teams, because it keeps people interested. We can say, "We saw you guys, and it was hard for you. Now, you can do this." And it's done.

"What do you mean it's done?" "It's done. Just use it. It's okay. Let us know what you think, if you want us to change something." But it's always being on the front of the bow, saying, "Here's what we can do. Here's how we can help."

That’s the culture of IT in Revlon. I'm merciless about how we're just here to help. We run the technology and own the technology intellectually, so we can help. That’s my only concern.
VMware has done that for us, and we keep taking advantage of all the stuff.

Gardner: Given that we started our conversation about data and the benefits that the cloud architecture has brought to you, is there anything about the VMware approach? They've been focused on virtualization in their history, moving towards fabric approaches to development and deployment in the cloud model. How about data?

Is there something that you'd like to see now that you're going down that path in the nature of the relationship between a cloud and data services, anything that you would like to see change or shift?

Giambruno: My team thinks that there needs to be a cellular approach to applications. What I mean by that is we have had what we call dribs out there. In the press lately, everybody has been talking about POD data centers. In 2009, we were written up in one of the magazines for our Mini Me data centers, essentially our little PODs, and that’s our cloud capacity that we manage around the world.

But when you think about an application architecture, let's take an ERP instance. We want to take a vertical slice of our warehouse management and push that out from a central location into our warehouses. Right now, that’s really hard. You end up with multiple instances or a single global instance, and then you have to deal with network latency and all those fun things.

Internal cloud

But in the future, in my internal cloud, I should be able to take a vertical instance of functionality and push that. To me, that's next. If the vendors can figure out how to do that and have my internal cloud manage those transactions back, but push the pieces of functionality wherever it needs to be, so it sits in those Mini Me data centers and let it be close to people, so I don’t have to deal with latency and then manage those transactions back, that's the next big evolution.

The one other one is mobile computing. What I mean by mobile computing is viewing applications, so data never leaves my data center.

I know a device. I know the person. When they hit the edge of my network, essentially hit my data center, we know their device. We know who they are, and they only get access to information they are supposed to have and they only view it.

I could encrypt my entire data center, and at a hypervisor level, encrypt everything, because if you encrypt the VBK file, the job is done. The compliance and security impact is huge. No more data leakage, audits become easier, all of those things.
We need to slice applications up, move them out, and then view the applications.

Again, it's a completely different way to operate and think about things, but we need to slice applications up, move them out, and then view the applications. That’s a whole new geometry of operating IT in a much more efficient manner.

Gardner: I'm afraid we'll have to leave it there. We've been talking about Revlon’s global and comprehensive cloud and how it has matured, and about the benefits, both intended and unintended, from aggressively embracing the cloud model.

I'd like to thank our guest. We've been here with David Giambruno, Senior Vice President and CIO at Revlon. Thanks so much, David.

Giambruno: Have a nice day.

Gardner: And thanks to our audience for joining this special podcast coming to you from the 2012 VMworld Conference in San Francisco.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host throughout this series of podcast discussions. Thank again for listening, and come back next time.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: VMware.

Transcript of a BriefingsDirect podcast from the VMworld 2012 Conference on how cosmetics giant Revlon has benefited from innovative cloud-based data delivery infrastructure. Copyright Interarbor Solutions, LLC, 2005-2012. All rights reserved.

You may also be interested in: