If you consider how the Internet of Things is transforming the technology industry, one of the most interesting and thought-provoking areas to pay attention to is what we might consider technology “majors” – firms like HP and IBM and Cisco that made their mark (and their hundreds of billions) serving the needs of an earlier generation of technology consumers.
How these established technology firms are pivoting to address the myriad challenges posed by the “Internet of Things” tells us a lot about how the IoT market is likely to shake out for consumers and – more pressingly- the enterprise.
And one of the most interesting companies to look at in that esteemed group has to be Dell Inc. The Texas-based company was the brainchild of Michael Dell, who surfed the PC Tsunami of the 1990s to make his company, Dell Computer Corp., the largest and most profitable maker of personal computers in the world – revolutionizing a “direct to consumer” sales model for PCs in the process.
But Dell Inc.’s concentration in the PC market became a perceived liability as the technology market shifted to smaller, portable devices like mobile phones and tablets – products that Dell has had trouble selling with the same aplomb as personal computers.
After struggling through the last decade, Dell was taken private in an October, 2013 leveraged buyout led by Michael Dell himself. At $24.9 billion, it was one of the largest in technology industry history and the biggest in the post- Great Recession era.
Now a private firm back under the firm control of its charismatic CEO, Dell has the ability to maneuver much more deftly than it did as a public firm, answerable to Wall Street analysts for each quarter’s profits. One of the avenues the company is pursuing, with gusto, is the development of a wide range of security-related products and services that will serve increasingly complex IT environments.
John McClurg, Dell’s Chief Security Office for the company’s Global Security Organization, is a key player in that strategy – and he is uniquely well-suited to it. Prior to joining Dell as its CSO in 2011, McClurg was the Vice President of Global Security at Honeywell International. He also worked at Lucent Technologies/Bell Laboratories and in the Federal Bureau of Investigation (FBI), where he held an assignment with the US Department of Energy (DOE) as a Branch Chief charged with establishing a Cyber-Counterintelligence program within the DOE’s newly created Office of Counterintelligence.
At Dell, McClurg is responsible for setting both the strategic focus of Dell’s internal physical and cyber security. He is also the point person for insuring Dell’s business resilience and security, integrating Dell’s wide-ranging security offerings internally and developing new security initiatives to protect the firm.
The Security Ledger sat down with McClurg in November to talk about the challenges posed to companies like Dell by the Internet of Things, and how Dell is positioning itself, increasingly, as a major player in the security space: providing products and services to help companies manage their own security needs.
Security Ledger: Your background is really interesting. Before Dell, your experience was really steeped in physical security, both at the FBI and then working for companies like Lucent and Honeywell. Talk to us about how you came to take the position at Dell.
John McClurg: Michael reached out to me. He was pursuing this vision of transforming Dell into an end-to-end, scalable solutions company. Michael really had an epiphany, which is that there were these security inequities that were not being addressed. His epiphany was that we had to bring this to a new level. We needed a new model. So Michael asked me to come along with him as he transformed the company.
Security Ledger: Let’s talk about some of that new model. Dell has acquired a number of security firms in the last five years.
John McClurg: There are a lot. Gartner just announced that Dell is in the Magic Quadrant for the second year in a row for unified threat management. That comes from our (2012) acquisition of SonicWALL.
Security Ledger: You guys purchased SecureWorks…
John McClurg: Yes, we acquired SecureWorks in 2011 and we’re in the Magic Quadrant for Managed Security Services. We acquired Aventail, a next generation firewall. We purchased KACE for patch management (in 2010) and (encryption vendor) Credant (in 2012), which is now Dell Data Protection | Encryption. Because we own all these solutions and can engage the engineers who created them…we’ve found that we can make these solutions, which are classically silo’d work as a total protection package.
Security Ledger: What has changed the most, in your eyes, about the threat landscape from when you started in the security field?
John McClurg: You know, as I look at the threat environment that’s churning right now, one of the aspects that strikes me is the degree to which employees are engaging in social media. Just the level of details that hackers can harvest from social media and the way that they leverage that specificity in spear phishing attacks to send something back at us. FOr example, we’ve got a guy saying ‘Well, he must know me. Look at the specificity of it.’ So we’re really knocking up against the outer edges of what makes us human. You can harvest information on family members and use that in a spear phishing attack that is launched at an employee. And we know that something like 90% of attacks start with spear phishing. I also note the number of critical vulnerabilities that we’re having to contend with. Many of these are in technologies that we’ve relied on for some time, like Heartbleed.
It’s old news now, but I keep coming back to Tom Friedman’s (2005) book The World is Flat. That book forced us to take a more holistic look at the business landscape – how technology removes barriers. But the bad guys are moving to exploit those gaps. That’s one of the driving forces behind our end-to-end security strategy. The bad guys know to look for weak links in those relationships as a place to attack. If they know that we’re too strong in one area, they’ll look for a weak link.
Security Ledger: So what’s the proper response to that?
John McClurg: The first thing is to demand a culture of security within organizations. You have to supply employees with the right training and tools.The reality is most breaches are related to human error. Second, we need to think of security first. Security has mostly been an afterthought. You’ve had single solutions that deal with a narrow range of problems rather than integrated solutions that allow users to focus more on their business. Third: you need to turn security into a business enabler rather than business barrier. In our most recent Dell Global Technology Adoption Index, security was the number one barrier to leveraging new technologies like mobility, cloud and Big Data. The longer security is the distasteful cost of doing business, the more (security) won’t happen.I think most companies are dog weary of playing the reactive (security) game. They’re looking to get into the proactive space and making security about business assurance rather than putting out fires.
Security Ledger: Let’s talk about the implications of Internet of Things, which is a subject that we write about a lot at Security Ledger. Dell would seem to be in an interesting position as both a security and information services firm and a maker of “stuff,” including consumer goods, as well.
John McClurg: I really see the Internet of Things as another manifestation of the phenomenon Friedman recognized, which is that you had this rigidity of boundaries that technology is really breaking down. With the Internet of Things, there’s a real ferocity to that. I think Dell is in a great position to take advantage of IoT. From our perspective: we’re interested in taking a connected-converged approach. But we need to pay special attention to the elements we can control, particularly the data that comes in to and is shared among interconnected devices. When we bought Credant for their encryption capabilities it was to make sure Dell’s data protection capability extended out to when the data was created. That’s a way to close the distance between them and us.
Security Ledger: What’s on your radar and Dell’s as you look ahead over the next few years in the security space?
John McClurg: I think we really need to focus on the insider threat. I’m definitely pushing Michael to purse that. And even in advance of that, Michael has positioned us well in that area with StatSoft (acquired in March, 2014) in the Big Data space. Their technology allows us to combine and overlay Big Data capabilities with rich data stores. This is the kind of data that has lived in silos and never allowed us to see indicators of possible risk. We’ve had HR (human resources) and security systems deployed, along with other systems, but the reality is that insider threats often manifest in the physical world. These days you might have postings on social media that are indications that a particular employee is inclined a certain way, but we haven’t had the analytic tools to give us the heads up we needed to prevent an unfortunate event.
At Dell we’ve implemented a system that does this and that has the prowess and viability of a solution. We’re continuing to mature it. There are a number of possible risk indicators – as we know from decades of failure. At this point, what precludes our success is having to wring more indicators of propensity out of the data and refine that. It’s like the movie (and book) The Minority Report, where you had a pre-crimes division.
Of course, we want to make sure that this is mature in the ethical sense. As we acquire capabilities, we need to use care as we engage these tools. I have training in philosophy, so I appreciate that we don’t punish folks for what they think in western societies. As we think about these capabilities we need to be careful that we’re not punishing a ‘propensity.’ Ideally, you would identify it and take corrective actions, but even then you have to be careful. When a propensity exists, that label can be damaging. So all these conversations move us clearly into the realm of proactive and predictive security. It’s one thing for government to be wrestling with these things, and another to thoughtfully consider this as a private firm and employer. Dell appreciates this and we’re prepared to roll our sleeves up.
Security Ledger: Thank you, John McClurg, for taking the time to speak with The Security Ledger!
John McClurg: Thank you!