Photo of Kevin McKenna, Brocade collecting on behalf of Neha Chhawchharia and Joy Macknight.

Information security, including intellectual property (IP) protection, is a key concern for businesses. The information security solution that Brocade’s treasury team implemented is innovative, both in the way it addresses and solves the issue. The solution not only helped Brocade’s executive team gain better visibility and control over its most sensitive information, it transformed Information security from just an IT led function, to a company-wide initiative with business units and employees managing information. This solution transforms treasury’s role beyond traditional risk management into a leadership role responsible for managing critical strategic risks across the whole organisation.

Information security had become a top concern for senior executives and Board members at Brocade. As Neha Chhawchharia, Global Risk Manager explains, “before Brocade executives could make certain that Brocade’s most critical information/data is secure, it was necessary to understand what our most critical and sensitive information was and how this information was being managed. As we did not have this visibility, the enterprise risk management (ERM) team per the request of the CEO set out to tackle three objectives: to identify, classify and map the life cycle of Brocade’s most critical/sensitive information (eg how it is created, used, disseminated, stored and destroyed); to review how this information is managed today and provide recommendations on how to close any security gaps; and to implement the recommendations provided.”

The treasury-led working team comprising representatives from legal, IT, internal audit/compliance and ERM departments conducted detailed interviews across the organisation, meeting with each vice president, their direct staff and the various information owners to gather and understand the answers to five fundamental questions:

1. What sensitive data do we hold and who are their owners?
2. Where does our sensitive data reside, both internally and with third parties (eg software-as-a-service (SaaS) providers, contact manufacturers, suppliers and customers)?
3. How is the data moving (eg created, used, distributed, archived and replicated)?
4. Who needs/has access to this information?
5. What are the current security and procedural controls around this information?

The team gathered 250 pieces of company sensitive information through the interviews. This list was then filtered down to 80 pieces of company critical information based on the framework. Examples of company critical information include strategic business plans, product roadmaps, employee personal data, non-public material financial information. The team also analysed the information to identify any security gaps and provided solutions to close the gaps. The analysis and solution were then presented to the CFO and the executive staff for review. The recommendations of the analysis focused on creating a resilient information security culture by developing correct employee behaviour, discipline and processes. The point was to move information security management away from IT into the hands of business units and employees through employee education and day-to-day involvement in protecting company critical information. The recommendations were made in the following areas:

• Communication from top.
• Restrictions on distribution of sensitive information.
• Access control around critical data.
• SaaS and cloud services vendor evaluation and audit processes.

The benefits of ‘Critical Information Identification and Protection’ project steered by Brocade’s treasury team are as follows:

• Greater control, management and security over Brocade’s most critical and sensitive information.
• Greater visibility and oversight to Brocade’s executive management team and Board members over Brocade’s most sensitive information and its management and protection.
• Information classification helps in providing (IT department) better understanding and identification of the sensitivity of information leaving the company in case of a breach.
• Complete mapping and understanding of Brocade’s most critical information and its life cycle – how it is created, used, disseminated, stored and destroyed.

Chhawchharia explains, “while the implementation of the recommendations is still under way, the project has already made us aware of our key vulnerabilities and strengths. As a result, management has better visibility over our critical information risks.”