CSO Insights: Ricoh USA’s David Levine on Employing a Cloud- and Cybersecurity-First Strategy

David Levine, Vice President of Corporate and Information Security and CSO for Ricoh USA, Inc., shares his thoughts on reinforcing a security mindset in the organization and how a cloud-first strategy helps enable their operations in the "new normal"

With abrupt transitions taking place in different organizations, leaders in C-suite positions have had to rethink the sufficiency of their security and technical structures. In their pursuit to protect their customers and strengthen their teams’ remote productivity and availability, C-Suites look into available technologies such as cloud services adoption.

As the pandemic continues to force organizations to shift to the work-from-home (WFH) setup, more businesses are coming to terms with the fact that changes in continuity, security, and mobility hereon are needed. More importantly, regardless of their businesses’ scale, these adjustments pose new challenges and opportunities for decision-makers.

David Levine, Vice President of Corporate and Information Security and Ricoh USA, Inc.’s chief security officer (CSO), has seen his fair share of changes in the industry, including shifts in online security and cybercriminal activities and a need for a broader understanding of governance as a distributed function. With his 25 years of experience with the company, along with his experience in both the IT and security industries, Levine is no stranger to roles that involve engineering and project management, running security, infrastructure, network center, operations, litigation support, and management, access management, physical security, eDiscovery/litigation support, and others.

In a similar vein, Ricoh USA, Inc. has evolved to become the leading provider of document management solutions, IT services, commercial and industrial printing, and industrial systems. In recent years, the company has reinforced this direction by adopting a cloud-first methodology and accommodating an “as-a-service” cloud environment. Levine currently runs the global virtual security team and coordinates with team members from Japan, Asia Pacific (APAC), Europe, Middle East and Africa (EMEA), and the Americas. He shares with Trend Micro how their organization accommodates mobility by reinforcing a security-first mindset, employing a cloud-first strategy, managing risk, and enabling employees.

Changing misconceptions on security

If you pull the security team in at the ninth hour, we’re already in a bad position. We’ve pushed hard to get people to understand that the earlier you engage us, the more helpful we’re going to be. Instead of being a stumbling block at the last minute, we’ll be an enabler at the first.

Currently, working remotely is somewhat easier now that security is considered a critical element to success. In the past, however, security teams were seen only as back-office function support; too often, they were also perceived as “road blocks” who, at the last minute, pointed out issues that needed to be addressed before solutions could be deployed.

For Ricoh, improving security has involved many changes, including changing misconceptions, transforming perspectives, asking questions that are both difficult and beyond-operations, continuing education, and practicing self-reliance for security compliance. As a result, the role of security has also become more visible and involved.

By encouraging conversations while still in the project planning or development stage, not to mention pushing for a DevSecOps culture, Levine’s team helped to change this mindset toward security, particularly the misconceptions about security being an obstacle to deploying solutions. Levine contends, “If you pull the security team in at the ninth hour, we’re already in a bad position. We’ve pushed hard to get people to understand that the earlier you engage us, the more helpful we’re going to be. Instead of being a stumbling block at the last minute, we’ll be an enabler at the first.”

The strategy of involving security from the beginning, however, depended not just on the security team alone, but also on changing the mindset of Levine’s peers in IT and the business. While the business focused on addressing customers’ requirements and ease of use, security added to the conversation by having the business and developers think about how that same functionality could be manipulated by a malicious actor. As a result of this change, everyone contributes to ensuring security by adjusting their view and thinking about details and controls that they might not have initially considered, thereby reducing risk and potentially preventing issues before they happen.

eSecurity continues to be paramount for the company, especially since working remotely has become part of the “new normal.” In order to secure their operations under these circumstances, Ricoh immediately began with assessing what changes needed to be made – either temporarily or permanently – to ensure that the business is enabled and customer privacy is maintained. Levine adds that having the right security technologies and tools (including the Trend Micro suite), advanced endpoint functionalities, and other solutions that reside on laptops helped to smoothen the transition and gave the company the confidence that they had good protection and visibility.

Levine says that user education also plays a big role in the new work environment. Users need to be reminded, for example, that using the home network is not the same as sitting in the office, and family members are not privy to work assets: “At the end of the day, the hardest piece of the whole security puzzle is people. People are unpredictable, and they will continue to be one of the biggest challenges. In that regard, we emphasize education and impress upon people that they are as much in the security equation as my team. It does matter what they do every day; they need to keep security in mind in all that they do and not view security as just one team’s responsibility. At the end of the day, it’s everybody’s responsibility.”

A cloud-first strategy and enabling mobility

Done right and with the proper security, the cloud offers great benefits but like everything else, it has to be implemented and maintained correctly.

Levine says the company has been adopting a cloud-first mentality for quite some time and has been moving forward with significant digital transformation efforts, both of which clearly helped enable a smooth transition to an equally significant remote workforce. Additionally, while he notes that trends in the industry tend to be cyclical, he doesn’t see a return to the data center anytime in the foreseeable future.

The flexibility, availability, easy procurement, and expandability of the cloud affords ease and helps enable mobility: “We’ll definitely continue to see the leveraging of hosted, cloud, and SaaS environments because there are a lot of inherent advantages to doing that. Why try to run your own data center these days?” Levine also noted that cost savings are not often one of the advantages, but given the other tangible benefits, cost shouldn’t hinder movement toward that direction, either.

“As we continue to mature our cloud strategy and cloud security program, we will enable cloud adopters within Ricoh’s teams a level of autonomy for execution, management, privacy, and security,” Levine remarks. “It’s always a balancing act between educating users, making sure that they have the tools and understanding, as well as working directly with them. Done right and with the proper security, the cloud offers great benefits but like everything else, it has to be implemented and maintained correctly.”

Third Party-Risk and the Cloud

In addition to securing your own cloud/SaaS solutions, organizations also have to keep a close eye on the solutions that they use. Cloud security is a shared responsibility model. Some of the controls and governance are the responsibility of the hosting provider, while some belong to solution provider. Levine states, “I am amazed by how often, in 2020, I still see companies that put a solution into one of big hosting providers’ environments and simply assume that just because the provider has the full alphabet soup of security and governance certification, that means they are secure. Unfortunately, that is only half of the equation: An organization must still secure the solution that sits in that environment!”

To that end, it is key for an organization to have a good process to evaluate the security of the solutions they use, both internally and externally via partners.

The path forward

Levine and his team recently had a third party conduct a maturity review of their cloud environments with the intent of identifying potential gaps with processes and solutions. The results of the engagement will drive better security and reduce risk overall. One of the outputs, which ties into employee education and self-service, was a security checklist to be used by teams both proactively (when starting cloud projects) as well as reactively (to document the current maturity of existing solutions). 

When looking at solutions, Levine notes that “We are going to place an emphasis on existing partners, like Trend Micro, who has leading cloud tools that we have established relationships with and know the interfaces of. I would much rather expand an existing portfolio than add a new solution — unless that really is the best option.” Inasmuch as an organization can leverage and aggregate solutions, therefore, data and alerts will simplify its environment and increase effectiveness.

Key Takeaways:

  • Shift the perception. Involve security teams early on and often in order to create partnerships and move away from being a roadblock.
  • Enable resources. Whether an organization is educating teams on how to look at functionality from the viewpoint of an adversary or providing tools and processes that enable them to be self-supported, the end result will be stronger security and better relationships.
  • Coordinate with third parties. Even today, there are plenty of cases where companies mistakenly trust or believe that the hosting provider alone has their security covered. However, organizations should make sure that their third-party management program asks the right questions relative to cloud/hosted solutions so that they can make informed risk-based decisions.
  • Rely on partnerships. When needing new solutions/tools for the cloud, leverage existing partnerships as much as possible to drive efficiencies and integrations.

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.