Western Union Finds IT Security Success by Managing Risk

Western Union's chief information security officer, in an effort to transform the internal security at his company, packages security to be more consumable.

LAS VEGAS—Western Union has been in business since 1851, moving messages and money across the United States and around the world. Over its long history, Western Union has faced its share of security threats, and the modern IT security threat landscape is one of them.

Speaking at the Interop conference here, Mike Kalac, the chief information security officer (CISO) of Western Union, detailed how he helped transform the internal security at his company to deal with the modern era of information security threats.

Kalac explained to the audience that in 2012, the information security group within Western Union was viewed as being an obstacle, rather than an enabler, for the business. For example, the IT security group at the time was blocking access to both Facebook and YouTube, on the fear that those sites were insecure and represented a security risk.

When Kalac's group finally did open up and provide limited access to Facebook and YouTube, he admitted that the change wasn't communicated properly to the organization. So even after access was made available, the IT security group within Western Union was still despised.

Fundamentally for Kalac, security success depends on effective communications.

"When people don't understand why a security policy is in place, they go the path of least resistance," Kalac said. "So if the users don't understand why they should be using a VPN when they connect in from a Starbucks, they won't use the VPN. They will just use the open connection."

The challenge that has emerged in recent years is the simple fact that consumer technology has in some respects become better than enterprise technology. A decade ago, according to Kalac, employees were able to get better Internet access and computers at work than at home.

"Now you leave home, and you leave all the cool tech at home," Kalac said. "The office is also blocking you from visiting sites and [is] adding all kinds of widgets to monitor and log what you do."

If IT security is to be successful, IT needs to understand what users really want to do. Within Western Union, there is an exception policy tool that allows employees to request access to online tools and services. The company's marketing group was increasingly asking for access to cloud file-sharing service Dropbox because the group needed an easy way to move files, Kalac said. To meet that need, Western Union signed up for a commercially supported cloud file-sharing service.

As the CISO, Kalac said his job is really all about managing risk. "As CISO, I learned I had to accept some risk to get more security," he said. If he didn't accept the risk that comes with enabling employees to move their files with a Dropbox-type service, then Western Union employees would have taken the path of least resistance and the files would still move.

"So I get a controlled risk that I can control and monitor, while the person on other side can do their job," Kalac said.


A core piece that Kalac is using to help transform the IT security group at Western Union over the last two years is the Western Union Information Security Enablement (WISE) program.

Kalac realized that simply bombarding employees with security messages is not entirely effective. What is needed is to effectively package up messaging, which is what WISE is all about.

"The mission of WISE is to provide protection for Western Union data and systems, to reduce costs and simplify your world through wise solutions that enable the business," he said.

What's key about the WISE effort is that it is a programmatic approach that has the Western Union brand wrapped around it. The initiative involves the key stakeholders within the organization, and end-user impact of any change is always identified, according to Kalac.

"We all love technology, but take a step back to get out of the techie mode and see what your organization is trying to do and what behaviors are going on," Kalac said. "Take some controlled risk and then engage people in a different way. People want to be engaged, and they want to know why."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.