Building a Security Culture at Broadcom Software

At Broadcom, our innovations are the building blocks of technologies that shape our lives today and that is why we see security as the responsibility of every individual at our company. It is critical to our business, and it is crucial to the success of our customers worldwide. A study from IDG Communications, Inc. found that over 70% of CIOs expect their involvement with data privacy and compliance to increase over the next year, which is no surprise given the ever-increasing complexity of the security landscape.

This is not hyperbole. The threat landscape continues to expand and become more sophisticated. It continues “shifting left” – focusing as much on the software developer as on the customer or end user. As a result, we, too, find ourselves in the crosshairs of cyberattacks along with our customers and partners.

That’s why developing a security-first culture is both a major goal for our company and the responsibility of every individual at every level and every division of our enterprise.

The First Broadcom Security Conference

A big step forward towards creating a security-first culture across all Broadcom took place recently with our first internal, company-wide security conference. The gathering brought together engineering leaders from every Broadcom Software business unit, privacy and security experts within Broadcom, as well as outside security experts and industry analysts including: Google Cloud, Synopsys, Palo Alto Networks, IDC and Jfrog . The goal was to create an opportunity to share where we are now in our security planning and policies, and to look ahead to our strategies and innovations. Some key presenters included:

• Alan Davidson, CIO, Broadcom
• Clayton Donley, Vice President and General Manager, Identity Management Security Division
• Ilias Chantzos, Chief Privacy Officer, Broadcom

Held in late September at our corporate headquarters in San Jose, California, the conference offered the opportunity for a deep dive into how security is built into every product development cycle, product, and company system across all Broadcom Software.

Here are some key takeaways from the security conference:

• Education is Key to a Security-First Culture
  One of the weakest links in any enterprise security plan is people. It is what keeps me awake at night when I reflect upon our security posture, but education is key to a security-first culture and something we believe in strongly at Broadcom. We educate on key security principles and even some of the most basic ones that may be obvious - for example, don’t share your passwords – but it also means relentlessly putting the effectiveness of your security plans and programs to the test. The common response that “this is the way we’ve always done it,” is not how we approach security. That is why we are continually educating our engineers on the latest threat landscape and ensuring these are built into everything we create.
   
• Easy and Simple Doesn’t Equal Secure
  A good example of this relentless testing is how Broadcom is constantly making modifications to its multi-factor authentication (MFA) and passwordless ID access. From an identity perspective, we are investing in and modifying these technologies towards the goal of making them easier to use while maintaining their effectiveness.
   
• Collaboration is Key
  We know that we have some of the best and brightest people in the industry at Broadcom. Creating ways we can improve our collaboration around security will only make us stronger and our products better for our customers. We are relentlessly customer-centric—helping our customers build and grow their businesses drives everything we do. The Security Conference is the first step in driving collaboration across our company for the benefit of our customers
   
• STAR and the Supply Chain
  It is an end-to-end supply chain that we feel is our responsibility to protect, control, and monitor at every step. A key organization directing our Broadcom Software protection technologies is our Security Threat and Response (STAR) team, as part of Symantec Enterprise. One of the principal responsibilities of our STAR team is to protect the supply chain. That protection is backstopped by our industry’s most extensive collection of threat data sources, including product telemetry collected from the more than 72 million endpoints running on our software, and over 100 intelligence feeds.
   
• Standing Up for Security
  Like our customers, every business quarter, we stand up before our Board of Directors and say that Broadcom is secure. Over the past several years, I can state with assurance that each time, I was able to confirm that we are.

We are building a security-first culture at Broadcom - into every product innovation, every employee, and every system we plan and develop. It’s a program that needs to be a priority every single waking moment. And it begins with this investment in our people to create that culture.