Rackspace CSO on security: It’s time to go back to the fundamentals

Brian Kelly, CSO at Rackspace

Although less sexy, it is time to get back to the fundamentals. And it is this call to action that forms the basis of my 2016 predictions.

Simplify and streamline security: Based on the recognition that complexity is the enemy of security, legitimate efforts to simplify will be made that will impact consumers and developers:

  • This does not mean reducing the number of controls in an environment; in fact it’s quite the opposite. It means we bake the controls into the products and solutions we engineer from their inception and make them transparent to our end users. We will also see activation of security as a default setting. Products and solutions will no longer require users to “turn on security”; it will be a part of the consumers’ inherent “bill of rights” of using a product or solution.
  • We need to simplify and drive down the cost of compliance and auditing. Connective tissue between business enabling policies, standards and technology must allow customers and their partners to trust in our tech/services and provide “on demand” audit readiness.

The savvy consumer: Personal technology will continue to outpace enterprise technology – Consumers will achieve greater adoption and better leverage of leading and established processes to enable technology.

  • Consumer technology has become increasingly sophisticated and has outpaced enterprise technology. It is not constrained by legacy systems and technical debt. Consumers too are becoming more sophisticated and challenging the way we integrate new technologies (and secure them) into the business environment.
  • This should be encouraging businesses to consider resilient, adaptable reference architecture and service models, so they can satisfy consumer demands, and keep up with personal technology.

From data to decisions – There will be a greater focus on providing security visibility & control. Data analytics will become increasingly significant.

  • Companies sit on a virtual goldmine of information they can use to make decisions and operate more efficiently. The problem is that they do not have the sophistication or tools to transform data into useful information on which they can make decisions. But technology and capability are catching up and we will see a trend of using this information to regain control and provide better visibility into our most critical systems.
  • This in turn will drive ‘Analytics as a Service’, as businesses look to use data to handle timely business decisions and real time rewards for their customers.

Security moves up the stack – Security teams will continue to move up the stack to take a more business-centric approach. Mapping users to applications and business functions and providing controls at this level become more important. Move to zero trust environments and no standing permissions.

  • Having no knowledge of the application and business functionality is no longer an excuse. Hackers are getting smarter… we must know the applications and business better than they do so we can better protect them.

New technology requires new methods of protection – We will begin to see the deprecation of concepts that are no longer viable. Need a fresh look. Can no longer hold on to the old ways of doing things.

  • As disruptive technology becomes commonplace, we must constantly ask ourselves how we secure it. Hopefully security is baked into its design and engineering, but we all know that human nature, market demands and internal pressures often prevent this kind of necessary rigor. New methods of protection should be applied to embed security into the DNA – the very fabric – of the solutions and products we bring to market.

The rise of active defense – We will no longer blindly accept nor tolerate an adversary’s actions. More aggressive enforcement. Commercial organizations will begin to fight back. Timely and practical information sharing will help to drive up the adversary’s costs.

Security will be an accelerator, not an inhibitor of cloud adoption – Cloud adoption will accelerate, driven in part by security becoming an enabler.

From vendor to partner – Due to the shortage of security resources, organizations will become dependent on third party resources for the execution of their security programs. Relationships will transition from traditional vendor to partner and there will be greater collaboration around business risk.

The death of the data center – “Friends don’t let friends build data centers.” Cloud will be the new norm and more companies will migrate from ‘cloud on the periphery’ to ‘cloud powering mission critical applications and systems.’ Companies will grow weary of sustaining heavy infrastructure budgets that are hard to manage and change. Data centers will evolve into virtual ecosystems of cloud service providers.
