Discover security session: You never had control

By Brian McDonough, Discover Performance Managing Editor

At HP Discover Las Vegas on Tuesday afternoon, Rafal Los, HP Software's chief security evangelist, talked about the challenges of security in a cloud-based or hybrid world, as part of the “Master the Cloud” track at the show.

The problem he posed: In the mobile/social media/big data world that cloud technology underpins, there's a lot going on, and it's all happening really fast. Businesses need to adapt to rapid change, and few are succeeding. The IT department, he said, is often part of the problem. “We're known as the Department of No,” which puts a brake on change in a world where, say, global financial markets can utterly change overnight.

“Slow change is death to today's organization,” he said. “If your business can't adapt, you're done.”

CISOs can be a major impediment to business agility because they're concerned with protecting the enterprise, which Los said has turned into a focus on “control.” And with the advent of hybrid IT delivery, security leaders tend to freak out because they can't control the cloud. Which raises one question, Los said: “Did you ever have control to begin with?”

From control to governance

Credit card provisioning of outside services, use of free online services like Gmail or Dropbox, the consumerization of IT: that false sense of control has been steadily undermined for some time. Rather than fight to regain a repressive level of control that was largely illusory anyway, Los suggested changing the security model in a fundamental way.

“Control is not scalable,” Los pointed out. IT security is no longer a matter of having a tech guy manually patch 50 servers over the course of a week. “We have to get out of this 'we're gonna touch everything' mindset and get into a governance mode.”

CISOs need to be able to trust that automation (well designed and thoroughly vetted) will enforce security policies according to predetermined risk tolerances. Security should be evolving from a mess of disparate architectures, each with its own management and security approach, to a common architecture with converged management and security solutions. Flexibility and portability (“Develop once, run anywhere.”) will be key.

IT leaders, he said, have to accept that risk is not a binary choice of “secure” or “not secure.” It's more like, “as secure as we can make it right now,” “as secure as we are willing to pay for,” “as secure as the criticality of this data/app/environment needs.”

It seemed to me that Los was laying out a philosophy for security in what Mark Potts had earlier in the day been calling the next generation of IT. Los's approach would change how CIOs and CISOs deal with partners, vendors, developers and end users. Los can be found online on his blog, “Follow the White Rabbit,” and on Twitter at @Wh1t3Rabbit. How does his call to replace “control” with “governance” sound to you, and is it a shift you could make in your enterprise?