Organizational culture needs to change so that security and DevOps can exist in tandem: Bill McGee, Trend Micro

Bill McGee, Senior Vice President of Hybrid Cloud Security, Trend Micro speaks on security in hybrid cloud adoption, the related challenges and benefits at Trend Micro's CloudSec India 2017 event in Mumbai.

Excerpts from the interview:

Do you think people have become more comfortable with the idea of migrating to cloud and do you think it is hybrid cloud that we have to thank?

Different markets are at a different phase of their lifecycle. Markets where public cloud has been in place for many years such as ddddbthe United States and Australia, we’ve seen very aggressive adoption of cloud and of hybrid cloud environments. I live in Canada, which is a more conservative market. Canadian public cloud datacenters have just recently occurred. So Canada is maybe more in the life cycle that India is in where the datacenters have just been in the country for a relatively short period of time. There’s not as much expertise yet in terms of knowing how to use the cloud successfully. Some call them secondary cloud markets. But I am fully confident that they will achieve a very similar level of success than we’ve seen in some of the more mature markets. It’s time and expertise. And it’s because of the speed that it allows organizations to move. So that speed has a market impact. As somebody sees a competitor move fast and they feel a need to respond, and if cloud has been one of the enablers to that speed then people will adopt it quickly as well. So we expect to see more aggressive use of hybrid cloud in markets like India in the very near future.

In terms of cloud security, what is so difficult for organizations to figure out?

Cloud adoption often started to be called in terms of ‘shadow IT’ or ‘bypass IT’. So cloud adoption often occurred outside of the mainstream IT and mainstream IT security groups. So in a sense IT and IT security are still playing catch up to the original adoption of cloud. Even if they have been given responsibility for it now. And we have started to see that change. 2 years ago even in the US often it was – we were working with those ‘shadow IT’ projects. Now the responsibility is more moving into IT and IT security. So they’re bringing the traditional mindset. I think the remaining roadblock that you are still getting is the developer pipeline is moving at a much faster pace than it did historically where application introduction used to occur maybe in months if not in one year cycle. Now it’s much faster. So the security teams need to determine how we can interact with these much faster paced development and operations lifecycles in order to move security adoption earlier in the lifecycle. If we wait until those applications show up in production before we apply any security insight, it’s too late. And that’s very different for organizations and I think there’s still organizational culture that needs to change so that security and dev-ops work much more closely than historically.

What are the top three challenges that you see companies facing in terms of security when it comes to hybrid cloud adoption?

I mean the first one is a very basic challenge which is people. So the security group and organizations is typically under-staffed and very busy. And some markets have a relatively high turnover rate. Therefore they are always bringing new people and training them. And therefore we as vendors can help our customers by making our technology easier for new user to become an expert relatively quickly. If it takes weeks and months to become an expert, that is actually a long time from a customer perspective. So the first feedback we get from our customers is I’m so busy, you have to help me save time. If you can’t help me save time, I have a hard time taking on additional security functionality because my bandwidth is already very, very constrained. So that’s a big issue. Then I think the second is perhaps a lack of understanding that there are tools that can protect in a hybrid way from a single product. So some organizations assume they need a completely different set of tools for the cloud than they had on premise. And while we definitely recommend that customers need to look at their existing tools and decide whether they are going to work for them in the cloud, because some definitely will not, there are products from Trend Micro that work well across that hybrid environment. So again the customer can use different reasons for deciding whether a workload makes sense on premise or cloud. We hope they don’t have to use security as the reason. They may use compliance as I said earlier, and may use performance and cost as criteria. I hope with security we can help them do as good a job protecting on premise and cloud. So lack of personnel, education around tool set and breaking down barriers between security groups just like development and operations used to be very separate. Now the dev-ops culture has really brought those two groups to essentially working as one. Security is now the last piece of that puzzle and also has to be brought together. So I think those are probably the top trends that we see within our customers.

In your opinion how much of a concern is cost  when it comes to investments in cloud and security?

Organizations have decided the only way that they will save money by using the cloud is when their application is highly variable in terms of the amount of computing it needs. So for highly variable applications the cloud is going to save them money because they may only need two servers on a Monday and then 10 servers on a Tuesday and then two servers again on Wednesday. But another reason why the cloud can save costs is the cost of experimentation is low. If you design a new application and it fails, the cost of shutting down the cloud is zero. You’re paying as you go, so you just stop paying and your costs stop. How that affects us as a vendor and other vendors of the customer is our products have to take on the same cloud characteristics that the cloud has. Customers want to consume security in a consumption based way.

A second recent development, again more of interest currently in North America but we expect it to occur globally, is the ability to procure software through the cloud marketplaces themselves, so that the end customer has one bill for the computing infrastructure and their tools on top of the computing infrastructure. That innovative visibility has huge cost savings. Because they are giving each application team visibility of their actual costs. In traditional on premise environments, it is extremely difficult for organizations to allocate costs correctly to each group and give them visibility. So while direct cost savings may not always be the initial motivator, the benefits of only paying when your application is getting used is a significant benefit. This is a primary reason why we see new applications is many organizations are taking a policy of any new development that occurs on the ground. Sure with existing applications, do we need to migrate them? Maybe not. Maybe they are better served in our traditional on-premise environment. But with new application development, because the outcome of that new application is still uncertain, thus, the cloud is a great place for experimentation.

That’s very interesting. So they are actually looking at security and flexibility and cost savings all at the same time.

That’s where they really expect all the additional services that they need to have the same characteristics because they have started to find that those characteristics have significant value for them. The scalability, consumption based pricing, the integrated visibility of billing, all these characteristics are very valuable.

According to you, what should organizations’ CSOs and CIOs keep in mind about security when they are deploying hybrid cloud? 

When I look at these issues, I’m not sure that they were so easy to solve in the on-premise environment that they are currently on. One of the changes that needs to occur is the customer mindset has to change from a largely hardware based mentality from the traditional datacenter to a software-based mentality in the cloud. If a customer is uncomfortable with that way of thinking, they are going to have a challenge being comfortable with adoption of cloud and cloud security. But all the market forces we see are turning hardware mechanisms into software. Look at networking; it is turning from primarily a hardware based world to a software based world. Security is just the next domino to fall, so to say. And then it’s making sure you understand where your responsibilities lie and where the cloud provider's responsibilities lie. All the cloud vendors are very good, both spelling out what their responsibilities are and where they start and stop, and as long as customers are educated about that, then I think they can be quite successful.  

Absolutely. And you mentioned in the beginning how much of a challenge is collaborating with other partners or vendors of the ecosystem. That is actually something that is extremely important and CSOs actually talk about this. They see it as a major challenge because one vendor doesn’t talk to another. So that is again a big challenge and they don’t really see a solution to the problem themselves. But from the other side, how do you really see this fault?

A big challenge for organizations in markets is where the cloud is newer. Let’s say again in Canada and in India, there’s not the pervasive expertise yet. This is where system integration partners and cloud consulting partners are so valuable because they can bring their ears of expertise to the table to help end organizations figure those things out while they are still learning it. What we see today in some of these newer markets is the partner community is very vital. Because it takes years of experience within the organization itself to understand what works well and what doesn’t in the cloud. And so we are seeing those partners are becoming very important for our business and very important for the end customer to be successful.

That’s great. So what are some of the security trends that you see in the next 3 years?

Yeah, we see a couple of things. One is that traditionally security has dealt well with what we call known good and known bad or black and white. So white is known good, that’s your known software. Your know the communication pattern. Black is malicious. But there’s a world of grey in between. Giving customers the technology they need to be able to deal with grey, which may literally be targeted at them only. That’s where sand box technologies, machine learning, and AI technologies show a lot of promise for those types of capabilities. Further, we see advancements in security analytics help customers find the proverbial needle in the haystack in their environment is also an important area. We as vendors, and Trend Micro takes this very seriously the need for us to open up our products so customers can also supplement our threat knowledge with their own threat knowledge because if they are experiencing targeted attacks they may have information unique to them that we don’t have. Our products need to be able to help them. That’s a scenario where we have more work to do to help our customers use our products in that way to help them deal with attacks specifically targeted at them. 

ファッションコーディネート