Info Security PG: Why is the classic security solution model failing and should enterprises rethink their security strategies from scratch again?
Mike Hrabik: Security is too often viewed as the application of the latest doodad that the industry produces. Gartner tracks these things through something called a hype cycle. So we see a recurring theme: someone thinks up a new tool that can protect people from "X," the industry gets behind it and pushes it as the latest, greatest must-have, organizations buy the item and attempt to implement it, and all too often we hear nine months later that it's a failure - it didn't deliver on its promises.
The single most important thing that an organization can do that will affect their actual security is to have a strong security program and plan. Sounds simple but it isn't. It requires having the right leader, the ability to understand the business, and communicate with other business executives as a peer. If those things are in place, then having a plan that is risk based, accounts for threats likely to occur, and vulnerabilities that exist sets the organization up for a mindset that focuses on results, not the particular way in which they are achieved.
Really successful CSOs are viewed by their organization as enabling the business to achieve higher revenues and lower costs. They are a trusted partner in the business. Selecting solutions or providers that will map to your needs and organization (not the other way around) and that will adapt to your changes over time is where long-term benefits can be realized.
Info Security PG: How should cloud providers leverage security and compliance as a value add?
Mike Hrabik: Anytime a new "paradigm" is adopted, the initial reaction is that it's completely new and therefore requires completely new tools and processes. But then, after things start settling, it's learned that, yes, small specializations here and there need to be made, but nothing can stand as an island in the long term. It all has to integrate back into an overall picture.
Cloud technologies and providers are no exception. The same techniques that have worked in enterprise and virtual computing environments can be applied to the cloud as well.
The big difference, as I see it, is the scope of adoption that I expect many organizations will engage in. Whereas in the past SaaS or hosting vendors tended to provide fairly narrow services, many organizations will at some point in the future move a substantial portion, perhaps most, of their computing into the cloud.
At that point, integration and cohesion become key. Cloud providers that provide auditing and security mechanisms that can plug into an overall security and compliance platform will win.