SERVAAS VERBIEST (SV): Welcome to IT Availability Now, the show that tells stories of business resilience from people who keep the digital world available.
I'm your host, Servaas Verbiest, and today I'm joined by Shannon Davis, the Global Director of Partner Readiness at Alert Logic and we're discussing how security skill gaps can take a toll on hybrid cloud integration and transformation.
Thanks for coming today, Shannon.
SHANNON DAVIS (SD): Servaas, thanks for having me. I'm looking forward to the conversation.
(SV): Fantastic, fantastic. So, there's a lot of things that are driving the need to transform today. When you look at the current landscape and you see a combination of the war in Ukraine and manufacturing shutdowns in China that are impacting guaranteed inventory and causing radical price increases on what is available, a lot of people are looking to the cloud, right? So that they can navigate through semiconductor chip shortages, and like I said before, impacts of the COVID-19 outbreaks and other regions that are impacting manufacturing.
And it's a great idea if you have the right people in place. The problem is a lot of businesses don’t. So as these issues persist, and businesses start to shift their focus to integrating cloud technology and becoming more hybrid, potentially fully in the cloud, what are they really opening themselves up to that would make this a risky move from a security standpoint?
(SD): Servaas, great way to set the stage to talk about this because there's so many reasons that companies are evaluating the cloud and security is typically not one of the first things they're thinking of when they're making that move. And when you move to the cloud, it's tough to think about the mindset of cloud security because it's not like a traditional data centre mindset. Some clouds are set up almost like a platform as a service and if you're not thinking about network security and things that you traditionally would, you're setting yourself up for failure.
When you look at public cloud adoption, the speed of provisioning is great. You can set up a cloud so much more quickly than a traditional data centre. But inevitably, that's going to lead to complexity sprawl, and when you have that, organisations are having a hard time keeping up with the complexity of managing the cloud, and then that leads to excessive risk. And most successful cyber attacks in the public cloud are specifically due to customer misconfiguration, or mistakes and mismanagement vulnerabilities that could be prevented - something as simple as keeping your operating systems and security patches up to date, not some sort of an underlying failure of the cloud provider's sort of protection responsibilities.
So I think for a lot of companies, it's understanding a) how are we going to manage the cloud and if it's a new skill set, how are we going to get the personnel and the expertise to do that? And b) how are we going to make security part of the foundation of our cloud approach rather than an afterthought or a bolt-on item? And it comes down to personnel. It's just how are you going to augment your staff and have an extension of your staff to help focus on that if you don't have it in house?
(SV): And I like what you said there because a lot of these cloud platforms maintain a quote-unquote “shared responsibility model” that outlines the responsibilities that both parties have in the cloud, but also, what it really does is divest risks, right? It says I'm going to keep everything available within the data centre, but if you jeopardise your organisation because of an issue with the configuration, it's not my fault.
(SV): When you look at that and you take that into consideration, and now you're starting to integrate these, quote-unquote “shared responsibility models” into an area where you have full responsibility, what types of issues do you see beyond the ones that you've covered with that integration?
(SD): I'll tell you, I talk with so many companies that have misconceptions about what's their responsibility when it comes to security in the cloud. They assume because they’re going with one of the big three hyperscale public clouds that there's some sort of security that's inherently included, and there's really not.
So, number one, it's dispelling any sort of misinformation around that and helping people understand you're responsible for your own security when it comes to the cloud and asking them, you know, are you looking for threats? And if so, how? Are you monitoring traffic? Are you doing intrusion detection? Are you collecting and analysing logs? And are you doing all of these things? And there's assumptions out there that those were included because we're in this hyperscale cloud when in reality, they're not. So, starting with a basic understanding of what it means to be secure in the cloud and who's responsible for what I think is a good step one.
And then identifying what staff do you have that are dedicated to security? Because if you don't have a security staff and you're expecting people to multitask, you're probably setting yourself up for some sort of failure when it comes to security in the cloud. It's a full-time job in and of itself. So, a lot of folks take an experienced member of the IT team who's used to traditional data centre type of infrastructure management, and tell them, “hey, by the way, you're in charge of our security as well.” When you're looking at security in the cloud, the cloud isn't set up like a data centre. If you look at Azure, it's more of a platform as a service model. And you have to think of that completely differently. If you look at AWS, maybe there's some more similarities there, but still, so much more to think about, and if you don't have the expertise, if you don't have the staff that has that level of training, you're setting yourself up for failure.
And it's not as simple as “let's just go out and hire people.” If you look at one of the top concerns that most companies are facing, it's that these people don't exist. There's a 0% unemployment rate in cybersecurity right now. And the Bureau of Labour Statistics predicts the demand to grow by 38% over the next two years. So, what do you do if you can't go hire these people? And that's the real question that a lot of companies are facing today.
(SV): And you know what's interesting about that, too? A lot of people assume that cybersecurity is a science, right? But the reality of the situation, at least in my opinion, and I think you'll agree with me, is it's kind of an art form because there's a lot of ways to tackle the problems that you've identified. And one of the interesting challenges along with staffing, at least in my mind, is the toolsets that they're going to use across these platforms, and how they're really going to tie everything together, right? And then once you establish that, if you invest the time and energy and learning of all these different toolsets and all these different configurations, maintaining the staff that configured them. Because I’d imagine if you set up a hodgepodge of stuff that happens to accomplish what you're looking to from a security perspective, if that person leaves or there's an alteration to that team, you know that tribal knowledge is gone. You're going to start not from square one, probably like square negative one, right?
(SD): Absolutely. I talk with so many folks that get hired, they come into a company and they're replacing somebody that left or got a promotion or, you know, there's some sort of a change to that team, and it's technical debt. They've inherited the tools that were purchased by their predecessor, and they have to figure out a) how did they cobble them together and b) how do I make this work? And when you look at people that are going to the cloud and, you know, unable to buy additional servers for their data centre due to the shortages or maybe they went to a work from home model so they're getting out of the data centre completely, how do you ensure that you have a consistent security posture across your traditional on-prem and data centre and your cloud footprint and how do you manage both of those with limited staffing and resources while you're trying to learn new tools?
I talk with a lot of folks that say “yeah, we bought this tool, but now we're not getting the value that we need out of the tool because we don't have the staff.” And that's another thought. You want to go purchase these tools to check the boxes to meet a security or compliance concern that you have. You're not thinking about the human element. Who's going to manage that tool? Who's going to update that tool? Because you may have a tool that's scanning for malicious traffic but if you don't have it up to date with the latest threat information, you're not scanning for the latest and greatest. So, it takes a human being to do that and a lot of companies just don't think that far ahead. That's where partnering with a security company that's going to keep everything state of the art and up to date is really beneficial for a lot of companies that just don't have the ability to find that staff.
(SV): That makes sense. And honestly in a resource-constrained marketplace, knowing that a lot of organisations want to tie their internal investments to things that are going to really differentiate themselves in the spaces that they reside in and really provide a better customer experience to capture more market share, security is an important thing but when you're starting to look at where those dollars have to be distributed, taking advantage of the organisation that has the expertise, technology, and experience to ensure that you're up to date and not potentially creating a risk by embracing all this new technology is probably very crucial, right? And you probably can recognise a lot of those benefits, as I mentioned before, a lot faster than if you went at it on your own.
(SD): Oh, absolutely. I think that security is something that everybody's concerned about. There's so much going on in the world. Cybercrime last year: there were more new CVEs than ever before in history, and this year is only going to get worse. And people really need to make it a priority. If security is not one of the key focuses that you have as a board of directors or as a senior leadership team for your organisation, it should be, and making sure that you are set up for success by having the right staff in place and a lot of times the best source to do that is to outsource. Go with a provider that has that staff, that has the expertise, that has thousands of customers so that they are keeping you on the cutting edge and you're outpacing your competition.
(SV): The term outsource, you know, I think that that's a way of looking at it. I usually see it more as augmentation, right? Because the reality of the situation is a managed service provider, whether it's a cloud platform or in your organisation's case, from a security perspective, they're going to be able to specialise in certain areas of business. What we're also going to do is augment the existing capabilities that they have and ensure that they have a framework that allows them to keep running as things change in the marketplace and inside their business. And specifically, with you guys, you do a fantastic job of not only providing that information, but augmenting their existing personnel’s capabilities so if they expand into new marketplaces or they have to take on new product releases or deploy infrastructure and fund new places, they don't have to start from square one or square negative one. They're already probably at square five at that point.
(SD): That's a great call out. At Alert Logic, we really view ourselves as an extension of the team of our partners and our customers. And I talk with so many people that have a different perspective of what they should be focusing on with security. And when you look at left of boom or right of boom or pre-breach and post-breach, you have companies that are worried about everything pre-breach. Let's build the biggest wall so that we don't have to worry about getting breached. And that's an old-school data centre type of mentality. In this day and age, yes, you should focus on that, but you also need to focus on what happens when I am breached. And that's why at Alert Logic we're so focused on the pre and post and being able to quickly identify if there's anomalous behaviour or a breach does happen so that you can be notified to begin remediation.
Our goal is to minimise that average time to detect so that when the bad guys get in, they don't have time to do anything before you kick them back out again. And not only that. Companies aren't thinking about things like disaster recovery, or data recovery in the event that they were hit with something like ransomware or extorted in a ransomware attack. So really taking a step back and working with an expert or picking up the phone and calling Sungard and saying “what should I be looking at?” And having that security conversation and looking at it holistically, end to end. Companies aren't doing that today. They're down in the weeds and they're focusing on individual aspects, and they don't have that holistic view. So, we're really trying to guide people to think about that. And it's more affordable than hiring one or two employees to go with a provider like Alert Logic and Sungard to help you manage the sprawl of security.
(SV): That's a very good point and you know, it's about full-body posture and procedure that connects with tools and having the right expertise to put that into action, right? Because plans and tools that sit and do nothing are worth nothing. Right?
(SV): Shannon, I really appreciate you taking the time to join us today, and as always, you provided a lot of great insight.
(SD): Thank you so much, Servaas. It was my pleasure, and I can't wait until the next time.
(SV): Looking forward to it. That was Shannon Davis, the Global Director of Partner Readiness at Alert Logic.
You can find the show notes for this episode at SungardAS.com/ITAvailabilityNow.
Please subscribe to the show on your podcast platform of choice to get new episodes as soon as they become available.
IT Availability Now is a production of Sungard Availability Services.
I’m your host, Servaas Verbiest, and until next time, stay available.