The chief security strategist of cyber security firm Blue Coat Systems, which looks to enable enterprises to securely choose the best way to work in an ever-evolving threat environment, speaks about the company’s mission and the explosion of BYOD cloud services. He talks to Ben Sullivan.
What is Blue Coat’s mission and where is it at today?
We’ve been on this journey for about a year and a half, when we repurposed the company and made a string of acquisitions. We work on the philosophy that there’s a bunch of great stuff on the internet and we want to be the company that unlocks the power of those applications on the internet that firms use.
I think enabling is security’s mission – enabling, rather than preventing.
How is the enterprise dealing with the explosion of BYOD cloud services?
It’s amazing. I think most large companies are under the illusion they have a choice whether to move to cloud or not for certain services, but what’s happened is that there are so many really innovative consumer or quasi-consumer companies that are terrific, employees are moving to cloud whether their bosses want them to or not. I think about how I collaborated with my wife on something like our wedding guest list, and there are great products out there like Dropbox or Box that make it so easy, why wouldn’t you use them?
And employees come to their companies and look for that same great technology experience that is at home. It’s more efficient for me to collaborate with colleagues. People are just going to do it. They’re not going to ask anybody if they can use cloud products.
We’re at a time where usability and convenience trump IT infrastructure.
It’s the most productive people in the enterprise who are going to this software first. So it’s not even a random procession of people. It’s the people who want to get stuff done; they want to be able to deliver.
Security is entering this time where the way we’re going to be measured, not just Blue Coat but any security company, is in how we can tell customers not the 10 things we stopped from happening, but the 10 things we enabled you to do. We can let you do what you do with confidence. Security is getting an elevated position inside the business because we’re about what we can do rather than what we can’t do.
How is it even possible to lock down all of these different cloud services that employees are bringing into the workplace?
I don’t think you can lock it down. ‘How do we lock this thing down?’ is the first question people would ask. But now, what I think would happen is that you would go to the CIO or the CEO, whoever is driving the business, and you would say ‘let’s have a conversation about how we can lock this place down’, and he’s going to get rid of you as quickly as possible. They’ll never want to talk to you again.
But if you went and said ‘people trust us, we need to figure out how to add security without stifling the growth of the company’, it would be a different matter. But I don’t think it’s possible to lock down the platforms.
So it gives you a very broad perspective on things you will encounter.
When it comes to IT security, is it a matter of educating employees to be safer users?
I think my personal viewpoint has changed a lot on that over the past five years. If you’re a professor, like I am, you fundamentally think that education can change people. In security, the problem is the way we’ve educated people about security is very prescriptive.
‘Don’t click on this, don’t click on that, if you see an attachment that looks like this don’t open it.’ The problem is if that method becomes widely accepted, within 24 hours attackers will adapt so that they never do X again; in fact, they’ll send you an email saying ‘don’t do X! Do Y!’ I don’t think that it’s possible to bring people up to the level where they’re making good security choices. If we require people to do that then we’ve failed as a security industry.
Having to know what a firewall even is is a shortcoming of the security industry. But a set of technologies in the background should help you make good choices.
What needs to change immediately for users to become safer?
Password resetting. Twenty years ago the best way to do password reset was to ask you biographical questions. Pet names, third grade teachers etc., because who would know that stuff? Your family, of course, but they could do way worse things to you!
But that was a good idea 10-15 years ago, and it has persisted as the de facto standard of how to do password reset.
People are more known to strangers at distance than they ever have been. Social networks can be used to find out where you have lunch. There were things that were public record but not searchable – grandfather’s occupation, maiden name, all on Ancestry.com.
People talk about password breaches – yeah, okay, that’s bad, but you can go in and change your password. If someone knew this biog data about you, you could not only get into that site but into any site you ever cared about. Password reset has persisted longer than it should have. It’s the ghost of Christmas past coming to visit us.
Blue Coat is a US-headquartered firm with over 1500 employees in 32 countries, and has a customer base that extends to more than 80 million users.