Huge security data leaks have been hitting government organisations and businesses in the U.S., such as the OPM hack that saw the records of 21.5 million people breached, but Kelly isn’t surprised.
"It doesn’t surprise me. Security people have a very simple model, we used to say prevent, detect, respond, govern and educate – you’ll never hear me use the word prevent.
"Anyone who uses that word (prevent) really doesn’t understand this business. You can’t prevent this stuff, the best we can do is deter."
Kelly explains that while layers of defence can make an attacker’s job as difficult as possible and so act as a deterrent, an organisation also has to be world class in its ability to detect, contain and respond.
To get to this point, Kelly encourages investment: "Are they effective in their ability to detect and contain? If not, and many aren’t, then you need to invest disproportionately till you get to a point where you’re as good as you can get."
While this may be easier for larger organisations to do, many have fundamentally failed to adapt to the threat.
"You’ve still got a lot of organisations that are very much signature-based and they haven’t really made the step to recognise that signature-based is largely ineffective – it’s minimum.
"I think what’s happening is that organisations have made an investment but with technology that’s still for yesterday’s problems."
Part of the problem that governments and businesses face is a fragmented structure, which leads to security gaps and budget restrictions.
"There’s this gap in the middle, the small and medium businesses are in a really tough spot. They don’t have the resources to build a SOC, to invest in research or even attract, hire and retain the high-end security people.
"They’re in a hard spot, so then what do they do? They either buy what’s on the shelf today, one IDS, one web app firewall, one encryption and they patch these things together but they’re not very effective."
The other approach is to get a managed service provider, but Kelly explains that even that can be difficult for many organisations.
"Even a baseline MSP that will do monitoring will still be looking for $2-$3 million a year – that’s a lot of resource.
"They’re never going to be able to do the enterprise stuff, they can probably do a little like put in their own security controls, but this may not be effective and they can’t afford to do monitoring so there is a real gap out there."
Given the sophistication of today’s threats, simply patching together various technologies will not deter a determined adversary. An organisation that cannot commit the resources to build, staff and manage its own SOC, and cannot afford a third-party managed service provider either, finds itself in a very dangerous position.
Considering cloud technology, Kelly is on an "aggressive path to say we’ve got to rethink security in the cloud industry."
While he believes that enterprises are quite knowledgeable about the security tools available to them, he says: "They are still thinking of yesterday’s security, it’s probably a challenge for the whole industry as cloud has moved so quickly.
"Rather than think of future controls in the cloud, we grab yesterday’s solutions."
While he feels that many are aware of this problem, a change in approach is required.
Using a car analogy, he compared security to buying a car: you don’t ask whether you need brakes or a steering wheel, you simply expect them to be there. "In security we’re still having to ask for brakes and for a steering wheel."
This leads into the issue of security complexity. As Kelly puts it: "Complexity is the enemy of security."
"I look in the racks, the top four or five appliances in the racks are security. Imagine a large cloud provider with thousands of racks, lots of appliances. How many people does it take to manage all those appliances?
"Immediately I say this is unsustainable."
Kelly wants to drive the industry to redefine one trusted computing base, and says: "I look forward to the day when we start ripping these appliances out of the racks."