Discover security session: You never had control


By Brian McDonough, Discover Performance Managing Editor


At HP Discover Las Vegas on Tuesday afternoon, Rafal Los, HP Software's chief security evangelist, talked about the challenges of security in a cloud-based or hybrid world, as part of the “Master the Cloud” track at the show.


The problem he posed: In the mobile/social media/big data world that cloud technology underpins, there's a lot going on, and it's all happening really fast. Businesses need to adapt to rapid change, and few are succeeding. The IT department, he said, is often part of the problem. “We're known as the Department of No,” which puts a brake on change in a world where, say, global financial markets can utterly change overnight.


“Slow change is death to today's organization,” he said. “If your business can't adapt, you're done.”


CISOs can be a major impediment to business agility because they're concerned with protecting the enterprise, which Los said has become a focus on “control.” And with the advent of hybrid IT delivery, security leaders tend to freak out because they can't control the cloud. Which raises one question, Los said: “Did you ever have control to begin with?”


From control to governance

Credit card provisioning, use of free online services like Gmail or Dropbox, the consumerization of IT—that false sense of control has been steadily undermined for some time. Rather than fight to regain a repressive level of control that was largely illusory anyway, Los suggested changing the security model in a fundamental way.


“Control is not scalable,” Los pointed out. IT security is no longer a matter of having a tech guy manually patch 50 servers over the course of a week. “We have to get out of this 'we're gonna touch everything' mindset and get into a governance mode.”


CISOs need to be able to trust that (well-designed, thoroughly vetted) automation will implement security policies in response to predetermined risk tolerances. Security should be evolving from a mess of disparate architectures with different management and security approaches to a common architecture with converged management and security solutions. Flexibility and portability (“Develop once, run anywhere.”) will be key.


IT leaders, he said, have to accept that risk is not a binary choice of “secure” or “not secure.” It's more like, “as secure as we can make it right now,” “as secure as we are willing to pay for,” “as secure as the criticality of this data/app/environment needs.”


It seemed to me that Los was laying out a philosophy for security in what Mark Potts had earlier in the day been calling the next generation of IT. Los' approach would change how CIOs and CISOs deal with partners, vendors, developers and end users. Los can be found online on his blog, “Follow the White Rabbit,” and on Twitter at @Wh1t3Rabbit. How does his call to replace “control” with “governance” sound to you—and is it a shift you could make in your enterprise?


