CSO - Our coverage of the annual Global Information Security Survey conducted by CSO and CIO magazines in partnership with PwC has sparked some interesting discussions about what it takes to be a security leader. Specifically, the discussion is about how organizations can move from being a security laggard to something better. As part of those discussions, we spoke with Andy Ellis, chief security officer at Akamai Technologies. Ellis is responsible for overseeing the security architecture and compliance of the company's globally distributed network and sets the strategic direction of its security.
CSO: What attributes must an enterprise leader in risk management have?Ellis: This is a hard thing to measure. I think the important thing is that the organization actually understands the risks that apply to them, and that they are making intelligent decisions based on that risk profile. These are the organizations that are actually out front, leading the way, defining new risk models for themselves and selecting technologies and solutions that are appropriate for their business. It's about paving the way, not following somebody else's cookie cutter.
Companies seem to be spending a lot on security products, but not as much on strategic efforts. Do you think it's indicative of their already having effective strategies in place? Or, are they focusing just on the technology?In a down economy, you probably aren't spending time revamping your strategy. Hopefully, you're executing. That would be my guess as to what a lot of these organizations are doing. I think what you could be seeing is organizations saying "Look, I'm not going to try and rebuild my business continuity plan this year. It's not like we actually added a thousand people. I can run with the existing plan. It's much more important. Let's go execute on the strategy that we didn't finish from last year." I think industry often spends more time thinking about strategy and less time executing. That's what we're seeing in the survey results: "Hey, let's protect our jobs by going and executing on what people can see." Many times enterprises can see a strategic change in security, and if management can't see it, it may not have much perceived value.
A lot of companies seem to be skimping on disaster recovery and business continuity planning. Do you think there's a reason for this beyond it not being a priority, or organizations believing bad things won't happen to them?You have to look at it individually. For many businesses, that's a risk they have to take. I recall, after 9/11, there was an investment company that was praised for their business continuity plan. It was one of the investment companies that had been in the World Trade Center, and everybody was holding them up as this example of great business continuity planning. They had a good plan in place and they kept their business running after the attack. Three years later, the company was out of business. The reason was -- at the end of the day -- they didn't actually have a business continuity plan that dealt with how to keep the business successful after losing so many skilled knowledge workers. The point is that there are some events that are not worth planning for. And some companies, because of where they are at in their development cycle or whatever, can't afford to put a disaster recovery plan in place.
- Network Monitoring and Troubleshooting for Dummies The Network Monitoring and Troubleshooting for Dummies Book introduces you to common network performance management (NPM) issues and give you a new way...
- Forrester's Ideal Tool Set For Application Performance Management For Better Business Performance Read the report to learn the key findings of Forrester's recent benchmark data on the current state of application availability and performance within...
- The Application Deluge and Visibility Imperative Learn how an integrated approach ensures performance of your network and applications by leveraging network performance management and WAN optimization solutions.
- 10 Steps to Application and Network Performance Nirvana 10 simple steps that network operations teams can take to ensure that applications and underlying infrastructure can both be tuned for maximum performance.
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users? All LAN/WAN White Papers | Webcasts