Accuvant CSO Offers Channel Advice On NSA Impact

The lengthy list of revelations about the National Security Agency's surveillance activities pose difficult challenges to cloud adoption and technology deployments, but it also establishes some new opportunities for the channel, according to a security industry veteran who is helping executives build out their security programs.

The fallout from the NSA revelations on U.S. cloud service providers and technology vendors will be regional, said Jason Clark, who was named by Accuvant as its new chief security and strategy officer in December following a three-year stint at security vendor Websense. Clark, a former chief information security officer at The New York Times and Emerson Electric, told CRN that he is seeing renewed interest in behavioral analytics, network monitoring and data security measures as organizations try to protect sensitive intellectual property from malicious insiders.

Clark said he will help the company establish stronger relationships with C-level executives. He said he plans to work with executives at organizations who are revamping their security strategies. He will work alongside Accuvant's risk assessment and architecture recommendation teams. In an interview with CRN, Clark shares his philosophy when it comes to the channel and explains how the potential fallout from the NSA revelations could impact cloud services and data protection.

[Related: NSA Back Door Exploits Present Hurdles, Opportunities For U.S. Companies Selling Overseas ]

CRN: There has been a broad discussion about the security of data in the cloud following the barrage of National Security Agency surveillance activity leaks. What is your view on data security and trust in U.S. cloud providers?
Jason Clark: I think the fallout is more international. Everybody that I know who sells cloud services, specifically in Europe right now, are getting bombarded with questions about security. People are doing a lot of extra due diligence on the security of cloud infrastructures. Some of this is healthy. For a long time, cloud providers have never been under this much scrutiny from a privacy or security standpoint. It isn't necessarily hindering cloud providers from winning deals because very few of them have the robust controls that are required. But it is certainly deterring the adoption of cloud in specific regions.

From my perspective, the question over government access to data has been more of a discussion in the media rather than a chief concern among the multinational organizations that I have dealt with. When I'm talking to executives at organizations that is not what they are really worried about. There's concern regionally where the culture around data privacy and security is heightened such as in Europe or Brazil.

CRN: Is there a discussion on data security and system monitoring to detect insider threats in the wake of the NSA revelations?
Clark: If you ask me, the No. 1 gap that exists today is the insider threat. There is the least amount of capability, technology and investment in addressing insider threats. I think it is becoming a much bigger issue at organizations. In the past, it typically took a security incident brought on by an insider to get the organization thinking about solutions to address it. I see some very large organizations hiring one person to start developing an insider threat program. Fast-forward five years from now: Every organization that has intellectual property to protect might have five or more people on the security team designed to address it. To me, the two biggest domains around this are behavioral analysis and data analytics. It's not about big data; it's about rich data. Big data is too much storage and I don't think people need to spend that kind of money. Forward-thinking organizations will focus on establishing rich data rather than big data, and analyzing the behavior of their users rather than preventing them from doing something.

CRN: What is your philosophy when it comes to engaging solution providers in the channel? What has your relationship been like in the past with resellers and consultants?
Clark: They've got to bring me value. They need to have strong relationships with the products that [they] are trying to sell. I ask every single one of them when they walk in the door to tell me about five to 10 things that you hit home runs with or were amazing at. I want to know what you can hit the home run with and only do those things for me. Over time, a couple [of partners] rose to the top and developed a very strong relationship with me and my team. They understood and knew my network, my threats and my business. From that, they were then able to always continue to deliver to me lots of value. I never wanted my phone to ring off the hook from vendors. I always directed vendors to my trusted partners who knew completely what my company's strategy was and what I wanted to get done.

The partners that rose to the top brought value to the table in the relationship they were establishing. They had the capabilities that I was in need of, but also had a mission to help me create success.

NEXT: Clark On Cloud Security, Risk Management Strategies

CRN: You are speaking at the 2014 RSA Conference called "Castles In The Sky." What will be the theme of the session?
Clark: It's about cloud security. Everybody knows the huge blind spots already associated with the cloud, but I see it as an opportunity for information security to get a lot more involved with the business. The cloud is so much of a business enabler, and that is where everything is going. The cloud can be leveraged as an opportunity to completely remodel the security strategy of an organization away from the infrastructure-centric or compliance-centric view of security.

We'll talk a lot about various technical architectures that I would recommend as people go through a deployment of Office 365 or migrating to Salesforce.com and other cloud infrastructures. It will explore where security vendors are innovating and what some startups are doing to help secure the world there. We'll define the problem and I'll explain that cloud is not all doom and gloom. This will help elevate your jobs, but you have to be ready for it.

CRN: Describe the blind spots that seem to be consistently associated with the cloud.
Clark: It's lack of visibility. You still have blind spots on your network, but at least you have a bit more control and more visibility into what is going on. As your devices are going more mobile and off of your network, you lose that transparency. Encryption is a blind spot. SSL traffic is often a blind spot, because you can't see in that. It forces some organizations to buy technologies to help them see in that traffic. Cloud becomes a much bigger blind spot because you are relying on the controls supported by the provider. There are a lot of things you can do to get some visibility, but you don't have insight into a lot of the internal practices. You need to figure out a good balance.

CRN: What will your new role be at Accuvant?
Clark: A lot of vendors are hiring chief security officers who had been in the field to help marketing and sales activities and think about their product strategy. They're looking to create solutions to address problems by finding the core problems first and then creating the solutions to address them. At Websense, I touched about 400 chief security officers and chief information officers a year. But now at Accuvant, I get to focus on helping the broader audience as well as focus on 40 to 50 customers and CISOs and CIOs and help them really be successful. I'm moving from building specific products to being able to help people with services.

I'll be helping produce some models and tools to help them think about things from a threat-modeling perspective. It is about making more risk-based decisions by applying controls to the security weaknesses to look at it in more of a visual way. I'll be helping organizations have the flexibility to think about the way their security strategy and security team is organized. The last part is in assessments and architecture recommendations. If you want to solve the APT or DDoS problems, this is the architecture we recommend, and the people and processes around it.

PUBLISHED JAN. 2, 2014