Lessons in security leadership: Andy Ellis

The 2011 CSO Compass Award winners discuss prioritizing investments, learning lessons the hard way, and much more

As a cloud-optimization services provider, Akamai handles tens of billions of daily Web interactions for 90 of the top 100 online U.S. retailers, 29 of the top 30 global media and entertainment companies, nine of the top 10 world banks, and all branches of the U.S. military. Overseeing the security architecture of this massive, globally distributed network is MIT graduate and former Air Force Officer Andy Ellis, now Akamai's senior director of information security and chief security architect. He is a noted speaker and the author of Protecting a Better Internet, a blog focused on key issues facing the information security industry.

CSO: What is unique about the security challenges you face at Akamai?

Ellis: Nearly all security problems start with a human being who does something they shouldn't or makes a mistake. But we decided early on that we didn't want humans in the loop. Instead, we built our systems so that failures would be dealt with by systems. So whereas the normal security concern is what people would do to you, we have to look at what the system can do to you. That takes adversarial engineering: You design assuming everything is an adversary so you're naturally resistant to it.

Why is transparency a particular concern of yours?

In the past, we'd tell customers as little as we could about our security. But making them pull teeth to get that information was very expensive because they'd spend a lot of time asking questions. So more and more, we're telling people proactively what we do, to the point where we've added a line item to the contract that gives them visibility into Akamai controls. We want people to think of us as the cloud vendor that gives them intelligence.

What is the most difficult or rewarding accomplishment of your career?

The building of a secure content-delivery network, which goes back to Akamai's founder [Daniel Lewin], who perished in the 9/11 attack. This was 10 years ago, when cloud wasn't on anyone's radar. Danny and I went back and forth deciding the minimal set of controls needed for security, and there were days I didn't think we'd ever build it. Then, one morning at 8 a.m., I get a phone call. I'd been up until 5 a.m., responding to an incident. It's Danny, and he's with a financial-services customer. He says, "I'm going to sell them the secure content-delivery network, and I need you to talk to them about it." This was literally three days after I was ready to throw my hands up on the whole thing. I said, "OK, Danny, I need two minutes to splash water on my face so I'm coherent."

So I talk to the customer, and they're asking questions as if it's already done. It was at that "Aha!" moment that I said, "This is going to work." Now, some of the biggest banks in the world are using it.

What has been the biggest change to the CSO role in the past few years?

Historically, we think of security as a gatekeeper, the ones who say "no." But our job is to help people make better risk decisions, with as little oversight as possible. The first step is making sure they talk to us early on, not to find the security problems, but to help you think through what the security problems are. If you let someone else be responsible for risk, you're willing to take on more risk. But if I make you aware of risk, you'll do the right thing.

What is one of the biggest mistakes you've made during your career and what did you learn from it?

A lot of it comes down to misspeaking. One time, I was trying to express to one of the senior executives here the risk of information exposure. I said, "What if your financial information leaked out?" It fell flat in the room; it sounded like I was threatening him. They heard it as, "If you don't do the right thing, it's your data that will be leaked." So I've spent a lot of time trying to improve my coherence.

What are two things about security or security leadership you wish you'd known 10 years ago?

Ten years ago, I thought I knew all the answers and just had to get people to agree with me. But that's not the case. There's no such thing as "perfect security"; there are multiple ways to solve the same problem.

If a CSO could get budget approval for one security investment, what should it be?

Enabling your automated systems to do as much as possible to minimize operators' access rights. Operators make errors, so keeping them from accessing data is safer.

Stories by Mary Brandel