CISO bets on cloud security services to protect data

Jabil CISO John Graham is using cloud security software to protect his customers’ most sensitive intellectual property.

In what could be considered an unusual move at a time when most companies choose to keep their cybersecurity tools on-premises, John Graham, CISO for Jabil Circuit, says the manufacturing services company is adopting more cloud security services.

Graham says that moving to the cloud lets the company focus on its core business of making high-precision molds, mechanical tools and medical devices. More specifically, it allows his tech staff to focus on threat analytics. Graham expects Jabil’s cloud migration strategy to become the rule rather than the exception.

John Graham, CISO for Jabil Circuit.

“The biggest thing that we get is speed to deployment and stability,” says Graham, who joined the $18 billion company in September 2013. “No longer do I have to have a team that has to worry about upgrading the hardware or the OS, or fooling with any of that.”

Companies have been gradually moving many of their business applications and software infrastructure to the cloud. But they’ve been slow to entrust their security to someone else, preferring to manage their firewall appliances and other cyber-tools internally. Yet CIOs and CISOs struggling to keep pace with the rapidly shifting threat landscape -- which includes anything from random phishing to highly targeted attacks from hackers seeking corporate data -- see an advantage in relying on vendors for whom cybersecurity is their core competency.

David Burg, global cybersecurity practice leader for PwC, says that 69 percent of 10,000 CEOs, CFOs, CIOs and other executives surveyed this year said they are using some form of cloud-based tool for data protection, privacy, network security, identity and access management, real-time monitoring and analytics, and advanced authentication. “I think we’re at the beginning of a wave of an evolution from on-premises to off-premises” solutions, Burg says.

Jabil streamlines Web security in the cloud

When Graham became Jabil’s first CISO two years ago, he learned the company was running 75 distributed Web-filtering machines that were up for renewal in just four months. Rather than protecting the network, the machines were being used to block porn and other entertainment sites. That wouldn’t do for a company that stores digital copies of product schematics for large enterprises, making it an attractive target for attackers. After evaluating several solutions, Graham selected Zscaler, which provides hosted Web security, malware detection and other services. “This was the first step to put a blanket around the whole company,” Graham says.

Continuously scanning Jabil’s network, Zscaler works in conjunction with Splunk machine-learning software to hunt for and block potential security threats, as well as with the OneLogin single sign-on authentication tool to see whether employees are bringing in malware as they sign in with their corporate credentials. Graham says the switch to Zscaler, completed in about six weeks, has enabled him to reassign low-level employees as “hunters” analyzing threats, rather than just “watching screens,” waiting for something bad to happen.

That’s crucial for Graham, whose lean team of 42 workers manages IT governance, risk and compliance, as well as business continuity and disaster recovery for 101 offices worldwide. Graham, who has managed risk in roles at First Data and SunTrust Banks, says financial services firms have hundreds of staff dedicated to cybersecurity. Whether a staff runs large or small, Graham says it’s possible for companies to move all of their cybersecurity protections to the cloud, saving the time and trouble of managing every device or security tool.

Standardizing on cloud security

“I honestly think that that’s where it’s headed, and we’re doing as much of that as we can right now,” he says. He adds that there’s nothing that he wouldn’t consider putting in the cloud from a cybersecurity perspective. Jabil is currently considering purchasing cloud firewall services from Zscaler to secure its perimeter, as well as protection for when it acquires new companies. He says Zscaler routinely provides Jabil a six-to-eight week notice when it is performing an upgrade to its services.

Moving to a cloud model, of course, presents unique challenges. Some clients that entrust Jabil with sensitive intellectual property require documented evidence of cybersecurity protection, forcing the company to request the information from its cloud partners, such as Zscaler or Google, on which it relies for collaboration and productivity apps. “Building that evidence in a cloud model is something that we’re working towards.”
