The 2011 CSO Compass Award winners discuss prioritizing investments, learning lessons the hard way, and much more
As a cloud-optimization services provider, Akamai handles tens of billions of daily Web interactions for 90 of the top 100 online U.S. retailers, 29 of the top 30 global media and entertainment companies, nine of the top 10 world banks, and all branches of the U.S. military. Overseeing the security architecture of this massive, globally distributed network is MIT graduate and former Air Force officer Andy Ellis, now Akamai's senior director of information security and chief security architect. He is a noted speaker and the author of Protecting a Better Internet, a blog focused on key issues facing the information security industry.
CSO: What is unique about the security challenges you face at Akamai?
Ellis: Nearly all security problems start with a human being who does something they shouldn't or makes a mistake. But we decided early on that we didn't want humans in the loop. Instead, we built our systems so that failures would be dealt with by systems. So whereas the normal security concern is what people would do to you, we have to look at what the system can do to you. That takes adversarial engineering: You design assuming everything is an adversary so you're naturally resistant to it.
Why is transparency a particular concern of yours?
In the past, we'd tell customers as little as we could about our security. But making them pull teeth to get that information was very expensive because they'd spend a lot of time asking questions. So more and more, we're telling people proactively what we do, to the point where we've added a line item to the contract that gives them visibility into Akamai controls. We want people to think of us as the cloud vendor that gives them intelligence.
What is the most difficult or rewarding accomplishment of your career?
The building of a secure content-delivery network, which goes back to Akamai's founder [Daniel Lewin], who perished in the 9/11 attack. This was 10 years ago, when cloud wasn't on anyone's radar. Danny and I went back and forth deciding the minimal set of controls needed for security, and there were days I didn't think we'd ever build it. Then, one morning at 8 a.m., I get a phone call. I'd been up until 5 a.m., responding to an incident. It's Danny, and he's with a financial-services customer. He says, "I'm going to sell them the secure content-delivery network, and I need you to talk to them about it." This was literally three days after I was ready to throw my hands up on the whole thing. I said, "OK, Danny, I need two minutes to splash water on my face so I'm coherent."
So I talk to the customer, and they're asking questions as if it's already done. It was at that "Aha!" moment that I said, "This is going to work." Now, some of the biggest banks in the world are using it.
What has been the biggest change to the CSO role in the past few years?
Historically, we think of security as a gatekeeper, the ones who say "no." But our job is to help people make better risk decisions, with as little oversight as possible. The first step is making sure they talk to us early on, not to find the security problems, but to help you think through what the security problems are. If you let someone else be responsible for risk, you're willing to take on more risk. But if I make you aware of risk, you'll do the right thing.
What is one of the biggest mistakes you've made during your career and what did you learn from it?
A lot of it comes down to misspeaking. One time, I was trying to express to one of the senior executives here the risk of information exposure. I said, "What if your financial information leaked out?" It fell flat in the room; it sounded like I was threatening him. They heard it as, "If you don't do the right thing, it's your data that will be leaked." So I've spent a lot of time trying to improve my coherence.
What are two things about security or security leadership you wish you'd known 10 years ago?
Ten years ago, I thought I knew all the answers and just had to get people to agree with me. But that's not the case. There's no such thing as "perfect security"; there are multiple ways to solve the same problem.
If a CSO could get budget approval for one security investment, what should it be?
Enabling your automated systems to do as much as possible to minimize operators' access rights. Operators make errors, so keeping them from accessing data is safer.