CISO bets on cloud security services to protect data
Graham says that moving to the cloud lets the company focus on its core business of making high-precision molds, mechanical tools and medical devices. More specifically, it allows his tech staff to focus on threat analytics. Graham expects Jabil’s cloud migration strategy to become the rule rather than the exception.
“The biggest thing that we get is speed to deployment and stability,” says Graham, who joined the $18 billion company in September 2013. “No longer do I have to have a team that has to worry about upgrading the hardware or the OS, or fooling with any of that."
[ Related: Boards are getting more involved in cybersecurity, but is it enough ]
Companies have been gradually moving many of their business applications and software infrastructure to the cloud. But they’ve been slow to entrust their security to someone else, preferring to manage their firewall appliances and other cyber-tools internally. Yet CIOs and CISOs struggling to keep pace with the rapidly shifting threat landscape -- which includes anything from random phishing to highly targeted attacks from hackers seeking corporate data -- see an advantage in relying on vendors for whom cybersecurity is their core competency.
David Burg, global cybersecurity practice leader for PwC, says that 69 percent of 10,000 CEOs, CFOs, CIOs and other executives surveyed this year said they using some form of cloud-based tool for data protection, privacy, network security, identity and access management, real-time monitoring and analytics, and advanced authentication “I think we’re at the beginning of a wave of an evolution from on-premises to off-premises” solutions, Burg says.
When Graham became Jabil’s first CISO two years ago, he learned the company was running 75 distributed Web-filtering machines that were up for renewal in just four months. Rather than protecting the network, the machines were being used to block porn and other entertainment sites. That wouldn’t do for a company that stores digital copies of product schematics for large enterprises, making it an attractive target for attackers. After evaluating several solutions, Graham selected Zscaler, which provides hosted Web security, malware detection and other services. “This was the first step to put a blanket around the whole company,” Graham says.
[ Related: 5 tips for better enterprise security ]
Continuously scanning Jabil’s network, Zscaler works in conjunction with Splunk machine-learning software to hunt for and block potential security threats, as well as the OneLogin single sign-on authentication tool to see whether employees are bringing in malware as they sign in with their corporate credentials. He says the switch to Zscaler, completed in about six weeks, has enabled him to reassign low-level employees as “hunters” protecting analyzing threats, rather than just “watching screens,” waiting for something bad to happen.
That’s crucial for Graham, whose lean team of 42 workers manage IT governance, risk and compliance, as well as business continuity and disaster recovery for 101 offices worldwide. Graham, who has managed risk in roles at First Data and SunTrust Banks, says financial services firms have hundreds of staff dedicated to cybersecurity. Whether a staff runs large or small, Graham says it’s possible for companies to move all of their cybersecurity protections to the cloud, saving the time and trouble of managing every device or security tool.
“I honestly think that that’s where it’s headed, and we’re doing as much of that as we can right now,” he says. He adds that there’s nothing that he wouldn’t consider putting in the cloud from a cybersecurity perspective. Jabil is currently considering purchasing from Zscaler cloud firewall services to secure its perimeter, as well as protection for when it acquires new companies. He says Zscaler routinely provides Jabil a six-to-eight week notice when it is performing an upgrade to its services.
Moving to a cloud model, of course, presents unique challenges. Some clients that entrust Jabil with sensitive intellectual property require documented evidence of cybersecurity protection, forcing the company to request the information from its cloud partners, such as Zscaler or Google, for which it relies on collaboration and productivity apps. “Building that evidence in a cloud model is something that we’re working towards.”