The Big Interview: Brian Kelly, chief security officer at Rackspace -TEISS® : Cracking Cyber Security
2 June 2015
While he was stationed at the Pentagon, it was only when the military began to understand the role cyber could play in war that Kelly’s big break came in information security. He was asked by the joint chiefs of staff to help in a mission called information warfare, which resulted in him spending a lot of time working on how this could potentially change military doctrines.
His efforts in the military saw him win the Defence Meritorious Service Medal, the third-highest award bestowed upon members of the US military which recognises non-combat achievements.
But soon after leaving the military, Kelly had an ambition to take what he had learnt in cyber-security to companies. Kelly, who is based in San Antonio, Texas, told me: “I had reached a point where I thought we needed to take this to the private sector. A lot of this was happening in the public sector, but it was not getting to the companies that were the greatest risk. That was my transition point.”
Kelly was working for a company called Trident Data Systems, whose focus was also on info war for the government and the air force, but Kelly felt the systems they were developing could be adapted to the private sector.
Kelly says: “There was an intrusion detection technology called DIDS (Distributed Intrusion Detection Systems), probably one of the first ever examples of this technology. We created what they call today the Security Information Management System (SIMS), which is basically a data analytics platform.
“We created one back in the 90s called ASIMS (Automated Security Instant Management System), which was almost really one of the first SIMS. There were a lot of things that had not been done before that came out of those days. A lot of technologies emerged from the early days in San Antonio.”
Kelly thought the best way to bring this to the private sector was through Wall Street because it was the banks that were dealing with these issues first and foremost. He moved over to work at the big four accounting firms, first to Deloitte and then Ernst & Young, to bring this to the banking industry.
His main focus these days is protecting the data of one of the world’s biggest cloud service providers, Rackspace, which had revenues of $1.79billion last year. At Rackspace, Kelly’s approach is that a company can help improve the security of its data by keeping it in the cloud.
He says: “By buying into a cloud provider they are also inheriting a security team. You are more secure in the cloud because we are able to dedicate a large number of resources to security.
“I have over 300 security professionals that support our customers every day. I do not see that level of attention and focus when I visited even Fortune 100 companies. Sometimes we miss that fact.”
There has been some concern from companies that data is not secure if it is not on premises. Kelly believes this is because companies are worried about potentially having loss of control over their information.
Kelly says: “What we are hearing is that it is just the uncertainty – because customers feel that they do not know what is happening to their data if it is off premises.
“There is this assumption that if data is in-house it is safer, and that may be a bad assumption. It may feel better to walk down the hall and open the door and go into the data centre and see the racks and the lights blinking, but that does not mean it is safe.”
For small-to-medium-sized companies it can be difficult to have the resources required to implement the security systems needed to protect data.
Says Kelly: “There is a big section of the market – the small-to-medium business area – that are in a tough spot today. The very large companies have the resources to really build their defences for advance detection responses.
“They can build security operations centres with the latest and greatest technology. They can attract and attain very high-end security people, but they are a minority. For the majority of companies in that mid-market level it is not feasible and practical for them to spend millions of dollars to build a security operations centre.
“They very likely cannot compete for high-end security talent – even spending a few million dollars a year for a managed service offering by a third party is difficult for some of these customers. They are in a very tough spot because their only alternative is to try to find low-cost solutions to give them at least some visibility to what is happening in their environment.
“The problem with these low-cost solutions is that they may be within budget, but it is likely they will not be effective against the more sophisticated attacks that we are seeing today.”
This is where cloud computing providers can help companies gain access to security they would not have otherwise, believes Kelly.
He says: “Just given the access we have to our customers and the scale in which we can deliver these services, we can actually provide that advanced detection and response monitoring for these customers at a fraction of the cost, by taking advantage of the scale we have.”
Technology has certainly become a lot more sophisticated since Kelly’s early air force days, with cyber-attacks a very real threat. Companies who do not look at ways of keeping their data safe could become increasingly vulnerable to attacks, but cloud computing could be one low-cost way of keeping their systems safe.