The Need of a New Security Model

In my experience as a CISO at two Fortune 500 companies and now a Chief Trust Officer at Box, I've observed a dramatic shift in the security landscape and initiated development of a new security model. My reason for writing this post is to get your thoughts on some of these ideas and engage you in a discussion I'd like to have with you and other CISOs and security leaders.

Our primary challenge is that as the utility of computing has evolved, our security model hasn't.  I believe that we can address the security issues arising from the evolution of computing and the rise in advanced threats with a new model.

We are facing significant security anproductivity changes createbour long-term shift from a centralized utility model (the mainframe) to a decentralized one (client/server). More intriguing, the introduction of SaaS and other "cloud" services over the last decade has given resurgence in centralized computing. This, combined with the introduction of "always on" networking and mobile devices, has created a transformation for corporate IT departments. It's a transformation of how IT provides its services in a new  fashion. Moreover, it's not the first time a change has occurred and it won't be  the last.  

For IT, this is a huge boon. The ability of  IT  to provide  corporate services in "the cloud" serves three main purposes in this transformation. 

  1. First is the ability to remove legacy tech debt and enable services in a faster development and release cycles 

  1. Second is to facilitate the ability of their employees of working freely outside of the office on mobile devices  

  1. Third is the restructuring of IT's cost model in which it provides those services

It's bit different for the security industry. We've talked long and hard about the risks and concerns about cloud providers. However, I believe the cloud can be a centralized utility, providing the security benefits that we've been missing for the past 40 years. 

Unfortunatelywe still see security in an enterprise network and control only aspect.  We do not have the capabilities to truly protect our content and transactions as they have left our environments in a significant way.  Instead, we drive harder controls to those devices to extend our "enterprise" to the devices as they traverse the Internet. This model is flawed and needs to be replaced with a new model that allows for the basic security controls to be transparent to our corporate network and the rest of the Internet. It's this change of our reference that allows us to begin to solve the security problem we are in today and realize the benefits of a centralized "cloud" model.  Only then can we envision the security transformation that needs to happen.

This is the core focus of my thoughts and a first article in a series on how we need to change in the industry, both vendor and practitioner.  It's my objective to have this ongoing discussion with all of you.

I want to hear from you:

  • Share your thoughts -

  • Join me and experts from Forrester and CipherCloud for an online panel ( on August 20th at 11 am PST. We will discuss the challenges and approaches to securing content in the cloud.