Accuvant CSO Offers Channel Advice On NSA Impact


The lengthy list of revelations about the National Security Agency's surveillance activities pose difficult challenges to cloud adoption and technology deployments, but it also establishes some new opportunities for the channel, according to a security industry veteran who is helping executives build out their security programs.

The fallout from the NSA revelations on U.S. cloud service providers and technology vendors will be regional, said Jason Clark, who was named by Accuvant as its new chief security and strategy officer in December following a three-year stint at security vendor Websense. Clark, a former chief information security officer at The New York Times and Emerson Electric, told CRN that he is seeing renewed interest in behavioral analytics, network monitoring and data security measures as organizations try to protect sensitive intellectual property from malicious insiders.

Clark said he will help the company establish stronger relationships with C-level executives. He said he plans to work with executives at organizations who are revamping their security strategies. He will work alongside Accuvant's risk assessment and architecture recommendation teams. In an interview with CRN, Clark shares his philosophy when it comes to the channel and explains how the potential fallout from the NSA revelations could impact cloud services and data protection.

[Related: NSA Back Door Exploits Present Hurdles, Opportunities For U.S. Companies Selling Overseas]

CRN: There has been a broad discussion about the security of data in the cloud following the barrage of National Security Agency surveillance activity leaks. What is your view on data security and trust in U.S. cloud providers?

Jason Clark: I think the fallout is more international. Everybody that I know who sells cloud services, specifically in Europe right now, are getting bombarded with questions about security. People are doing a lot of extra due diligence on the security of cloud infrastructures. Some of this is healthy. For a long time, cloud providers have never been under this much scrutiny from a privacy or security standpoint. It isn't necessarily hindering cloud providers from winning deals because very few of them have the robust controls that are required. But it is certainly deterring the adoption of cloud in specific regions.

From my perspective, the question over government access to data has been more of a discussion in the media rather than a chief concern among the multinational organizations that I have dealt with. When I'm talking to executives at organizations that is not what they are really worried about. There's concern regionally where the culture around data privacy and security is heightened such as in Europe or Brazil.

CRN: Is there a discussion on data security and system monitoring to detect insider threats in the wake of the NSA revelations?

Clark: If you ask me, the No. 1 gap that exists today is the insider threat. There is the least amount of capability, technology and investment in addressing insider threats. I think it is becoming a much bigger issue at organizations. In the past, it typically took a security incident brought on by an insider to get the organization thinking about solutions to address it. I see some very large organizations hiring one person to start developing an insider threat program. Fast-forward five years from now: Every organization that has intellectual property to protect might have five or more people on the security team designed to address it. To me, the two biggest domains around this are behavioral analysis and data analytics. It's not about big data; it's about rich data. Big data is too much storage and I don't think people need to spend that kind of money. Forward-thinking organizations will focus on establishing rich data rather than big data, and analyzing the behavior of their users rather than preventing them from doing something.

CRN: What is your philosophy when it comes to engaging solution providers in the channel? What has your relationship been like in the past with resellers and consultants?

Clark: They've got to bring me value. They need to have strong relationships with the products that [they] are trying to sell. I ask every single one of them when they walk in the door to tell me about five to 10 things that you hit home runs with or were amazing at. I want to know what you can hit the home run with and only do those things for me. Over time, a couple [of partners] rose to the top and developed a very strong relationship with me and my team. They understood and knew my network, my threats and my business. From that, they were then able to always continue to deliver to me lots of value. I never wanted my phone to ring off the hook from vendors. I always directed vendors to my trusted partners who knew completely what my company's strategy was and what I wanted to get done.

The partners that rose to the top brought value to the table in the relationship they were establishing. They had the capabilities that I was in need of, but also had a mission to help me create success.

NEXT: Clark On Cloud Security, Risk Management Strategies