Five Questions with an OG, Brian Johnson: Cloud Security
MissionOG is fortunate to be supported by a deep network of experienced operators and entrepreneurs. This entry is part of a blog series where we share perspectives from “OG’s” – original innovators from specific market segments and/or business disciplines.
Brian Johnson was the CEO and co-founder of DivvyCloud, the leading provider of cloud security posture management solutions. The company’s clients included Discovery, 3M, Spotify, and Autodesk. In 2020, DivvyCloud was acquired by Rapid7 (NAS:RPD). Following the acquisition, Brian served as senior vice president of Rapid7’s cloud security practice.
WHY DID YOU START DIVVYCLOUD?
In 2011, while at Electronic Arts, Chris DeRamus, DivvyCloud’s co-founder, and I had just finished migrating most of our infrastructure from datacenters to Amazon Web Services (AWS). When completed, we noticed that we had significantly more infrastructure available than when we started, more people were involved with the infrastructure than before, and a higher number of daily changes were being made than before. This led to more “noise” in the environment than in our legacy systems, which added significant challenges for prioritization and analysis.
Through this experience, we realized that cloud was going to lead to massive transformation across the industry, as companies adopted it as their primary infrastructure solution. At the time, we weren’t really sure how we would solve the problem or even what the problem set specifically was for enterprise, but we knew we had the skills and the perspective to help others successfully adopt cloud. After further reflection, we left Electronic Arts, began writing code, and formed a plan as we went.
HOW SHOULD CISOs OR CIOs BE THINKING ABOUT CLOUD SECURITY NOW?
Today, Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs) play a more strategic role in the company than they did 10 years ago. IT and security were originally services that were deemed a necessary evil. Now, security and IT act more like partners to business unit leaders in an ever-changing landscape.
When talking with CISOs and CIOs, we will often use the analogy of soccer to describe the changing role of a CIO. Previously, CIOs/CISOs were goaltenders. Security and IT were the gatekeepers to prevent bad things from going out. While this helped an organization remain safe, it was also a very cumbersome and overly burdensome process. Engineering teams became fed up with the speed of IT. When Amazon came out with on-demand infrastructure, engineering teams around the globe used it to get around IT, security, and compliance to move faster than before. Ultimately, this led to the goaltenders being moved to the parent role on the sideline. IT and security leaders could barely see what was going on, and had no authority to do anything about it. To get closer to the action, IT/Security had their companies adopt technology such as cloud security posture management (CSPM) and cloud management platforms (CMPs). With the implementation, IT/Security teams became line referees, where they could see what was going on and identify specific areas of risk, but ultimately kept off the field.
As the CISO and CIO roles evolve, IT/Security needs to find its way to being the center referee. They will need to be able to see, participate, and identify issues while still allowing our engineers to move at the speed of innovation. Next-generation protection and automation tools will enable security and IT organizations to properly identify and remediate true risk in real time, while still allowing the engineers the freedom needed to do their jobs.
HOW HAVE YOU SEEN CLOUD GOVERNANCE EVOLVE WITHIN LARGE ENTERPRISES?
Over the last decade, we have opted for speed of security in order to deal with an ever-changing innovative and competitive landscape. But that speed came at the cost of security and optimization. With the rising threat of ransomware and data leaks, organizations are starting to re-evaluate their risk tolerance. At one point, the risk of losing market share outweighed the risk of being compromised. Now, with cyber-attacks happening every day, it has become clear that the industry needs to move from innovation mode to operational mode.
HOW DO YOU EXPECT THE SECURITY MARKET TO CHANGE IN THE NEXT FIVE YEARS?
Over the next five years, I expect to see IT and Security play a bigger role in cloud strategy. Prior, engineers owned and operated infrastructure, but now IT and Security need to regain some semblance of control. Technologies such as Kubernetes will provide a cloud abstraction layer that will not only help workloads be more portable, but also help IT/Security restore some of the control lost over the last 15 years.
WHAT DEVELOPMENTS IN CLOUD SECURITY ARE YOU MOST EXCITED ABOUT?
In IT/Security, the pendulum is always swinging. Technologies such as Kubernetes, edge computing, and machine learning will help drive the industry back towards “center” where IT/Security and engineers work as partners instead of adversaries. Multi-cloud infrastructure will become a standard and Kubernetes will help abstract cloud infrastructure. The premium cost of cloud will eventually drive organizations towards re-focusing on optimization and predictable spending.
I also expect that cheaper, cooler, and faster hardware along with a more robust IP infrastructure will lead to a shift towards true hybrid cloud and a focus on leveraging on-premise infrastructure. We will see companies begin to use “on-prem clouds” as a baseline, while cloud infrastructure is used for development, edge and surge computing.