How Akamai Evolved Into a Security Vendor

In this episode of The View with Vizard, host Mike Vizard talks with Dr. Boaz Gelbord, Akamai chief security officer, about how Akamai, a longtime provider of a CDN, is now evolving into a security vendor. The video is below, followed by a transcript of the conversation.

Mike Vizard: Hey, guys. Thanks for the throw. We’re here with Boaz Gelbord, newly appointed CSO for Akamai. Boaz, welcome to the show.

Boaz Gelbord: Thanks so much for having me, Mike.

Vizard: So, you’re only on the job a couple of weeks now so, what’s the priority? What’s the first thing that comes to mind that you guys gotta work on and what’s keeping you up at night?

Gelbord: Well, you know, joining a company like Akamai’s really exciting, and there’s a great amount of things to learn. My focus and priority, really, in the first few weeks has been learning Akamai’s systems, learning its technologies, meeting the team. We have a tremendous pool of talent here – a very strong security team and a general technology team – and really learning our security program. So, it’s been really exciting. It’s been a very warm welcome from all of my colleagues and I’m really looking forward to being part of making the internet safer at Akamai.

Vizard: What’s your take on the role of the CDN in security these days? A lot of folks tend to view it as a DMZ and it kind of protects them from the wild west out there, but a lot of folks don’t seem to be using it so, what is the challenge in kind of getting organizations to wrap their head about how to use a CDN in a security context?

Gelbord: Right. Well, you know, one of the exciting things at Akamai – and really, one of the things that drew me to the company – is that although it started out in content delivery – and media delivery’s still a big part of the business – it’s really morphing into a security company and is doing some very exciting things in terms of moving from traditional methods of security – if you think of security as, you know, DMZs, as you were alluding to, firewalls, that sort of thing – into more modern ways of security. So, I think that we’re really in an inflection point in terms of how companies need to look at how to secure their systems, and I think Akamai is very well positioned, you know, from the perspective of being on the edge and sort of sitting in between a lot of the ways that users interact with their various websites. And so, for me, that’s a very exciting proposition. I think it’s somewhere where we have a lot of things to offer customers in terms of how to better secure their systems.

Vizard: We’re hearing a lot more focus these days on software supply chains in the wake of some recent high-profile breaches. Where does DevOps, in your mind, and security and DevSecOps all come together as it relates to a CDN? The CDN is becoming a target platform so, where do you fit in the supply chain?

Gelbord: You know, I think that all major sort of technical components of delivering a product or delivering a system are now under increased scrutiny, right? This happened in the wake of SolarWinds, and when, you know, a company looks at how they deliver their product to their customers, there are many cases – literally hundreds of different components – that are part of it. So, I think that that’s a really important area for organizations to focus on – is how do they make sure that they have visibility into what those critical vendors are, and what are the measures that they’re taking in order to secure themselves? And I think that every company finds themselves – you know, technology companies often find themselves both in the situation of looking and assessing how their vendors are doing, as well as working with their own customers to provide them assurance that they’re taking the right steps to secure their networks. And, you know, certainly, Akamai, as a company that, in some way, runs a significant amount of the traffic on the internet, is in a position where providing our customers with assurance that we’re taking the necessary measure is a very important part of our value proposition and something that we take very seriously.

And certainly, for me, you know, part of what was very exciting about joining the security team at Akamai was being able to be part of that and being able to help grow the business through providing that level of assurance.

Vizard: What is your take on the relationship between developers and security these days? There’s a lot of folks who are betting on DevSecOps to result in more secure code, but others are saying, “That takes too long. We don’t have time to train all those developers and we need the security people to get more involved in application security. So, how do I strike a balance?”

Gelbord: You know, I think there certainly is a balance to be struck there. I think a very big component is ensuring that developers are enabled with the tools that they need in order to properly secure systems. So, I think the traditional model – where you would have a security team that sits apart from development and does checks every now and then and then, sort of provides a large list of issues to developers saying, “Hey, you know, here’s 83 problems that we found with your code. Please fix ’em” – I don’t think that that model scales or is really fit for purpose in terms of the way that development teams need to develop today in a more agile, rapid, manner. So, I think that the key is to really partner with development teams to ensure that they’re enabled – they have the tools that they need, they have the education and the processes to have a large majority of things, and then, I think there’s a governance process – there’s a governance function – for our security team in order to ensure that those things are being conducted in a way that they should and to catch the more esoteric type of issues that maybe a team isn’t well positioned to catch themselves.

Vizard: Do you think that the workflows need to be redesigned between security then and development teams as part of that conversation? And what is that ideally gonna look like? Where is the hand-off? I think the devil’s in the details here.

Gelbord: Absolutely. There’s no question about it. And I think it’s also unique to each organization in terms of how they have their current workflow set up, you know? And most organizations have a patchwork of some areas that are maybe further ahead in that journey and some that are further behind and so, I think that there’s definitely, as you say, devil in the details, and that each organization needs to look at where they have sort of models that work for them, right? And in particular, how to scale those services across the organization.

So, I think one thing that’s worked well – that I’ve seen work well in the past – is when you have certain groups that are really kind of leaders in terms of adopting those type of models, and where they can demonstrate value – particularly in that self-service model – that serves as sort of an example for other teams where they also want to adopt it. But I think that demonstrating that value and showing that it’s something that actually increases productivity versus gets in the way is key to evangelizing and growing that across the company.

Vizard: We hear a lot about AI these days. Is AI gonna save us from ourselves or is it just more hype than reality? Where are we in the spectrum?

Gelbord: Well, I think, you know, it’s a double-edged sword, ’cause, on the one hand, when you look at AI – and, you know, my concern in the near term is that it actually enables the automation of a lot of kind of attacks that required human intervention or manual intervention in the past. So, I think we’re gonna see, over the next couple of years, is that the job of attackers is gonna become easier and their ability to carry out more sophisticated attacks is going to increase as a result of AI. You know, on the other hand, I think AI also offers defensive teams the opportunity to scale and automate a lot of their work. So, I think it’s gonna be a little bit of an arms race, and I’m bullish about the long-term prospects there, but I am certainly concerned, in the near term, that the advantage may tilt somewhat to attackers versus defenders.

Vizard: Speaking of the attackers, there’s a lot of chit-chat these days about ransomware everywhere you turn. One of the issues at the moment is should we ban people from paying ransom in the first place, because it encourages folks to use crypto currencies to anonymously pay for things and that just encourages more attacks, some people say. What’s your take?

Gelbord: Yeah. It’s a nuanced issue and it’s, I think, one that’s hard to pin down, because there’s different jurisdictions that have different views on those sort of things. You know, different organizations will have different consequences for not paying their ransom so, in some cases, maybe business consequences. You know, we’ve also seen situations where there’s hospitals and other mission critical organizations – where there could potentially be lives at stake. So, I think it’s hard to really give a one-size-fits-all answer to that. I do think that the ransomware threat is something that has awoken a large number of organizations that maybe hadn’t really looked at their overall defensive posture to make investments in cyber security that maybe they hadn’t made in the past.

So, I think that the – what we’re really seeing today from ransomware, in a sense, is a tip of the iceberg in terms of what’s potentially possible, right? We haven’t seen – we could potentially see, in the future, you know, not just the threat of data being exposed, but even more malicious activity being threatened if ransoms aren’t being paid. So, I think it’s a very good wake-up call for the industry in general to look at what the actual threat profile is and to make the necessary investments to at least mitigate that risk going forward.

Vizard: I feel like we expect too much of our security people and there’s a lot of pressure in this job. Do you think that the relationship between security teams and IT operations teams and the developers all needs to change? Because it has to become more of a team sport. I think there’s this notion that, somehow or other, the security guys are gonna take care of everything.

Gelbord: It absolutely has to become a team sport, and I think a lot of organizations are already doing that, you know, quite well. I think that security as a function needs to be imbued in the mindset of everyone across the organization, really, so, there is a role for security teams in terms of governance, in terms of evangelizing, in terms of supplying some of the central services that are better done at scale. But I think – particularly for companies where security is a core part of the value proposition or where they do very sensitive – or deal with sensitive data or perform sensitive activities – security as just part of the overall way the company functions is increasingly going to be the way that it needs to be approached versus, you know, having just a separate security team that’s half of the security.

Vizard: All right. So, other than hanging out on the Akamai website, what’s your best advice to your fellow CSOs?

Gelbord: Well, you know, I have the privilege of knowing a lot of fellow CSOs and I think that one of the things that makes this industry exciting is that there is a great connection between folks in the cyber space. We’re sort of all in this together, so to speak, and so, I think that just keeping the community strong and exchanging information is one of the really beneficial things that we can all do for each other. We’re all facing similar threats. You know, I think from a cyber perspective, growing our knowledge and continuously engaging with the business is really critical. One of the things that I think characterizes this space is that things don’t stay the same. So, it’s really a process of continuous learning and staying abreast of the rest.

Vizard: All right. As Ben Franklin once said, “If we don’t all hang together, we will surely hang separately”, right?

Gelbord: Indeed.

Vizard: All right. Hey, thanks for being on the show.

Gelbord: Thanks so much for having me, Mike. I enjoyed it.

Vizard: All right, guys, back to you in the studio.

[End of Audio]

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
