vali_111 - Fotolia
When it comes to cloud adoption, protection of information and physical resources is a top concern of CIOs and CISOs. Just ask David Neuman, the vice president and CISO of multi-cloud service provider Rackspace Inc. In the CISO position, Neuman oversees the managed cloud provider's security initiatives, working with staff from all aspects of the global operation -- 11 data centers providing services in 121 countries. The company, based in Windcrest, Texas, has more than 6,000 employees (Rackers), the majority in the United States.
"Most industries are on a journey. They want to see infrastructure as more of a commodity that they can optimize for cost and effectiveness," Neuman said. "Many of them have heavy workloads, like Oracle and SAP, that drive them, and they need expertise; that is our sweet spot."
Neuman rose up through the U.S. Air Force enlisted ranks, becoming a noncommissioned officer with global responsibilities before advancing to the CISO position in the private sector. He holds a master's degree in national security and strategic studies from the U.S. Naval War College, a master's in security administration from Bellevue University and a bachelor's degree in computer studies from the University of Maryland University College. During his 28 years of service, his leadership transformed the way the Department of Defense (DOD) integrated cyber capabilities into military operations. He developed a three-year plan for building a resilient and defensible information enterprise and an operational plan for protecting the Air Force's Rapid Global Mobility mission. He also authored treatises on cyberdefense coordination and attack countermeasures. Between the Air Force and Rackspace, he was an executive director and chief operating officer for Ernst & Young's Americas Cybersecurity practice.
What kinds of security issues are of particular concern to managed cloud providers?
David Neuman: Rackspace is in some ways a full-spectrum target. We may not be the ultimate target, but we are the catalyst that bad actors may try to get through to get to customers. … We must protect our corporate assets and those points at which our Rackers enter into customer environments so that customers know the assets they have are protected and ensured.
I wish we could take security out of the industry vernacular because what we try to focus on is bringing business resiliency to customers. So I am concerned about the threat landscape and risk, but on the other hand, I have to be a business enabler. Sometimes you have to make risk-based decisions on how to best support customers. We have highly interactive discussions with Rackers and customers, and make the participants focus on valued outcomes, both from an offering and services perspective.
Your full title includes 'global information security operations, strategy, architecture and engineering services.' That implies a broader set of responsibilities than some CISO positions. What's the thinking there?
Neuman: The description they have for [the CISO position] represents the new form of CISOs, as business enablers rather than just firefighters. As CISOs, there are operations practices and tech practices and there are also business enablers. We all fancy ourselves as enablers, but the reality is that you have to integrate yourself into the business process and then focus on outcomes. I provide my informed input to a great team of professionals so we can focus on smart outcomes. We also recognize that this isn't a one-and-done play. We have to focus on all those things: operations, tech and business.
Did your close call with Hurricane Harvey last summer test your disaster recovery preparations? What did you learn from that experience?
David Neumanvice president and CISO, Rackspace
Neuman: First, our thoughts and prayers go out to our fellow Texans and those in neighboring states and also those affected by other disasters. Our plans worked because we spent time on them and we practiced. That is something Rackspace did before I came. If you are providing managed hosting, you can't just arrive at a location and think about the details when you get there; you have to have things in place and practiced.
We anticipated the follow-on gas shortage and implemented business continuity plans for San Antonio and other areas within Texas. We quickly recognized the impact of the shutdown of half of the Colonial Pipeline and 40% of refinery capability. The one thing you can't control is the human reaction, such as people hoarding gas. But we were ahead of that.
You spent a lot of time in the U.S. military focused on cyber issues, and you earned a degree from the Naval War College, where they train and practice for actual war. How did that inform your approach to the CISO position and cybersecurity?
Neuman: The Naval War College is an amazing place and an amazing institution. The opportunity to attend and earn a master's degree was the highlight of a career. When I attended, I was probably 25 years into my career. Officers that go there are highly vetted.
The faculty galvanized my operations thinking. But it wasn't just the faculty. The experience you come into contact with there is also the people, and it isn't just people from the services. I had classmates from the CIA and State Department. There are international students. It really gets you out of your box and prepared to command an Air Force cyber unit.
The ability to take classes, learn about what others do and understand the value they bring to their mission -- and to participate in an exchange of thinking -- is so valuable. The professional who tries to protect everything protects nothing: that was something I learned there that has become instrumental in how DOD conducts its cyberdefense operations. I don't know if I would have thought that way if I hadn't been around those people and studied Carl von Clausewitz, Alfred Thayer Mahan and other strategic thinkers.
We have an expression in the military: It isn't the weapon you sling that makes you lethal; it is the way you sling it. In this [cyber] battlespace, you have to think about what you are setting out to do. The name of the game is readiness. My operating model for the teammates I have here is that you can't stop or prevent cyber hostilities, so you have to be ready to mitigate the impact and continue to fight. That has been a pivotal insight, especially when you take smart people and give them an active defense approach to work with.