Interview: Bob West On “Shift Left” Security, The Challenges Of Cloud Migration, And How Palo Alto Networks Is Supporting Security Consolidation

When it comes to cloud migration and expansion, technical complexity is the biggest challenge that organizations are currently facing, according to Palo Alto Networks’ most recent The State of Cloud Native Security report. There are three main reasons for this: a lack of talent, maintaining security and visibility, and meeting compliance requirements. And two of these go hand in hand.

“Right now, there are about three and a half million roles around the world that can’t be filled because there aren’t enough security people,” says Bob West, Chief Security Officer at Palo Alto Networks. And filling the talent gap by utilizing people with the right mindset, but who don’t necessarily have a technical background, is one way of approaching this challenge.

West is responsible for Palo Alto’s cloud native application protection platform (CNAPP), Prisma Cloud. Bob joined Palo Alto Networks in 2022; in his current role, he provides strategic counsel to Palo Alto Networks’ customers and prospects. Holding positions on the advisory board for multiple cybersecurity organizations, Bob is a frequent and influential speaker on cloud security. He was recipient of the HITEC 100 award in 2022, which recognizes the top 100 most influential Hispanic leaders in the technology industry and is frequently quoted in the press.

In an exclusive interview with Expert Insights at RSAC 2023, Bob discusses the biggest challenges that organizations are facing when it comes to cloud migration or expansion, and how a “shift left” approach to security and the consolidation of tools and teams can help address those issues. You can listen to our full conversation with Bob on the Expert Insights Podcast.

Tackling The Biggest Cloud Challenge: Technical Complexity

“We need to identify people that are smart and have the aptitude and desire to learn, and that’s how we invest in this. Looking for non-traditional people is something that needs to be done because, otherwise, it’s going to be very hard to fill [those roles].”

But this only takes us some of the way; the tools themselves must also be simple enough for people from versatile backgrounds to use.

“When I think about enterprises, I think about things architecturally,” explains Bob. “In the physical world, if you have a complex structure, it’s harder to get the right level of structural integrity. I look at technology architecture the same way: simpler is better.”

“If you have complexity and you have a lot of tools, they’re harder to use, which means you need more people. Simplifying, not just, the architecture, but the number of tools and vendors that we use, is particularly important to be able to digest everything and manage environments as best we can.”

Consolidating Teams And Tools

Many organizations have limited resource when it comes to security, both in terms of budget and human-power. There are two key ways that businesses can make the most of the resource that they have. They can either outsource their security to a managed security service provider (MSSP) that could also complement the talent they already have in-house, or they can cross-train their existing staff.

Cross-training employees can be an excellent way of managing security from an organizational perspective, ensuring that gaps are filled if someone is ill or leaves the company. It also enables employees to develop their professional skill sets. However, it often involves unifying disparate security, IT, and development teams, which can create friction. The best way to deal with this, Bob says, is through proper governance.

“There’s always natural tension between security and technology organizations. The ideal scenario is that you get representation from across the organization—business, security, technology, legal, auditing and compliance, and human resources—so that everyone is coming to the table to establish a dialogue and make decisions as a group.”

“So, when you’re talking to a development team about the importance of integrating security, and there’s resistance to that, you can say, ‘We as an enterprise made a decision that this is important.’”

Building Security In From The Outset

While consolidating teams and tools is a route that many organizations are taking when it comes to streamlining security, many security professionals argue that a “shift left” approach to security is needed to further alleviate the pressure on security teams. This approach involves building security into the software development lifecycle, rather than finding and fixing issues once a product is already developed or—in some scenarios—after it’s been released. This would extend the development time but mean that the final product is less likely to have vulnerabilities that security teams need to monitor, update, and patch.

“When a car rolls off the assembly line, you don’t say ‘let’s add quality tests now!’—it’s built into the manufacturing process. If you don’t have the right level of quality, you start having defects. And if the defects are severe enough, you start having recalls, which are very expensive, take a lot of time, and have a big cost to your brand and reputation,” explains Bob.

“And security is the same—especially when it comes to development. It’s very hard to retrofit security into applications, so the ideal scenario is that you include security in the design and then follow that throughout the application’s lifecycle.”

The main pushback to this approach is that many developers aren’t trained on how to write code securely. Rather than ignoring this approach, we should address these issues by educating developers on good security hygiene, says Bob.

Remaining Focussed As The Cloud Evolves

We’re living through a turbulent time, not only in the realm of cybersecurity, but in the world in general, with many countries across the globe experiencing geopolitical unrest and economic downturn. This, says Bob, means that many organizations are accelerating their journey into the cloud, in order to benefit from its flexibility, agility, and scalability.

As we move further into 2023 and more businesses migrate to the cloud to leverage these benefits, it’s important to be aware of some of the emerging technologies out there.

“There’s a lot of chatter about ChatGPT and other AI -based entities, and we’re very focused on understanding how to leverage those types of environments so that we’re bringing more value to the market. But we also need to understand what the negative consequences are for us.

“You can use any tool for good, but there’s the other side of the coin, when that tool can also be used for nefarious purposes.”

Palo Alto Networks plans to continue to support their customers through this evolution by focusing on providing multi-layer security—across infrastructure, workloads and containers, multi-cloud networks, and software supple chains—via a unified, consolidated platform.

“Reducing complexity and the number of tools is our core value. We have integrations with our other products […] and integrations with other vendors that offer different classes of tools.”

“Most organizations want one place to look at everything. As much as we’d like them to use our window on the world, that’s just not what happens in a lot of cases. Being able to integrate with these other tools becomes important to understanding the broad clinical ecosystem and the different tools that organizations use, and integrate things as tightly as possible.”

Listen On Spotify

Listen On Apple Podcasts

About Expert Insights

Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions. You can find all of our podcasts here.