Cybersecurity and Cloud Expo Q&A with Mike Bursell, Chief Security Architect, Red Hat

26, February, 2019




Could you define your job role details and your day-to-day routine?

As Chief Security Architect at Red Hat, I’m part of the Office of the CTO. My responsibilities can be split into three main parts:

– talking about the value and importance of security – this has a broad remit and includes everything from speaking at industry conferences to internal “town hall” events, alongside press and analyst conversations and, of course, meeting with customers. My conversations are generally not product-specific, typically revolving more around technology impacts, process (e.g. DevSecOps), culture or architecture.

– encouraging joined-up thinking about security across our product portfolio – this can be anything from encouraging product managers to embrace crypto-agility to working with senior architects on protocol improvements for upcoming releases.

– looking 18 months to ten years into the future, and trying to understand what’s coming up that might affect Red Hat, its partners and customers, and, more widely, the industry and open source community.

Some of the things on my radar include Trusted Execution Environments, Quantum Cryptography and Homomorphic Encryption, but it’s not all technical: changing expectations around risk management at the C-suite level is also of interest, for example.

A typical day might include writing a byline article, attending a stand-up weekly meeting for a proof of concept project I’m running, reading a white paper on blockchain, working on a presentation for a conference or internal meeting and planning a trip to meet various customers in the US or Asia. It’s a varied role!


How is your organisation approaching cybersecurity?

Our approach to security is to build it into our products – and services – throughout their lifecycle. As a vendor of products based on open source, that includes evaluating the code that we put into our products and supporting customers with a dedicated Product Security team that analyses threats and vulnerabilities against our products and provides relevant advice and updates.


What were the biggest challenges in 2018?

2018 was overshadowed by the various hardware-associated vulnerabilities like Spectre and Meltdown (Red Hat was involved in getting mitigations out in the very first wave of responses) but there was a lot more going on. Customers are really beginning to get their heads around the fact that security isn’t just about features and functionality, but about process and culture as well, which is why DevSecOps is such a hot topic at the moment. It’s not simple, though, and we’ve spent quite a lot of time trying to work out how best to spread the message in ways that are appropriate for the various audiences. That in itself is a challenge: developers are becoming very powerful, but security doesn’t stop with them. It’s something which permeates up through compliance managers, enterprise architects, operations, and all the way to the C-suite, though the manner in which they consume the message is different for each function and layer.


What are you most looking forward to at the show?

It’s always good to see what the industry is showing at booths, so I ensure that I take time to walk the exhibition floor, but even more important is attending sessions and finding out what the rest of the community has at the top of its agenda. I’ve also come to realise over the past few years that the “hallway track” – meeting and getting to know people outside the sessions – is an extremely valuable part of any conference: I particularly look forward to meeting some of the other speakers, as there’s a very good cross-section of the industry represented.