The State of Security 2023: Okta CSO David Bradbury Talks Wins, Challenges, and Roadmaps
Security lives at the nexus of “vitally important” and “constantly changing,” which means lots of opportunity and just as many challenges.
David Bradbury, Okta’s chief security officer, keeps his eye on both Okta’s own security and the overall security landscape — making him an ideal resource for understanding current security best practices and forecasting trends.
Read on to learn a C-suite perspective on security trends, what keeps him up at night, and the one key move that will help companies strategically advance their security practices in the new year.
Okta: What’s exciting to you about the current state of security?
David Bradbury: Many organizations are starting to see tangible, measurable gains coming from our security investments. This makes it easier to get companies on board with security investments. Plus, as individual organizations get safer, the whole ecosystem becomes more secure, which is significant.
There’s this persistent misconception that while security is critical, it also slows down your workforce. That it’s something you need to do, but it won’t necessarily be a win for your teams, just more friction.
It doesn’t have to be!
As I look at Okta’s journey to becoming passwordless, I see an organization that’s more secure and operationally faster. We’ve implemented FastPass, which combines a biometric check with your physical device, to swiftly and securely establish that a user is who they say they are.
This allowed us to deprecate other, bulkier authentication methods like typing passwords because the “possession plus inherence” checks are stronger.
Then it becomes a math equation: How many users do you have, and how often are they entering a password, then reaching for their phone to approve a multi-factor authentication request? If you can save every user 10 seconds every time they log on, every single work day, that scales up to a win for security and efficiency — and that’s something a CISO can easily pitch to the rest of the C-Suite.
O: Definitely a win! What concerns you about the current security environment?
DB: Two things are top of mind for myself and my team.
First, as ecosystems grow, they become more complex. Look at the explosion in the use of SaaS applications across all aspects of every business. If you take inventory of the third-party tooling you’re using, plus any open source, plus the wide array of needed integrations, plus your regular cadence of required security hygiene, it adds up to an increasingly complex and sophisticated environment that’s causing CISOs a few sleepless nights.
This complexity offers adversaries more weak spots to exploit, with the added risk factor of continued reliance on fallible, carbon-based life forms to detect and respond to security threats. I’d like to see significantly more automation in our space and a far greater reliance on silicon-based life forms to keep our companies and our customers safe from harm.
Second, at the same time, we need to improve talent acquisition and training across all the roles within the security team, both technical and non-technical. Good automation doesn’t create itself — we need more application security engineers and more compliance experts, to name a few. Investing in human resources is one of the most significant things a company can do.
Okta is fortunate in that we’re seen as an industry leader, which gives us access to people that are tough to find. Still, I think we all need to uncover more ways to develop the next generation of security practitioners. If you’ve got an employee who’s curious and engaged with security, that’s a real opportunity to promote from within and develop a security resource.
This ties back to automation too. If there aren’t enough security people on staff (or available to hire), how can we do the work needed to make security activities more efficient? That’s our industry’s challenge over the next 12 to 24 months. And if economic shifts lead to less hiring, this challenge only gets more pressing.
O: Are there security wins companies can realize in a potentially slowing economy?
DB: Yes. The common quote here is that necessity is the mother of invention. The new year will bring many examples of security teams thinking differently about how to solve problems, coupling existing tooling with good old ingenuity.
Security is generally an area where companies of all sizes are willing to invest, regardless of the macroeconomic conditions. But I think the future will bring much more emphasis on “value-added” security activities. If we use a certain level of security tooling, does that free up our employees to work in other areas that drive our business forward?
Given the incremental functionality that the leading Zero Trust providers add to their products month after month, there may also be an inflection point for concepts like Zero Trust, as well as opportunities to rationalize and simplify your security stack.
If the business is slowing down operationally, it’s an excellent opportunity to pause and ask a simple question: what tooling do you have assigned to each security domain?
Our popular State of Zero Trust Security annual report shows that Zero Trust is still in everyone’s plans, especially given the focus by policymakers on requiring Zero Trust implementation. So we’re confident in our plan to continue helping our customers with their Zero Trust roadmaps and educating the market with data and insights.
Strong authentication is Okta’s core competency, and gaining quick wins for our customers on their Zero Trust journey only gets them closer to a security program with solid foundations.
In all, it’s shaping up to be another challenging year, but one where foundational investments in security will continue to pay dividends for years to come.
Curious about the journey toward Zero Trust or just getting started? Download our State of Zero Trust Security annual report.