How can technology leaders stifle the potential for insider threats?

Sr. Director of Security Engineering in Software, 4 years ago

The failures I see happen when everybody is so narrow-focused on making sure our code is secure and there’s no concept of where it is. For example, I worked at a company where the code-signing USB key was just handed from engineer to engineer based on who was signing a code release that day. Everyone put all this effort into making sure the code itself was secure, but then the person who actually had to sign the code was like, "Oh, just grab the USB key in that drawer." You put so much effort into whatever sounds exciting, whatever the hot buzzword is, but your actual processes are just so broken.

At Rubrik, we have customer data, so we are spending a lot of time on preventing customer data leakage. But it’s something we have to keep reinforcing: it’s great that the code is secure and that we didn't put an API key in it that somebody found on GitHub, but what is our actual process to release that code to get it pushed out to systems? Where's it going? The micro view is good, but sometimes an organization can get so focused on it that the macro view leaves a lot to be desired.

Managing Director in Finance (non-banking), 4 years ago

Most of the breaches happening have been process-related for the most part. If somebody was actually doing the right thing by monitoring code access and data access, most of them wouldn't have occurred. 

I think every one of us knows that while the cloud is fantastic for many things, it really has become far more complex over the last couple of years with all the different products and services being run. And at least for some of my past roles, the cloud is now the primary delivery mechanism for customer or consumer-facing information and applications, making it that much more important that it's secured appropriately versus something that’s more internally-focused.
