Compliance != Security (Except When It Might Be)

Tuesday, January 16, 2018 - 4:00 pm–4:30 pm

Rob Clark, Cloud Security Leader at IBM


What do all cloud compromises (probably) have in common? They took place in SOC2 data-centres and on ISO27k systems and security management—we all know that Compliant != Secure. So why at IBM did we completely restructure our approach to security and model the way we do business around two sets of NIST guidance!?

In this talk I will describe how we built a security team to support the DevSecOps approach to secure development, decreased complexity in our cloud deployments, and drove security feature functionality into platform offerings. We built a security organisation that aligned to NIST 800-53 revision 5 (draft) guidance and measured itself using the NIST Cyber Security Framework. We made individuals personally responsible for understanding how particular controls are met across the entire cloud (200+ services and acquisitions, 53 data centres) and, more importantly, for devising how these controls can be measured.

Robert Clark, Cloud Security Leader at IBM

Rob Clark is a Distinguished Engineer at IBM, where he is the CTO for cloud infrastructure security and responsible for the overall security posture of the IBM Cloud. Rob has a passion for building teams and solving hard problems. Rob is a keen contributor to Open Source software, having previously led the OpenStack security project, which won the Linux Foundation's Core Infrastructure award for best practices around Security, Quality and Stability.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {208141,
author = {Robert Clark},
title = {Compliance != Security (Except When It Might Be)},
booktitle = {Enigma 2018 (Enigma 2018)},
year = {2018},
address = {Santa Clara, CA},
url = {},
publisher = {USENIX Association},
month = jan
}
