Six Key Alignments for CISOs on Cloud Security

September 21, 2017

Many CISOs and security teams struggle to develop and execute an effective cloud security strategy, especially one that can keep up with the new technologies being deployed every day. Security leaders must gain a foothold in the cloud to achieve positive outcomes, but first they must understand the fundamental difference cloud brings to the market. Spoiler alert: It's NOT just someone else's data center.

The execution of a cloud initiative is arguably more of a business strategy than a technology decision. This is even more apparent as the chasm between early adopters and the early majority has been crossed in the market. 

Cloud is no longer relegated to Silicon Valley startups and small businesses; few large enterprises remain that have not begun to shift to the cloud. One of the major changes is the removal of the burden of provisioning infrastructure, which is now expressed as software and is often integral to the application itself.

An advanced cloud application and the infrastructure on which it is deployed are indistinguishable from each other. This means that the application now dictates the infrastructure on which it runs. This is a fundamental shift in focus away from data center infrastructure to application infrastructure. This focus on applications has also changed the nature of security in the cloud, which now relies more heavily on the application team or the cloud migration team. As a result, traditional security teams are often required to react to the sudden switch to the cloud rather than being integrated into the process.

In addition to this challenge, most security teams lack the training and exposure to the cloud environment to be ready to successfully implement a comprehensive cloud security program. 

Because the conversations between cloud service providers and their clients are often business strategy discussions, security is usually a lightly covered topic. However, as the early majority group moves to the cloud, security concerns are beginning to create slowdowns in adoption. The cloud service providers' reaction to this has been to invest publicly in cloud security programs to assuage these concerns.

While this investment is a great step forward, comprehensive and programmatic cloud security is often skipped over in most cloud migration programs. In this period of early majority adopters of cloud, it is critical that the security community adapts to the new skills and relationships required to build effective cloud security programs. Specifically, security teams need to invest in resources with cloud application development, DevOps and cloud architecture skills. These skills are required to integrate security strategy and controls into the cloud. There is great opportunity to leverage the cloud itself and the resources available in artificial intelligence and analytics for security. The challenge to security teams and CISOs is to make the pivot quickly so they can be included early in this shift.

Key points on which CISOs and cloud teams should align:

  1. Cloud is a business velocity shift, not a technology choice.
  2. It is critical to get security teams real-world application development and cloud architecture experience—either through co-op programs in development teams, boot camps or outside hiring.
  3. A joint cloud governance model should be established between the cloud and security teams.
  4. Data classification and threat profiles should govern the level of maturity of the security solutions applied to each app.
  5. Teams should focus on core security outcomes when designing cloud security architecture. 
  6. Automation and orchestration tools should be leveraged as a way to build better compliance and establish security teams in the cloud.

Developing a comprehensive security strategy before undertaking any cloud transformation is key to minimizing the level of exposure. Enforcing security in cloud workloads is often overlooked and underestimated.

By: John Turner

Senior Director, Cloud Security
