Six Key Alignments for CISO's on Cloud Security

Many CISO's and security teams are struggling with developing and executing an effective cloud security strategy, especially one that can keep up with the new technologies being deployed every day. Security leaders must take a foothold in the cloud to achieve positive outcomes, but first they must understand the fundamental difference cloud brings to the market. Spoiler alert: It's NOT just someone else's data center.

The execution of a cloud initiative is arguably more of a business strategy than a technology decision. This is even more apparent as the chasm between early adopters and the early majority has been crossed in the market. 

No longer relegated to Silicon Valley startups and small businesses, there are few large enterprises left who have not begun to shift to the cloud. One of the major changes is the removal of the burden of provisioning infrastructure, which now is expressed as software and often integral to the application itself. 

An advanced cloud application, and the infrastructure on which it is deployed, is indistinguishable from each other. This means that the application now dictates the infrastructure on which it runs. This is a fundamental shift in focus away from data center infrastructure to application infrastructure. This focus on applications also has modified the nature of security in the cloud to rely more heavily on the application team or the cloud migration team. As a result, traditional security teams often are required to react to the sudden switch to the cloud versus being integrated into the process. 

In addition to this challenge, most security teams lack the training and exposure to the cloud environment to be ready to successfully implement a comprehensive cloud security program. 

Because the conversations between cloud service providers and their clients often are a business strategy discussion, security usually is a lightly covered topic. However, as the early majority group moves to the cloud, security concerns are beginning to create slowdowns in adoption. The cloud service providers’ reaction to this has been to invest publicly in cloud security programs to assuage these concerns. 

While this investment is a great step forward, comprehensive and programmatic cloud security often is a skipped-over inclusion to most cloud migration programs. In this period of early majority adopters of cloud, it is critical that the security community adapts to the new skills and relationships required to build effective cloud security programs. Specifically, security teams need to invest in resources with cloud application development, DevOps and cloud architecture skills. These skills are required to be able to integrate security strategy and controls into the cloud. There is great opportunity to leverage the cloud itself and the resources available in artificial intelligence and analytics for security. The challenge to security teams and CISOs is to make the pivot quickly so they can be included early in this shift. 

Key points on which CISO’s and cloud teams should align:

1. Cloud is a business velocity shift, not a technology choice.
2. It is critical to get security teams real-world application development and cloud architecture experience—either through co-op programs in development teams, boot camps or outside hiring.
3. A joint cloud governance model should be established between the cloud and security teams.
4. Data classification and threat profiles should govern the level of the maturity of security solutions applied to each app. 
5. Teams should focus on core security outcomes when designing cloud security architecture. 
6. Automation and orchestration tools should be leveraged as a way to build better compliance and establish security teams in the cloud.

Developing a comprehensive security strategy before undertaking any cloud transformation is key to minimizing the level of exposure. Enforcing security in cloud workloads is often overlooked and underestimated.