Five Cloud Security Considerations for CISOs

This article was originally published on the RSA Conference site.

How should cybersecurity leadership be adjusting and reacting as cloud strategies and systems expand within their organizations?

When moving to the cloud, the question for CISOs becomes: How do we make sure that our cloud is at least as secure, if not more secure, than the legacy on-premises environment from which we’re moving? It’s an essential question to answer. After all, data from the SANS 2020 IT Cybersecurity Spending Survey shows the biggest factor that is causing existing security architectures to break, and thus causing much of the new security spending, is the rapid movement of business apps and services to cloud-based technologies.

That’s because a move to the cloud is about much more than just migrating workloads to servers hosted by a third party; the cloud represents a new way of doing business, new technologies supporting the business, new rules around ownership and responsibility, and new cybersecurity considerations to take into account.

For CISOs, the path forward into the cloud must be preceded by strategy. As you’re devising your cloud security plan, here are five things to keep in mind.

1) Understand Your Business Drivers

Step one for CISOs is figuring out your cloud roadmap, which means you need to assess your organization’s risk appetite and business drivers. There are many different ways to adopt the cloud—you can go with a single cloud provider, multi-cloud or a hybrid cloud architecture; you can dip your toes in by moving one workload to the cloud, take a phased approach or go whole hog into the cloud. From a leadership perspective, it’s really about understanding your business drivers and what critical security controls need to be in place to support these goals. Once you’re able to identify your reasons for moving to the cloud, you’ll be better able to lay out your objectives and roadmap to accomplish what you need to in year one, two, etc.

2) Build a Deep Technical Bench

With the move to cloud, cybersecurity needs to be prepared to evolve. It’s gotten to the point, in terms of industry momentum, where every cybersecurity professional has to be knowledgeable about the cloud to varying degrees. As a CISO, you need to make sure that your security team is staffed with people who know about the features of the various clouds you are deploying, what those services are used for and the configuration settings for that particular cloud. With the current shortage of skilled workers, many CISOs are getting creative and investing in cloud-focused cybersecurity training to reskill current staff.

3) Enable Automation

One of the big concepts of the cloud is that it makes automation substantially easier compared to the pre-cloud environment where people had to set up their own duplicative infrastructures to spin things up. You’re not taking full advantage of all the cloud benefits if you’re not implementing automation and DevOps, too.

4) Focus on Applications

The move to the cloud has abstracted the servers and hardware away, changing the rules of the game when it comes to ownership. Cloud providers operate on a shared responsibility model, where the provider is responsible for certain layers, but the customer is responsible for data and applications. In order to keep all your organization’s information secured, prepare your team to focus more on understanding the application layer, where their responsibilities likely lie. The issue of shared responsibility had a spotlight shined on it last year with the highly publicized Capital One data breach that brought into question whether AWS or Capital One was at fault.

5) Enhance Visibility

In the wake of that Capital One data breach, AWS enhanced some of the services that had played a part in the breach. It also added tagging functionality that identifies which version of the service is being used. That extra data gives companies more insight into the things that could be going wrong. Visibility — one of the top cloud concerns expressed by respondents to the SANS 2019 Cloud Security Survey — is key in the cloud. This ties back to the need to build a deep team with a strong technical knowledge base. Yes, your team needs to know what attacker behavior and common attacks look like, but they also need to know what features are available within the cloud services that would ultimately help you detect malicious and anomalous behavior.

About Frank Kim: As a security executive, advisor, and educator I help you shape your strategy, master your message, and champion change to build business driven security programs. For more, visit frankkim.net

Nicholas Hughes

Former CEO of EITR Technologies (successful exit) | Automator of Things | Just a Guy? | The Salt Guy | Pipe Symbol Enthusiast | Are you seriously still reading this?

4 years

Great article! #3, "enable automation", is a huge one. Such an important factor in ensuring consistent deployment of technical controls.
