underpin these projects without slowing
down innovation.
Why businesses leave the CISO out
of cloud projects
The CISO was first bypassed when
enterprises started looking to the cloud to
enable flexibility, cost savings and a rapid
implementation of business initiatives.
Unable to keep pace with the speed that
cloud transformation demands, the CISO
earned the undesirable reputation of the
naysayer: “No, it’s not possible to securely
deliver a new cloud service within such a
tight timeframe. No, we’re not able to
guarantee that this service has the desired
levels of security without a significant
testing period. No, we cannot recommend
investing so aggressively in innovation at
the expense of security.”
These roadblocks are at odds with the
modern enterprise’s hunger for rapid
innovation that cuts costs and sharpens its
competitive edge. And as leadership teams
have moved to embrace a cloud-first
mindset, the split between operations and
security teams has become more severe.
Businesses are regularly spinning up new
workloads and have, in some ways, lost
patience with their security leaders. It’s
easier to leave the CISO out of the picture
until the last minute; in their minds, doing
so helps them get the project across the
line. They’ve ended up adopting an ‘act first,
worry later’ mindset, a cavalier approach
that leaves them exposed to serious risk.
CISOs need to earn their seat at the table.
They need to demonstrate that security is
needed to enable these business initiatives;
to educate their organisation’s strategic
leaders about where the real insecurities
exist within cloud projects; and, crucially, to
reframe how their department is perceived
within the business, so that they’re never
again seen as the obstacle to innovation.
Where insecurities exist within
the cloud
The devil’s in the details when it comes
to cloud: if workloads aren’t properly
configured or protected, any number of new
risks can be introduced to an organisation.
Configuration in the cloud often requires
complex and specialised knowledge and
training, so it is likely that an individual
lacking the requisite skills will configure
something incorrectly, or will believe a
deployment is secure because a control is
present when that control is weak or does
not address the actual exposure. These
mistakes can leave cloud deployments open
to data breaches and may also cause lapses
in compliance, for instance if customer data
is left publicly accessible or has been stored
in a jurisdiction that the applicable data
protection rules do not permit.
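The two compliance failures just described, customer data left publicly readable and customer data stored outside the permitted jurisdictions, are exactly the kind of misconfiguration a security team can check for mechanically if it is involved early. The following is an added illustration, not code from the article or from any cloud provider: it runs a simple policy check over a constructed inventory of storage configurations. The record shape, field names, region names and the allowed-region set are all assumptions made for the example; it also flags the ‘false sense of security’ case where encryption at rest is switched on but the store is still world-readable.

```python
# Added example, not part of the article: a small policy check over cloud
# storage configuration records. It flags the two failure modes the text names
# (customer data left publicly exposed; data stored outside the jurisdictions
# the organisation is allowed to use) and one "false sense of security" case:
# encryption at rest switched on while the data is still world-readable.
# The record shape and field names are assumptions for illustration, not any
# provider's real API.

from dataclasses import dataclass

# Assumed residency boundary for this organisation's customer data.
ALLOWED_CUSTOMER_DATA_REGIONS = {"eu-west-1", "eu-central-1"}


@dataclass(frozen=True)
class StorageConfig:
    name: str
    region: str
    public_read: bool            # anyone on the internet can list/read objects
    encrypted_at_rest: bool      # server-side encryption enabled
    holds_customer_data: bool    # classified as regulated customer data


def check_storage(cfg: StorageConfig,
                  allowed_regions=ALLOWED_CUSTOMER_DATA_REGIONS) -> list[str]:
    """Return the findings for one storage configuration (empty list = clean)."""
    findings = []

    if cfg.public_read:
        # Encryption at rest does not help here: the provider decrypts for every
        # authorised reader, and "public" makes everyone an authorised reader.
        if cfg.encrypted_at_rest:
            findings.append("public read access (encryption at rest does not "
                            "prevent exposure of a world-readable store)")
        else:
            findings.append("public read access")

    if cfg.holds_customer_data:
        if cfg.region not in allowed_regions:
            findings.append(f"customer data stored in {cfg.region}, outside "
                            f"allowed regions {sorted(allowed_regions)}")
        if not cfg.encrypted_at_rest:
            findings.append("customer data not encrypted at rest")

    return findings


def audit(configs, allowed_regions=ALLOWED_CUSTOMER_DATA_REGIONS) -> dict[str, list[str]]:
    """Map each store name to its findings; clean stores map to an empty list."""
    return {c.name: check_storage(c, allowed_regions) for c in configs}


# Constructed sample inventory (not real infrastructure).
SAMPLE_CONFIGS = [
    StorageConfig("billing-exports", "eu-west-1", public_read=False,
                  encrypted_at_rest=True, holds_customer_data=True),
    StorageConfig("marketing-assets", "eu-west-1", public_read=True,
                  encrypted_at_rest=False, holds_customer_data=False),
    StorageConfig("support-attachments", "us-east-1", public_read=False,
                  encrypted_at_rest=True, holds_customer_data=True),
    StorageConfig("analytics-dumps", "eu-central-1", public_read=True,
                  encrypted_at_rest=True, holds_customer_data=True),
]


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIGS).items():
        status = "OK" if not findings else "FAIL"
        print(f"{status:4} {name}")
        for finding in findings:
            print(f"       - {finding}")
```

Run as a script, the sample inventory passes only the billing store; the marketing store is public, the support store keeps customer data in a region outside the assumed boundary, and the analytics store is encrypted yet still world-readable. The point for the CISO is that a check like this belongs in the cloud deployment pipeline from the start, not in a review after the workload is live.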
Additionally, many organisations fail to test
cloud implementations as robustly as they
would on-prem deployments. Again, this
is frequently the case when security has
been cut out of cloud strategies. Security
teams must be involved in the practices and
processes that will test the security of cloud
development and have proper oversight of
their organisation’s cloud services. These
processes need to be incorporated in the
overall security programme and not treated
as a separate silo.
While the mechanisms for cloud security
differ from those of traditional IT products,
the goals of risk reduction and continuous
compliance are the same. It’s up to the
CISO and their team to understand how to
translate and implement risk reduction and
compliance requirements in the cloud.
To minimise risk and maintain continuous
compliance throughout the hybrid network,
a unified approach is key. That’s why it’s
crucial for the CISO to be involved in all cloud
transformation activities from the planning
INTELLIGENTCIO
39