Intelligent CIO Africa Issue 35 - Page 39

underpin these projects without slowing down innovation.

Why businesses leave the CISO out of cloud projects

The CISO was first bypassed when enterprises started looking to the cloud to enable flexibility, cost savings and a rapid implementation of business initiatives. Unable to keep pace with the hyper-speed needs innate to cloud transformation, the CISO earned the undesirable reputation as the naysayer: “No, it’s not possible to securely deliver a new cloud service within such a tight timeframe. No, we’re not able to guarantee that this service has the desired levels of security without undergoing a significant testing period. No, we cannot recommend investing so aggressively in innovation at the expense of security.”

These roadblocks are at odds with the modern enterprise’s hunger for rapid innovation that cuts costs and aids its competitive edge. And as leadership teams have moved to embrace a cloud-first mindset, the split between operations and security teams has become more severe. Businesses are regularly spinning up new workloads and have, in some ways, lost patience with their security leaders. It’s easier to leave the CISO out of the picture until the last minute – in their mind, doing so helps them to get the project across the line. They’ve ended up adopting an ‘act first, worry later’ mindset – a cavalier approach that leaves them exposed to great risk.

CISOs need to earn their seat at the table. They need to demonstrate that security is needed to enable these business initiatives; to educate their organisation’s strategic leaders about where the real insecurities exist within cloud projects; and, crucially, to reframe how their department is perceived within the business, so that they’re never again seen as the obstacle to innovation.

Where insecurities exist within the cloud

The devil’s in the details when it comes to cloud: if workloads aren’t properly configured or protected, any number of new risks could be introduced to an organisation.

Configuration in the cloud often requires complex and specialised knowledge and training. So, it’s highly likely that an individual lacking the requisite skills or knowledge could configure something incorrectly – or simply have a false sense of security when weak security controls are implemented. These mistakes can leave cloud deployments vulnerable to data breaches and may also lead to lapses in compliance if customer data is left exposed or has crossed the borders of the regulating jurisdiction.

Additionally, many organisations fail to test cloud implementations as robustly as they would on-prem deployments. Again, this is frequently the case when security has been cut out of cloud strategies. Security teams must be involved in the practices and processes that test the security of cloud development, and must have proper oversight of their organisation’s cloud services. These processes need to be incorporated into the overall security programme and not treated as a separate silo.

While the mechanisms for cloud security differ from those of traditional IT products, the goals of risk reduction and continuous compliance are the same. It’s up to the CISO and their team to understand how to translate and implement risk reduction and compliance requirements in the cloud. To minimise risk and maintain continuous compliance throughout the hybrid network, a unified approach is key. That’s why it’s crucial for the CISO to be involved in all cloud transformation activities from the planning