There aren’t many CEOs who do double-duty as cybersecurity experts, but in today’s digitally-transformed world, cyber risk management is an essential part of every leader’s job. CEOs whose businesses make news headlines because of a data breach can testify to the devastation a cyber-attack can cause.
So as your organization makes the move to the cloud, managing security risks should be on the top of your list. You might not know a firewall from a multi-factor authentication framework, but you can ask a few questions that will help your teams prioritize security without losing sight of the bigger picture:
Is your IT culture ready to embrace cloud security?
The cloud dramatically improves speed and cuts capex. Those are compelling benefits, but they can have unintended consequences. If you expect to head to the cloud without taking a hard look at your IT organization’s culture, you may be courting disaster. Here’s why.
The pressure to quickly deliver cloud services can tempt even conservative cloud professionals to take security shortcuts. Consider adopting a “DevSecOps” organizational model to put security on equal footing (and on the same timetable) with DevOps staff. Construct incentives carefully and make sure security is on par with other priorities. Be prepared to shift infrastructure funds to automated security and ops tools.
What regulatory issues will affect your cloud transition?
If compliance requirements don’t affect your organization, congratulations. For the rest of us, meeting mandates is a part of the job. “Cloud” and “compliance” aren’t mutually exclusive, but there are some things to consider.
Cloud solutions are architecturally different from the solutions that dominated when most regulations were conceived. Mainstream tools used to check the compliance boxes, like security information and event management (SIEM) platforms, become dramatically more expensive when the cloud spins up servers and stuffs log files with abandon.
Victims of some of the most notorious breaches had compliance programs but lacked operational security. If you stop thinking of compliance as a solo act, dollars spent can do double duty to improve operational security. Replace compliance-only products with more automated solutions that leverage compliance results to improve your ongoing security visibility. And make sure your technology partners price their offerings fairly for cloud environments.
Are you prepared to deal with cloud security incidents?
We know by now that we’re never going to firewall our way to perfect security. Your cloud solution will be attacked, and the attackers will likely find an exploitable vulnerability. When the worst happens, you’ll want fast answers to two critical questions (preferably before the press conference): What happened, and how extensive is the damage?
Good news. Your cloud can provide more than enough information to spot and analyze security incidents early and accurately, but you need two things to capitalize on it: practice and the right tools. Regular red team/blue team exercises find latent vulnerabilities and sharpen your team’s hands-on forensic skills.
Help your blue team win with cloud-ready tools that automate investigations and spot problems early in the cyber kill chain. But choose those tools wisely - too many alerts will result in “alert fatigue” and desensitize teams to legitimate threat signals.
Do you understand the cloud’s shared responsibility model for security?
You don’t have to be a cloud expert to manage cloud security risks. But the cloud’s shared security model - which defines where your cloud provider’s responsibilities end and yours begin - is one topic you might want to tackle yourself. It’s the crux of the cloud security challenge and it will impact the investments and initiatives you’ll need to be successful.
Advice? Make sure your teams understand shared security and leverage your provider’s services whenever possible. Providers offer a range of security tools, including firewalls, identity and access management systems, IPS/IDS and more - and they’re well integrated with native monitoring services. So don’t add to the confusion by using third-party alternatives - even if your team is more familiar with them. When you need something your provider doesn’t have, look for offerings that integrate with your provider’s services.
How will your cloud solution work with third parties?
Today’s IT zeitgeist is all about open. “Open” has clear business benefits: it’s easier to outsource non-critical services to expert third parties, and you can readily monetize the online assets you’ve worked so hard to build. At the same time, open systems can be risky - and once you’re in the cloud there’s no grace period. Halfway measures aren’t going to cut it.
Third parties have been implicated in more than a few breaches. Some risks arise when you grant third parties access to your data to provide outsourced customer service or data analysis. Other risks are associated with the use of someone else’s technology. Your developers - whether you know it or not - almost certainly rely on third-party solutions to avoid re-inventing the wheel and to get solutions out faster.
Improved visibility and better situational awareness are the best ways to manage third-party risk. Traditionally, IT professionals could only see the full picture by using detailed log files to piece together interactions. Automated cloud tools can now provide that picture automatically so analysts can focus on remediation and process improvements.
Welcome to the Cloud!
Cybersecurity is now a board-level topic at most companies. Responsible management of risks in the cloud takes leadership and a fresh approach to IT projects and funding. With effective executive leadership, cyber risks can be managed.
The payoffs are worth it: the cloud delivers business innovations faster, reduces capital expenses, and positions you to be more responsive to market changes. It’s nothing short of a revolution. With the right IT culture, careful planning, and investments in cloud-specific security tools, you can look forward to a secure future in the cloud.