Speaking at the MIS CISO Summit and Round Table in Rome earlier this month, Colley said cloud computing is likely to force many CISOs down the path of developing what he calls counter-intelligence skills.
In a workshop co-hosted by (ISC)² and Information Security Forum (ISF) at the Summit, the two groups warned that cloud computing has significant potential to expose any security weaknesses – professional or otherwise – that should have been addressed already.
Colley said that he gets the impression that there is a need to develop skills in counter intelligence to ensure the CISO can be aware of what people in the business are doing.
This is, he explained, not so that they can slap any wrists, but so that they can better understand and engage in the discussions that are taking place.
"If we achieve this, everybody would be following good practice rather than finding ways around the barriers they believe we put in place", he said.
Colley's observations were echoed by Adrian Davis, the principal research analyst with the ISF, who said that, in recent years, the CISO has not always been aware of every activity within the business.
"The accessibility of cloud services and opportunity for any employee with a company credit card to be able to access a cloud-based resource will change this dynamic and require the CISO to become much more engaged with the business", he explained.
During the Rome workshop, the group suggested that there was a need for top management to be more embedded in the business, offering suggestions that ranged from 'working in a matrix structure' to simply 'walking the floor and talking to people.'
One participant noted that job descriptions for CISOs already suggest the need for a "Superman, who knows the technologies, understands threats, compliance, the business and much more", adding that "we need to develop our skills in this whole new area called cloud as well."
Davis concluded that, when managed strategically, cloud computing can allow organisations to manage risks more effectively, but it can also ruthlessly expose the weaknesses in an organisation.
"The poorer the organisation is at managing risks, the more it is exposed", he said.