The days of debating cloud computing have ended. Most organizations are in the cloud, having migrated applications, data and services in response to advances in technology and recent business transformations.
As shifts in consumer expectations and technology continue to change how organizations collect, store and share valuable data, protecting that data from both commodity and advanced persistent threats becomes even more complex.
CISOs must be ready to assist IT and security teams with the ever-changing world of cloud security. To help, here are three questions every CISO should be able to answer regarding their cloud security posture.
1. Does your risk appetite align to your cloud strategy?
There’s a good chance you’ve worked to understand your organization’s risk appetite. But it’s important to consider risk appetite from a cloud strategy perspective as cloud operating models inherently introduce new security risks.
Many factors can influence an organization’s risk appetite, including the following:
- industry’s regulation and compliance landscape;
- knowledge and experience of all employees;
- number and location of employees;
- hardware and software modernization status;
- IT and business goals;
- maturity of governance processes and procedures;
- prior cyber threat events; and
- unique customer base.
Risk appetite is unique to each business: the CISO of a medical device startup will accept a different set of risks than the CISO of a traditional bank.
Once you establish a risk appetite profile, assess if that measure aligns with your organization’s governance, risk and compliance requirements.
Cloud and cybersecurity strategies should operate in lockstep. At a minimum, IT security teams should understand the challenges posed by the different cloud deployment models (public, private, hybrid and multi-cloud) and the shared responsibility split that each implies. They should also be educated on cloud security best practices, including cloud-native security platforms that provide visibility into and an inventory of cloud assets.
If cybersecurity and cloud strategies aren’t on the same page, it’s time to revisit both.
2. Is your cybersecurity model mature enough for cloud?
This question can be difficult to answer depending on your organization’s security capabilities and prior investments.
Integrating cloud into your existing enterprise security program is not about adding more controls or tools. It requires an assessment of your resources and business needs to develop a fresh approach to your culture and cloud security strategy.
A cohesive hybrid or multi-cloud security program rests on three things: visibility into every environment, control over how workloads are deployed and configured, and a threat management process that ties detection and response back to those workloads.
Gaining visibility with the right tools is fundamental for every security team. Yet, determining whether a security model is mature enough for cloud is not something a CISO knows from overseeing day-to-day security operations. Rather, the answer should be heavily informed by the results of a security posture management assessment.
Perform security posture management exercises on a continuous basis. Such assessments are designed to provide actionable intelligence about an organization’s existing security operations programs and overall breach readiness through constant monitoring and auditing.
Not all cybersecurity models were designed to support today's cloud operating models. A cloud security posture management (CSPM) tool can automate the identification and remediation of misconfigurations across IaaS, PaaS and SaaS environments. You can also use CSPM for risk visualization and assessment, incident response, compliance monitoring and DevOps integration, and such tools can apply a single set of cloud security best practices uniformly across hybrid, multi-cloud and container environments. One caveat a practitioner will want: automated remediation changes production configuration, so gate it with the same change-approval and rollback controls you apply to any other infrastructure change, and start with alert-only mode until the rules are tuned.
By taking the time to assess the maturity of your cloud cybersecurity model, you are closer to anticipating the moves that IT and security teams may need to take to protect data from the next unexpected technology advancement or shift in consumer behavior. You are also one step closer to optimizing your security strategy to align with cloud-related business requirements.
3. Have you shifted your cybersecurity model left?
A shift left involves incorporating security measures and testing best practices throughout the application development lifecycle, with the aim of finding and fixing vulnerabilities earlier, when they are cheapest to correct. This approach requires investment in a DevSecOps mindset and capabilities. When properly implemented, it can speed time to market as well as save engineering effort and money.
Here are questions to assess your DevSecOps maturity:
- Are your cloud environments optimally configured to reduce risk via automation?
- Have you adopted infrastructure-as-code, security-as-code or compliance-as-code frameworks that incorporate security threat modeling into your architectural design?
Application development has already undergone this shift left thanks to the prevalence of Agile development best practices and advances in cloud technology. For example, automated continuous integration/continuous delivery testing, container platforms and easily consumable public cloud provisioning resources are all becoming more prevalent. Security operations is automating in parallel: extended detection and response (XDR) and security orchestration, automation and response (SOAR) tools can triage routine security operations center alerts, orchestrate an appropriate response and open and update service tickets so incidents are accounted for, all without human intervention for the routine cases and with escalation to an analyst for the rest.
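The CSPM automation described under question 2 and the security-as-code and compliance-as-code checks asked about under question 3 are the same technique seen from two sides: rules expressed as code, run against an inventory of cloud resources, producing findings, a CI gate and (optionally) a remediated configuration. The following is an added example written for this page, not code from the author or from any CSPM product. The inventory, field names (`type`, `public`, `encrypted`, `ingress`, `logging`) and rule identifiers are all constructed assumptions chosen to keep the example self-contained; a real tool would read them from a cloud API or from infrastructure-as-code files.

```python
"""
Policy-as-code posture checks over a constructed cloud inventory.
Added example for illustration; the resource schema, rule names and
sample data are assumptions, not any real CSPM product's format.
"""
import copy
import ipaddress

# Constructed sample inventory (not real data). Each resource is a plain
# dict; the field names are assumed for this example only.
SAMPLE_INVENTORY = [
    {"id": "bucket-public-assets", "type": "bucket", "public": True, "encrypted": True},
    {"id": "bucket-backups", "type": "bucket", "public": False, "encrypted": False},
    {"id": "sg-web", "type": "security_group",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "0.0.0.0/0"}]},
    {"id": "sg-db", "type": "security_group",
     "ingress": [{"port": 5432, "cidr": "10.0.0.0/8"}]},
    {"id": "db-orders", "type": "database", "encrypted": False, "logging": False},
]

ADMIN_PORTS = {22, 3389}                      # SSH and RDP
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def _is_any_source(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. an ingress rule open to the world."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


# Each rule returns (rule_id, severity, remediation text) or None.
def rule_public_bucket(r):
    if r["type"] == "bucket" and r.get("public"):
        return ("BUCKET_PUBLIC", "high", "bucket is world-readable; set public=False")


def rule_unencrypted_storage(r):
    if r["type"] in ("bucket", "database") and not r.get("encrypted", False):
        return ("STORAGE_UNENCRYPTED", "medium", "not encrypted at rest; enable encryption")


def rule_admin_port_open_to_world(r):
    if r["type"] != "security_group":
        return None
    bad = sorted(i["port"] for i in r["ingress"]
                 if i["port"] in ADMIN_PORTS and _is_any_source(i["cidr"]))
    if bad:
        return ("SG_ADMIN_OPEN", "high", f"admin port(s) {bad} open to any source; restrict CIDR")


def rule_db_logging(r):
    if r["type"] == "database" and not r.get("logging", False):
        return ("DB_LOGGING_OFF", "low", "audit logging disabled; enable logging")


RULES = [rule_public_bucket, rule_unencrypted_storage,
         rule_admin_port_open_to_world, rule_db_logging]


def evaluate(inventory):
    """Run every rule over every resource and return a list of findings."""
    findings = []
    for r in inventory:
        for rule in RULES:
            hit = rule(r)
            if hit:
                rule_id, severity, fix = hit
                findings.append({"resource": r["id"], "rule": rule_id,
                                 "severity": severity, "remediation": fix})
    return findings


def remediate(inventory):
    """Return a remediated copy of the inventory; the input is not mutated.
    Only run something like this in production behind change approval."""
    fixed = copy.deepcopy(inventory)
    for r in fixed:
        if r["type"] == "bucket":
            r["public"] = False
        if r["type"] in ("bucket", "database"):
            r["encrypted"] = True
        if r["type"] == "database":
            r["logging"] = True
        if r["type"] == "security_group":
            r["ingress"] = [i for i in r["ingress"]
                            if not (i["port"] in ADMIN_PORTS and _is_any_source(i["cidr"]))]
    return fixed


def gate(findings, threshold="high"):
    """CI gate: True (pass) only if no finding is at or above the threshold."""
    limit = SEVERITY_RANK[threshold]
    return not any(SEVERITY_RANK[f["severity"]] >= limit for f in findings)


if __name__ == "__main__":
    found = evaluate(SAMPLE_INVENTORY)
    for f in found:
        print(f"{f['severity']:6} {f['resource']:22} {f['rule']:20} {f['remediation']}")
    print("gate passes:", gate(found))
    print("findings after remediation:", evaluate(remediate(SAMPLE_INVENTORY)))
```

Run in a pipeline, `evaluate` plus `gate` is the compliance-as-code check that blocks a merge when a high-severity misconfiguration is introduced; `remediate` is the auto-fix path a CSPM tool offers, kept pure (it returns a new inventory) so its proposed changes can be reviewed before they are applied. Note that port 443 open to the world on `sg-web` is deliberately not flagged: the rules encode intent, and a blanket "no 0.0.0.0/0" rule would generate noise that teams learn to ignore.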
As application development and security operations become more automated, this shift left will continue to gain momentum. Make sure your cybersecurity model is keeping up.
About the author
Kristopher Carr has served as CIO, CISO, global risk manager and CTO and is a certified high technology crime investigator with more than 25 years of demonstrated success. He has proven executive leadership directing and integrating cybersecurity strategies with business outcomes, drawing on strong enterprise technology infrastructure design and operations experience. Carr has served with multiple international organizations, where he was responsible for enterprise cybersecurity infrastructure and manufacturing technology programs, incident response and risk management program development and integration, and local and federal compliance across the Department of Defense, financial services, insurance and manufacturing sectors.