As cloud adoption accelerates within well-established businesses and emerges across nearly all industries and company sizes, security executives have been presented with thematic challenges to managing cloud governance, security, and regulatory risk. Protiviti recently held a roundtable of Chicago-area CISOs and Security Leaders to discuss the thematic challenges, share strategies, and gain insight into the lessons learned by their peers. Topics ranged from how to approach security strategy in the cloud, what trends in automation are enabling security organizations to keep up with the speed of business, understanding cloud requirements/compliance, and how companies are enduring or adapting to technology skill gaps.
Key take-a-ways from the event included getting started with cloud, managing the providers, the skill gap, and resources they can use to augment existing knowledge. More on each follows.
Strategy: Where to Begin?
From a strategic viewpoint, companies don’t move to the cloud for the sake of being in the cloud, they are looking to solve a business problem and achieve specific outcomes. Those problems manifest themselves in issues with time to market, challenging compliance issues, or disparate operational models. Understanding the business strategy and ensuring that the security function aligns with those explicit or implicit strategic drivers is key. “Cloud controls for the most part match traditional IT controls. The difference is in how you implement, monitor, and govern those controls.” While many of the traditional controls (such as alerts on specific administrative actions) exist in the cloud, they are now able to more easily be automated through the extensive cloud API’s. Once a team begins their cloud journey, the organization with its eye open to innovation will reap greater capability gains than one focused on legacy methods exclusively. Embracing the speed of innovation while maintaining an effective control framework in alignment with strategy is the new balancing act.
Proper Management of Cloud Service Providers
Like all third-party providers, large Cloud Service Providers (CSPs) need to be governed with the proper risk management and security scrutiny. While similar to other providers in many aspects, organizations must recognize a limited ability to make material changes during the contract negotiation process and adjust their approach accordingly. While the Shared Responsibility Model is a well-traveled discussion point, how it impacted organizational compliance goals led to a spirited discussion. Pay attention to Complimentary User Entity Controls (CUECs) because many organizations make the mistake of believing that either all leading practices are implemented by default within the cloud environment or that the CSP supports the entire technology stack and its configuration. It is vital to have a thorough vetting and subsequent understanding of activities to be performed by the CSP, by the IT Operations team, the security team, and the Internal Audit or governance function.
People/Training
If qualified and experienced security professionals are in short supply, then individuals who are security focused and cloud-capable are even more challenging to hire. Some of the CISOs had “pods” of cloud security teams, either focused on DevSecOps or general Security Infrastructure & Operations tasks in their organizations. The others asked “how do you find them” and the answer was universal: “You can’t.” All of the members who had those teams had to develop them from the ground up. They identified and trained security champions within their organizations as well as selected core individuals from their security teams to round out the pod. Another important skill gap discussed was that of understanding of the technology and the new options it creates for the business at the executive level. “Aligning executives with cloud capabilities, strengths, and drawbacks was key to success.” A recommendation to close this gap was to send members of the C-Suite to executive-focused sessions at regional and national conferences for the cloud provider your organization has aligned with.
Leveraging Existing Leading Practice Sources
The group discussed the below resources during the event as some of the sources that can be immediately leveraged by any organization looking to gain greater understanding:
- Cloud Service Comparison
- AWS Well Architected Framework
- AWS Cloud Adoption Framework
- AWS Security Best Practices
- CSA – Cloud Security Guidance v4.0
- CSA – Cloud Controls Matrix
Randy Armknecht, Managing Director
Security and Privacy
randy.armknecht@protiviti.com