I recently sat down with Susan Mauldin to hear her perspective on security and the cloud, a hot topic amongst IT and security professionals.
Two things struck me.
First, the CISO role has evolved to managing risks. Attacks are constant, a breach may happen, but how do you limit its exposure? How do you communicate and preserve confidence in your brand? This is similar to other mature business functions. Product leaders live with bugs, even serious ones, but manage around them. CIOs routinely handle system outages and performance issues.
Second, rather than getting hung up on physical ownership, the forward-thinking CISO looks at the cloud as just another third party system with the need for transparency, controls, and trust. Sometimes looking at the problem differently makes it much easier to solve.
I’ve summarized Susan’s observations, or you can watch the full interview below.
Security has gotten more challenging. Over the past couple of decades, information security challenges have grown from simple threats like worms and viruses and website defacements in the early days, through an era of organized crime in the late ‘90s and into the 2000s. In today's environment, fully funded, well staffed adversaries can pretty much get to any asset that they decide to target.
Evolution of the CISO role
The CISO role has evolved in two big ways. First, a level of militarization has occurred to protect against attacks. CISOs look for things that might be active inside the company that would cause them concern and then of course they look to respond, detect, contain and deflect those threats as much as possible. At the same time, CISOs play an increasingly strategic role in managing risks regarding information loss and brand damage – maintaining a line of communication with their executives and board of directors. This contrasts with the historically more narrow, technical CISO focus that evolved from IT network security.
Cloud and Security
Over the last five years security leaders have become much more supportive of the use of cloud for enterprise applications. They now perceive cloud as a business enabler. Security teams aim to provide secure access to cloud services rather than resist them. Each enterprise has a unique culture that needs to be understood, but ultimately it is about trading off risks/reward with the move to cloud.
Securing the cloud
- Cloud is no different from any other third party solution that the enterprise does not directly manage. CISOs should apply typical third party risk management programs, with thorough checklists covering physical security, network security, etc. Added levels of controls over the data itself – such as encryption of the data at rest and in motion and in use and in transfer – are also needed. For sensitive PII data, tokenization or obfuscation of that data would be an additional control.
- Compliance certification provides additional assurances around privileged users – an important area to cover with third parties. CISOs need to come up with a unified control framework around data and the environment and evidence to prove that those controls are working effectively.