Congratulations on your organization’s adoption of cloud computing and your strategic embrace of cloud as a way to improve agility and support digital transformation. Now that you, your business colleagues, and your technical leadership have made this important decision, you need to tackle a vital issue–what to do about your cybersecurity team.
I know what some of you may be thinking. “No worries, we’ve got that covered. We’re outsourcing that to the cloud service provider.” Or, you may think your worries about cybersecurity in the cloud are moot because you already have a rock-solid, tried-and-true cybersecurity framework that has met service-level agreements, avoided headline-inducing data breaches, and ensured regulatory compliance.
Now, before I go any further, let me emphasize a relevant issue about my point of view: I’m not a Chief Information Security Officer, nor do I run cybersecurity for my organization. But in my role overseeing infrastructure, distributed systems, and, yes, cloud, for a leading e-commerce platform company for the travel industry, I’ve seen the dramatic shift from an on-premises security mindset to a cloud security mindset.
What have I learned, and how can those lessons benefit business executives who want to ensure rock-solid security in a cloud architecture? First, it’s important for business leaders to understand that you can’t “lift and shift” your legacy cybersecurity approaches from on-premises infrastructure to the cloud. That’s because most legacy IT shops just don’t have the right frame of reference for how applications are being developed and deployed in the cloud. So don’t expect your CISO to tell you what a piece of cake it’s going to be.
Second, be aware that your security teams are going to need new types of training on cloud architecture so they can properly plan, architect, and deploy your production applications in the cloud.
And finally, you need to ready the organization for a new mindset–one where security teams are tightly integrated from the start with the developers and business units. Call that what you will: “shifting left,” DevSecOps, or integrated security. Those are semantics; your cybersecurity teams are going to work alongside anyone who plans, develops or uses applications.
In today’s cloud-centric business processes, your cybersecurity team must become part of the comprehensive application framework in order to speed the velocity necessary to get into users’ hands faster–and, of course, more securely.
Doing so will bestow upon your organization a host of operational efficiencies, including a higher level of confidence that security policies are being applied in more prescriptive, proactive, auditable, and automated manner. That last part–automation–cannot be emphasized enough. In a business model where applications are being developed, released, updated, re-released–again and again–manual security processes are a killer. They don’t scale fast enough and wide enough, so you’ve got to get your teams out of manual labor like applying patches or updating policies and replace them with intelligent, automated tools.
It’s Not About Cutting Heads
And, before your CFO starts counting the savings by reducing headcount in the cybersecurity operation, understand that moving to the cloud should not be seen as a way to cut full-time equivalents. Instead, you need to think about how those security professionals can be better deployed as an integrated part of the application development and continuous improvement framework.
This is what the often-discussed shared responsibility model for cybersecurity is about. When you hire a cloud service provider, you obviously benefit from their broad and deep experience and expertise. This is not mean you are outsourcing cybersecurity to your service provider.
Having worked previously at Amazon Web Services and being involved in developing their first security exam, I understand the power of this approach. The combination of an experienced cloud platform provider handling security “of the cloud” (hardware and software infrastructure) and internal teams handling security “in the cloud” (customer data, access/identity management, configuration, encryption, and authentication) allows you to cover all the security bases with a minimum of overlap or redundancy.
You’re not reducing your security team’s importance or headcount; you’re just putting them to better use.
Questions Business Leaders Should Ask
So, what do business executives in the corner office or in the boardroom need to know, and what questions should they be asking the CISO about the redeployment of cybersecurity teams as the organization shifts to the cloud?
- How are we integrating security–deeply and from the very start–into the application development pipeline?
- Do your existing team members have the right skills and context to achieve their new mission? And if not, how will they get that?
- Are we actually changing our security practices to make them more proactive, predictive, and automated, or are we applying our traditional approaches to the cloud?
- Can our security team work as equal partners with developers and business unit stakeholders in the rapid pace of DevSecOps in a way that applies security to the process without causing friction to slow everything to a crawl?
I recently read an article highlighting opinions of security professionals about how the move to the cloud affects security team members. One, in particular, stood out:
“Information Security professionals must learn what secure and insecure look like in the cloud, and then apply that knowledge to all the settings exposed by cloud service providers.”
Before the cloud, it was always tempting to view information security team members in the way we assessed umpires in a baseball game: The less we noticed them, the better a job they were doing. But moving to the cloud changes the rules of the game. We need the entire DevOps process to be more focused on security, and that means integrating our security team members into the development process upfront, rather than having them be an afterthought. When they are working shoulder-to-shoulder with developers and business unit members to ensure that applications are always secure and available as part of the normal workflow, they can make a bigger impact and avoid acting as bottlenecks that slow down the process.
So, congratulations again on taking a major step forward in your journey to digital transformation by embracing the cloud. Just make sure you bring your security team along for the ride.
A.J. Wilson is Vice-President for infrastructure, distributed systems, and cloud at Travelport, a leading e-commerce platform provider for the travel industry.