Cybersecurity

Time to Understand and Close the Cloud Skills Gap

Every time a game-changing technology comes around, organizations are forced to scramble to develop, buy, or rent new talent for their IT organizations. It happened when we moved from a mainframe-based hardware model to a PC/LAN-based architecture; it happened when we moved from proprietary operating systems to open systems, and it happened again when we transitioned from physical to virtual infrastructure.

And it’s happening now as we move from on-premises computing to cloud computing. This transition is happening faster than anticipated, because business leaders have recognized that moving to the cloud is much more than just saving on Capex; it’s a way to make organizations faster, more flexible, and more adaptable to changing business needs in the journey to digital transformation. As a result of the rate and scale of this change, it’s putting a lot of stress on in-house IT and security teams to come up to speed quickly on how to support a cloud-first model.

This “cloud skills gap” is real and is growing, and it needs to be acknowledged, confronted, and overcome quickly. If not, many organizations will struggle to leverage the full potential of cloud computing; in so doing, they are likely to lose ground to their better-prepared, nimbler competitors that have put in place a cloud-ready workforce, and in many cases may have been born in the cloud. I recently read about a study conducted by global personnel company Robert Half Technology that pointed out that three quarters of CIOs and IT executives throughout the United Kingdom admitted that many of their IT teams are not up to the task of transitioning to a cloud-based IT model.

Clearly, this trend is not unique to the U.K., or to any geography, industry, or organization size. This cloud skills gap is the “new normal.” So, what do we do about it?

As business leaders, you can’t just order your CIO or CISO go on a college recruiting binge for cloud computing specialists. While some universities and technical institutes are actually offering formal concentrations in cloud computing, there are two challenges associated with this approach: First, there aren’t enough cloud-savvy college students yet, at least not when it comes to adapting those skills to a real-world setting. And second, hiring well-educated cloud technologists really isn’t what organizations need.

We already have many people working in our IT shops and security operations centers with transferrable skills that will let them help their organizations develop, deploy, and manage applications and workloads in the cloud. In a cloud-centric environment, solutions are less about infrastructure and more about working with the DevOps team to spin up a virtual private cloud to support faster and more frequent software releases.

This is causing a re-imagining of the roles and skill sets of IT and security teams in a cloud-first world. For instance, the move to the cloud means that IT hardware has typically been separated–or, “abstracted” as your technical teams will tell you–from the overall computing process. As a result, the shifting nature of skill sets means that you need fewer of the traditional technical skills than was the case in the pre-cloud days. For instance, network administrators need to understand how to automate cloud networking, while storage administrators must upskill to run such tools as S3 and Glacier instead of an in-house storage-area network fabric. Above all, you need smart, adaptable, and inquisitive people who understand cryptography and identity/access management in order to secure data in the cloud.

A few key decision points for your business and technical leaders:

  • Building your teams: In-house talent or outsource? Of course, the answer is simple: Both. Your organization will probably never be able to develop all the necessary skills by re-tooling or promoting existing personnel, so some level of contractors or outsourced managed services will likely be necessary. I’ve always been a fan of developing skills among internal team members, but sometimes you don’t have a choice. Time-sensitive programs often mandate that you need to rent or acquire talent to work alongside and/or integrate with your own people. For some organizations, that’s a tough cultural shift to make–but it may be an essential one.
  • To enable world-class cloud security, throwing more bodies at the problem is probably not the answer. While hiring some cloud security specialists is likely to be a smart move, the real synergies in cloud security come from increased use of automation, analytics, and AI/machine learning. You definitely need people who understand how to safely build and deploy digital assets–particularly if you’re doing any Internet of Things projects–but you need to let technology do the work more often. Hire or train good people who know how to properly configure security controls in the cloud, how to automate monitoring, detection, and remediation processes–and leave the tactical stuff to automation.
  • Identity and access management are the hallmarks of cloud security. You may have heard the phrase “identity is the new perimeter.” Your identity and access management policies need to be rock-solid, and adaptable and intelligent enough to respond “at the speed of business.” Firewalls, intrusion detection, and physical barriers that have long been the focus of your SOC personnel are diminished in the cloud, and are changing to leverage/depend on identity and access management.
  • Certifications matter, and your people need new ones. All your IT and security team members have compiled a number of vendor-neutral and vendor-specific certifications, and they’ll need new ones for cloud. Leading certification and skills development organizations such as the SANS Institute have developed cloud certification programs, offering us a great foundation upon which to build for future cloud-related skills. And that’s just the starting point: Your teams will need certifications in such vendor programs as AWS, Google, Microsoft, IBM, Red Hat, and VMware, to name just a few.

Finally, there are a few things business leaders, in particular, need to keep in mind when it comes to helping their organizations close the cloud skills gap:

  • Patience is a virtue. Many business executives still see the cloud as a way to cut IT costs, when what they should be envisioning for their journey to the cloud as a way to promote organizational agility, responsiveness, and becoming a digital business. Everyone needs to be realistic about demands that puts on your teams, because this is a process, not an event. You don’t just flip a switch and do it overnight. In fact, most industry peers I speak to have experienced “re-starts” as their organizations realize that their initial cloud strategies need to be re-assessed and re-designed. You need to give your teams the time, budget, and resources necessary to re-skill or up-skill employees, and conduct thoughtful analysis to determine how to move IT and Security Operations into the cloud for your company.
  • Data ownership can be the difference between success and catastrophe. In a traditional, data center-based computing environment, business leaders rarely worried about data ownership or sovereignty. But in the cloud, especially in a multi-tenant public cloud, owning the data in every way is absolutely critical for a variety of factors, including compliance, legal, and data governance. This also puts smart risk management policies–driven by the CEO, the rest of the C-suite, and the board of directors–at the apex of the mountain of organizational priorities.

As business leaders, cloud computing may still be a bit ethereal and nebulous, a bit more conceptual than pragmatic executives may like. But rest assured that cloud computing will change the way your organization serves customers, competes, plans for the future, and measures its success. Take the time and energy needed to find new ways to bridge that cloud skills gap.

 

Steven Heist is a technical architect at insurance industry leader USAA, where he is responsible for cybersecurity operations.

 

share: