Your Move To The Cloud Secured
By Richard Jones, Group CISO, SecureLink.
Secured: Such a bold statement, and if someone could give you the answers to achieve ‘secured’, you’d listen, right? I know I would.
IP Expo, London, October 2018 – SecureLink partner with Palo Alto Networks to deliver the message “your move to the cloud secured”.
We are all clouding. We are all seeking to secure our clouds.
My first statement is true: some organisations know they are, while others have no knowledge that their colleagues are using cloud applications. Some of these apps are cool and cheap, and they are accessible anywhere – what’s not to like!
For security teams this situation sends shivers down their spines. How can we [security] secure something we know nothing about? According to the book of NIST*, in the beginning we identify!
*Other sacred security texts are available depending on which controls you worship.
So, if we fail at this fundamental step, do we simply move on to protect? Many do, many must, many have.
In the context of clouding, and this includes IaaS through to SaaS (Rackspace, AWS, Azure, Dropbox, etc.), we need a strategy to address identify and protect.
I normally don’t promote, endorse or write about technology. After all, technology is often required but is not always the solution. Technologies change; it’s a very competitive space. The right technology for one organisation is not always the right one for another organisation. However, there is a reason SecureLink partnered with Palo Alto Networks.
Technology is essential if we are to gain that foothold in identify. The number of applications available online today is staggering. Without technology we cannot begin to accurately understand the applications our colleagues are using, let alone protect the data.
Much has been written about technology, and I won’t begin to repeat the tech-experts. I will, however, repeat that without it, you will fail in this quest.
Alongside technology, achieving our goal of identify (and protect) requires security leaders to change their way of doing business. Traditional governance models rarely lecture on successful methods of governance; for these methods, success is that governance is implemented. I believe security teams have an opportunity to deliver success without the traditional ‘no’ approach. Breaking this tradition is the key. Surely, it’s the reason most organisations find themselves in this situation.
“IT Security always say no, so we did it ourselves”.
The key to success lies in the ability to do business. Security teams need to change their approach and adapt to a business mentality. After all, the business pays their salary. Cloud apps bring innovation, fast. They allow the business to adapt, innovate, and realise opportunities before their competitors. The key then is doing business safely.
Business leaders are risk takers; they realise opportunities that deliver value to their customers. Security leaders need to be the same. This starts with being in the same room, at the same table, and in most circumstances identifying innovation and bringing ideas to the table, first! Security leaders need to stand shoulder to shoulder with the business, and if things go wrong, security and the business stand together. They took the decision together (both knowing the risks), they stand together, they fall together. Expressing risks, then, in business terms is key. Making things happen (quickly) is key. Security leaders need to identify these attributes and build a team that drives the business forward.
Moving workloads to the cloud or using cloud applications requires good security leaders and good technology. Both are available. Think in a different way.