Cloud

3/7/2016
07:15 AM
Amrit Williams
Amrit Williams
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Cloud Survival Guide: 3 Tips For CISOs

To thrive in the cloud era, CISOs must refashion their roles as business enablers, adopt automation wherever possible, and go back to the basics on security hygiene.

We’re undergoing one of the biggest transformational changes in IT since the introduction of the personal computer. We’ve evolved from mainframe to the PC client-server era, to cloud computing and mobile. Companies can now spin-up compute and storage resources in minutes and end-users can access information from almost anywhere, including 35,000 feet in the air.

This brings great opportunities for businesses to redefine themselves, but it also brings new challenges. Among the biggest concerns I hear about are how to keep corporate data secure, regardless of where it resides. Chief Information Security Officers (CISOs) still need to protect the business, but they need to do so facing an increasingly hostile threat environment, transformational IT change, regulatory and compliance initiatives and a serious lack of security talent.  

What’s a CISO to do? I have three suggestions:

Be a business enabler, not a gatekeeper

Despite having “security” in the title, the top priority for any CISO isn’t to just lock data down; it’s to enable the business. No longer can the security team be the department of “no” to end users and executives who want to use new technologies that will help them do their jobs better. This means CISOs need to put an end to draconian policies that restrict behaviors such as the use of mobile devices, cloud apps and new software tools. They need to allow the business to adopt new technologies, especially those that improve productivity and efficiency while lowering costs.

 The shift from restrictive to permissive requires a serious change in the way CISOs think about their role and about security. The correct mindset should mirror the overall IT environment. CISOs need to embrace the dynamic openness of data flows and devices in today’s cloud-based environments where perimeter walls have fallen down, letting data flow into and out of the network. Similarly, it’s futile to hold end users back from the technologies they want to use. The result is rogue and shadow IT that compromises security all the more.

Take advantage of automation
As data, devices, users and workloads multiply, your security team needs to become more agile and efficient by taking advantage of scalable technologies that enable automation and granular control of data, devices, users and workloads. For example, one area where security automation can support modern infrastructure is in the way new code can be developed and delivered. Delivering new code to customers used to take six months. Now organizations can deliver code every hour if they want.

Automation platforms also help IT keep on top of security and improve efficiency during staff shortages. Instead of sticking with manual processes, CISOs can turn to automation and free their personnel to focus on higher level tasks software can’t do, such as analyzing  potential threats, dealing with policy violations and misuse of corporate resources, and adopting innovative technologies to improve the business overall.

Don’t forget the basics
Instead of trying to find a silver bullet to take on sophisticated and stealthy advanced persistent threat attacks, CISOs can benefit greatly from practicing good security hygiene. Things like strong access controls, data encryption, software updates and patching, threat detection and vulnerability management are all basic and easy, yet many companies are woefully inadequate about doing them consistently. Meanwhile, more than 90 percent of attacks take advantage of vulnerabilities and weaknesses that could have been easily avoided. Instead of worrying about so-called “next-gen” technologies, CISOs should look back at best practices from the past ten years and follow them.

Related Content:

 

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Amrit Williams has over 20 years of experience in information security and is currently the chief technology officer of CloudPassage. Amrit has held a variety of engineering, management and consulting positions prior to joining CloudPassage. Previously, Williams was the ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DorisG987
50%
50%
DorisG987,
User Rank: Strategist
3/12/2016 | 5:51:59 AM
CISO Training
Edgar Perez is teaching a 3 Day Masterclass in Cybersecurity designed for C-level executives and senior managers. Furthermore, he offers cyber security workshops for boards of directors and CXOs worldwide. He is the author of The Speed Traders and Knightmare on Wall Street, and his comprehensive training programs have been widely recognized by the media for his independent and non-biased approach.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
3/7/2016 | 9:25:30 AM
CASB
I highly recommend incorporating a CASB. This will not only help identify shadow IT on the network but allow you to incorporate DLP in the cloud space. As the article stated, you don't want to be a gatekeeper and block things unnecessarily. Ultimately, you are there to support the business but that does not mean you do not want to monitor what type of data is being funneled into the cloud.
New Cold Boot Attack Gives Hackers the Keys to PCs, Macs
Kelly Sheridan, Staff Editor, Dark Reading,  9/13/2018
Yahoo Class-Action Suits Set for Settlement
Dark Reading Staff 9/17/2018
RDP Ports Prove Hot Commodities on the Dark Web
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
How Data Breaches Affect the Enterprise
How Data Breaches Affect the Enterprise
This report, offers new data on the frequency of data breaches, the losses they cause, and the steps that organizations are taking to prevent them in the future. Read the report today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-3912
PUBLISHED: 2018-09-18
Bypassing password security vulnerability in McAfee Application and Change Control (MACC) 7.0.1 and 6.2.0 allows authenticated users to perform arbitrary command execution via a command-line utility.
CVE-2018-6690
PUBLISHED: 2018-09-18
Accessing, modifying, or executing executable files vulnerability in Microsoft Windows client in McAfee Application and Change Control (MACC) 8.0.0 Hotfix 4 and earlier allows authenticated users to execute arbitrary code via file transfer from external system.
CVE-2018-6693
PUBLISHED: 2018-09-18
An unprivileged user can delete arbitrary files on a Linux system running ENSLTP 10.5.1, 10.5.0, and 10.2.3 Hotfix 1246778 and earlier. By exploiting a time of check to time of use (TOCTOU) race condition during a specific scanning sequence, the unprivileged user is able to perform a privilege escal...
CVE-2018-16515
PUBLISHED: 2018-09-18
Matrix Synapse before 0.33.3.1 allows remote attackers to spoof events and possibly have unspecified other impacts by leveraging improper transaction and event signature validation.
CVE-2018-16794
PUBLISHED: 2018-09-18
Microsoft ADFS 4.0 Windows Server 2016 and previous (Active Directory Federation Services) has an SSRF vulnerability via the txtBoxEmail parameter in /adfs/ls.