Cloud
3/7/2016
07:15 AM
Amrit Williams
Amrit Williams
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Cloud Survival Guide: 3 Tips For CISOs

To thrive in the cloud era, CISOs must refashion their roles as business enablers, adopt automation wherever possible, and go back to the basics on security hygiene.

We’re undergoing one of the biggest transformational changes in IT since the introduction of the personal computer. We’ve evolved from mainframe to the PC client-server era, to cloud computing and mobile. Companies can now spin-up compute and storage resources in minutes and end-users can access information from almost anywhere, including 35,000 feet in the air.

This brings great opportunities for businesses to redefine themselves, but it also brings new challenges. Among the biggest concerns I hear about are how to keep corporate data secure, regardless of where it resides. Chief Information Security Officers (CISOs) still need to protect the business, but they need to do so facing an increasingly hostile threat environment, transformational IT change, regulatory and compliance initiatives and a serious lack of security talent.  

What’s a CISO to do? I have three suggestions:

Be a business enabler, not a gatekeeper

Despite having “security” in the title, the top priority for any CISO isn’t to just lock data down; it’s to enable the business. No longer can the security team be the department of “no” to end users and executives who want to use new technologies that will help them do their jobs better. This means CISOs need to put an end to draconian policies that restrict behaviors such as the use of mobile devices, cloud apps and new software tools. They need to allow the business to adopt new technologies, especially those that improve productivity and efficiency while lowering costs.

 The shift from restrictive to permissive requires a serious change in the way CISOs think about their role and about security. The correct mindset should mirror the overall IT environment. CISOs need to embrace the dynamic openness of data flows and devices in today’s cloud-based environments where perimeter walls have fallen down, letting data flow into and out of the network. Similarly, it’s futile to hold end users back from the technologies they want to use. The result is rogue and shadow IT that compromises security all the more.

Take advantage of automation
As data, devices, users and workloads multiply, your security team needs to become more agile and efficient by taking advantage of scalable technologies that enable automation and granular control of data, devices, users and workloads. For example, one area where security automation can support modern infrastructure is in the way new code can be developed and delivered. Delivering new code to customers used to take six months. Now organizations can deliver code every hour if they want.

Automation platforms also help IT keep on top of security and improve efficiency during staff shortages. Instead of sticking with manual processes, CISOs can turn to automation and free their personnel to focus on higher level tasks software can’t do, such as analyzing  potential threats, dealing with policy violations and misuse of corporate resources, and adopting innovative technologies to improve the business overall.

Don’t forget the basics
Instead of trying to find a silver bullet to take on sophisticated and stealthy advanced persistent threat attacks, CISOs can benefit greatly from practicing good security hygiene. Things like strong access controls, data encryption, software updates and patching, threat detection and vulnerability management are all basic and easy, yet many companies are woefully inadequate about doing them consistently. Meanwhile, more than 90 percent of attacks take advantage of vulnerabilities and weaknesses that could have been easily avoided. Instead of worrying about so-called “next-gen” technologies, CISOs should look back at best practices from the past ten years and follow them.

Related Content:

 

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Amrit Williams has over 20 years of experience in information security and is currently the chief technology officer of CloudPassage. Amrit has held a variety of engineering, management and consulting positions prior to joining CloudPassage. Previously, Williams was the ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DorisG987
50%
50%
DorisG987,
User Rank: Strategist
3/12/2016 | 5:51:59 AM
CISO Training
Edgar Perez is teaching a 3 Day Masterclass in Cybersecurity designed for C-level executives and senior managers. Furthermore, he offers cyber security workshops for boards of directors and CXOs worldwide. He is the author of The Speed Traders and Knightmare on Wall Street, and his comprehensive training programs have been widely recognized by the media for his independent and non-biased approach.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
3/7/2016 | 9:25:30 AM
CASB
I highly recommend incorporating a CASB. This will not only help identify shadow IT on the network but allow you to incorporate DLP in the cloud space. As the article stated, you don't want to be a gatekeeper and block things unnecessarily. Ultimately, you are there to support the business but that does not mean you do not want to monitor what type of data is being funneled into the cloud.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Join Dark Reading community editor Marilyn Cohodas and her guest, David Shearer, (ISC)2 Chief Executive Officer, as they discuss issues that keep IT security professionals up at night, including results from the recent 2016 Black Hat Attendee Survey.