Dark Reading is part of the Informa Tech Division of Informa PLC


Cloud
3/7/2016 07:15 AM
Amrit Williams
Commentary

Cloud Survival Guide: 3 Tips For CISOs

To thrive in the cloud era, CISOs must refashion their roles as business enablers, adopt automation wherever possible, and go back to the basics on security hygiene.

We’re undergoing one of the biggest transformational changes in IT since the introduction of the personal computer. We’ve moved from the mainframe to the PC and client-server era, and now to cloud computing and mobile. Companies can spin up compute and storage resources in minutes, and end users can access information from almost anywhere, including 35,000 feet in the air.

This brings great opportunities for businesses to redefine themselves, but it also brings new challenges. One of the biggest concerns I hear about is how to keep corporate data secure regardless of where it resides. Chief Information Security Officers (CISOs) still need to protect the business, but they must do so while facing an increasingly hostile threat environment, transformational IT change, regulatory and compliance initiatives, and a serious shortage of security talent.

What’s a CISO to do? I have three suggestions:

Be a business enabler, not a gatekeeper

Despite having “security” in the title, the top priority for any CISO isn’t to just lock data down; it’s to enable the business. No longer can the security team be the department of “no” to end users and executives who want to use new technologies that will help them do their jobs better. This means CISOs need to put an end to draconian policies that restrict behaviors such as the use of mobile devices, cloud apps and new software tools. They need to allow the business to adopt new technologies, especially those that improve productivity and efficiency while lowering costs.

The shift from restrictive to permissive requires a serious change in the way CISOs think about their role and about security. The right mindset mirrors the IT environment itself: CISOs need to accept the dynamic, open flow of data and devices in today’s cloud-based environments, where the perimeter walls have come down and data moves into and out of the network continuously. Likewise, it’s futile to hold end users back from the technologies they want to use; the result is rogue and shadow IT that the security team cannot see, which compromises security all the more. Enabling a technology does not mean ignoring it: the security team still needs visibility into which cloud services hold corporate data so that the controls below can be applied there too.

Take advantage of automation

As data, devices, users and workloads multiply, your security team needs to become more agile and efficient by adopting scalable technologies that automate security controls and apply them at a granular level across all of those assets. One area where security automation can keep pace with modern infrastructure is the way new code is developed and delivered. Delivering new code to customers used to take six months. Now organizations can ship code every hour if they want, and security checks have to run at that same cadence, or the security team becomes the bottleneck it was trying not to be.

Automation platforms also help IT keep on top of security and improve efficiency during staff shortages. Instead of sticking with manual processes, CISOs can turn to automation and free their personnel to focus on higher-level tasks software can’t do, such as analyzing potential threats, dealing with policy violations and misuse of corporate resources, and adopting innovative technologies that improve the business overall.

Don’t forget the basics

Instead of searching for a silver bullet against sophisticated and stealthy advanced persistent threats, CISOs can benefit greatly from practicing good security hygiene. Strong access controls, data encryption, software updates and patching, threat detection and vulnerability management are all basic and well understood, yet many companies are woefully inconsistent about doing them. Meanwhile, more than 90 percent of attacks take advantage of vulnerabilities and weaknesses that could have been easily avoided. The test of hygiene is not whether a control exists somewhere, but whether it is applied to every host and every account, every time; that is exactly what automation makes feasible at cloud scale. Instead of worrying about so-called “next-gen” technologies, CISOs should look back at the best practices of the past ten years and follow them consistently.
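The hygiene checks above (patching, encryption at rest, access control, exposure of admin ports) are the kind of thing the automation section argues should run continuously rather than by hand. As an added example, not code from the article or from CloudPassage, here is a Python audit over a constructed cloud host inventory. The inventory fields, the 30-day patch SLA and the admin-port list are assumptions chosen for illustration; the three hosts are made up.

```python
"""Automated security-hygiene audit over a cloud host inventory.

Added example, not from the article or CloudPassage. The inventory
layout, the patch SLA and the admin-port list are assumptions; the
hosts in INVENTORY are constructed for illustration.
"""
import ipaddress
import json
from datetime import date

# Assumed policy thresholds.
PATCH_SLA_DAYS = 30            # patches older than this are overdue
ADMIN_PORTS = {22, 3389}       # SSH and RDP must never face the whole internet

# Constructed inventory, shaped like what a cloud API or host agent reports.
INVENTORY = json.loads("""
[
  {"id": "web-01", "last_patched": "2016-02-20", "disk_encrypted": true,
   "mfa_required": true,
   "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
               {"port": 22,  "cidr": "10.0.0.0/8"}]},
  {"id": "db-01", "last_patched": "2015-11-01", "disk_encrypted": false,
   "mfa_required": true,
   "ingress": [{"port": 5432, "cidr": "10.0.1.0/24"}]},
  {"id": "bastion", "last_patched": "2016-03-01", "disk_encrypted": true,
   "mfa_required": false,
   "ingress": [{"port": 22, "cidr": "0.0.0.0/0"},
               {"port": 22, "cidr": "::/0"}]}
]
""")


def check_host(host, today):
    """Return the list of hygiene findings for one host (empty means clean)."""
    findings = []

    # Patching: flag hosts whose last patch date is past the SLA.
    last = date.fromisoformat(host["last_patched"])
    overdue = (today - last).days - PATCH_SLA_DAYS
    if overdue > 0:
        findings.append(f"patching overdue by {overdue} days")

    # Encryption of data at rest.
    if not host["disk_encrypted"]:
        findings.append("data at rest not encrypted")

    # Strong access control: interactive logins must require MFA.
    if not host["mfa_required"]:
        findings.append("MFA not enforced for logins")

    # Network exposure: an admin port reachable from any address (IPv4 or IPv6).
    for rule in host["ingress"]:
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        if rule["port"] in ADMIN_PORTS and net.prefixlen == 0:
            findings.append(f"port {rule['port']} open to the internet ({rule['cidr']})")

    return findings


def audit(inventory, today_iso):
    """Map host id -> findings for every host, evaluated as of today_iso."""
    today = date.fromisoformat(today_iso)
    return {host["id"]: check_host(host, today) for host in inventory}


def noncompliant(report):
    """Ids of hosts with at least one finding, for a quick pass/fail view."""
    return sorted(h for h, f in report.items() if f)


if __name__ == "__main__":
    # Fixed date (the article's publication date) so the output is reproducible.
    report = audit(INVENTORY, "2016-03-07")
    for host_id, findings in report.items():
        print(f"{host_id}: {'OK' if not findings else '; '.join(findings)}")
    print("non-compliant:", noncompliant(report))
```

Point the same checks at a real export from your cloud provider's API or host agent and the script becomes a daily report, or a gate that runs after every deployment; a review that costs a person an afternoon per host costs the script milliseconds per host, which is what lets the basics actually be applied everywhere, consistently.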


Amrit Williams has over 20 years of experience in information security and is currently the chief technology officer of CloudPassage. Amrit has held a variety of engineering, management and consulting positions prior to joining CloudPassage. Previously, Williams was the ...
Comments
DorisG987, User Rank: Strategist, 3/12/2016 | 5:51:59 AM
CISO Training
Edgar Perez is teaching a 3 Day Masterclass in Cybersecurity designed for C-level executives and senior managers. Furthermore, he offers cyber security workshops for boards of directors and CXOs worldwide. He is the author of The Speed Traders and Knightmare on Wall Street, and his comprehensive training programs have been widely recognized by the media for his independent and non-biased approach.
RyanSepe, User Rank: Ninja, 3/7/2016 | 9:25:30 AM
CASB
I highly recommend incorporating a CASB. This will not only help identify shadow IT on the network but allow you to incorporate DLP in the cloud space. As the article stated, you don't want to be a gatekeeper and block things unnecessarily. Ultimately, you are there to support the business but that does not mean you do not want to monitor what type of data is being funneled into the cloud.