In Coalfire's "2023 State of CISO Influence" report, developed in partnership with Dark Reading — security executives in major industries and companies of all sizes called out lack of good governance strategy as one of the top challenges they face in managing cloud migration.
With any move to the cloud, corporate leaders focus intently on leveraging capabilities and harnessing myriad services, with IT often juggling the management of multiple assets in a hybrid environment. CISOs want to take the existing security program and wrap it around newly migrated systems to keep people, processes, and policies as consistent as possible and avoid the need to invent anything new. Updating and unifying standards and procedures usually lands last on the list.
While no single governance model is the right answer for all organizations, governance in the cloud age must, at a minimum, establish oversight, strategy, and enforcement of standards to ensure alignment of operational practices to the objectives and risk tolerance of the organization.
Security governance bridges business priorities with technical implementation like architecture, standards, and policy.
For smaller companies especially, the governance function is sometimes overlooked until it's too late. C-level security executives at firms with 500 or fewer employees ranked governance problems 10 points ahead of their midsize and larger enterprise counterparts.
Optimizing Governance to Bolster Brand Confidence
The report confirmed what I believe to be the essence of business resilience today: setting priorities, communicating effective incident response strategy, preplanning continuity of systems, and assuring continuous compliance.
Business goals and risk management are the best security program guideposts, ensuring that efforts are optimized to focus on the organization's top areas of concern. So naturally, it's becoming mission-critical to optimize governance processes to work effectively in today's hybrid server environments. Increasing infrastructure complexity drives hard questions, such as:
- How do we absorb the operational risk introduced by third parties within our cloud-based ecosystem?
- How do we configure and uniformly apply access policies for employees, customers, vendors, remote workers, IoT, etc.?
- Can we achieve zero trust, and can it be retrofitted to effectively fit into a hybrid environment?
- What's our strategy and execution plan to enable operational resilience with pervasive incident detection and response?
- How do we assure customers and stakeholders of our business's ability to continue operations after a disruption or during a mitigation?
Addressing these questions facilitates a rational, cost-efficient approach instead of the outdated "sky is falling/spend more" mentality that has proven to be unsustainable. With the ever-expanding attack surface of the hyperscale cloud, CISOs can't eliminate risk, nor can they justify impulsive spending on endless identification of threats and scanning for vulnerabilities. Instead, they must respond and remediate problems, reduce costs, and enhance secure product life cycles to bolster brand reputation and customer confidence.
Align Governance Responsibilities to Avoid Conflict
Our research reflects that service delivery across industries is moving further into the cloud every year. Though all on-premises systems are eventually considered candidates for transition, legacy systems aren't going away tomorrow, so we need a pragmatic management style to keep the cloud momentum going while dealing with an expanding attack surface — the other "top two" concern of CISOs in the survey along with lack of good governance.
When developing governance strategies for hybrid cloud operations, it's critical that CISOs understand what services are provided by cloud and SaaS vendors, and that they have clarity on where the responsibilities and liabilities fall. While security professionals are more effectively closing known gaps, security teams still feel most of the heat when there are problems. Cloud vs. on-premises staff may fall into an adversarial pattern that results in attempts to deflect responsibility or engage in finger-pointing.
A well-planned governance model that assigns roles and responsibilities through a RACI responsibility alignment matrix is one of the best ways to avoid these situations. Failure to develop those plans up front can exacerbate the impact of even minor conflicts. Forward-thinking security leaders map out what needs to be done and who's going to do what, well ahead of time. At the onset of any migration or lift-and-shift, savvy CISOs need to start with a clear understanding of "who's on first." Prioritize that forethought by shifting core governance functions to the far-left side of the project management planning matrix.
Great CISOs don't just implement security measures, they build trust by working with business leadership to apply essential governance disciplines that align business strategy, risk management, asset protection, and innovation security while providing guidance to drive execution of security best practices and controls.
Across the board, CISOs in every sector and company size say governance is too often an afterthought. Lack of strategy produces hazards such as potential breach, disruption, and policy failures, as well as interdepartmental friction between cloud and on-prem teams. Whether it's a risk steering committee or a Cloud Advisory Board, good governance keeps the business moving and the supply chain flowing. It's a core competency for all security leaders.
About the Author
Michael Eisenberg is a seasoned information security professional with more than 31 years of experience working across public and private sectors, including two global Fortune 250 organizations (Aon and McDonald's Corporation), the government sector and the U.S. military. As vice president of Strategy, Privacy, and Risk at Coalfire, Michael leverages his experience through a range of security consultative services that help C-level officers build and improve security strategies and deliver cybersecurity programs. He received a master's degree in computer science from Illinois Institute of Technology. Michael holds CISSP, CISA, CISM, and CRISC security certifications.