-Organizations who discovered misconfigured cloud services experienced 10 or more data loss incidents in the last year
-Only 8 percent of IT security executives state that they fully understand the cloud shared responsibility security model
-59 percent of organizations shared that employees with privileged cloud accounts have had those credentials compromised by a spear phishing attack.
-Oracle KPMG Cloud Threat Report.
The last decade or so has seen several organizations experimenting with the cloud, but the pandemic has sped up cloud adoption exponentially, in part due to the surge of remote work. Today cloud represents a new way of doing business; in fact, cloud is increasingly becoming the ultimate ecosystem for business leaders to grow and operate. With its speed and customer-centric characteristics like zero downtime, instant cross-channel functionality deployment, and real-time performance management, it is an obvious choice for businesses looking for newer, more flexible, and faster techniques of engagement with their customers.
Experimenting with the cloud is a story of the past. Today organizations are confident in moving more business-critical workloads to the cloud than ever before, but growing cloud consumption has created new blind spots as IT teams and cloud service providers work to understand their individual responsibilities in securing data. This confusion has left IT security teams scrambling to address a growing threat landscape. In this ever-evolving digital world, it only takes one successful cyber-attack, like a phishing email, to bring an organization’s website to its knees in minutes. This is where the role of the CISO becomes extremely critical. Today, a CISO can no longer shy away from the cloud; they need to embrace it and excel at it to ensure their organization’s success and security, especially when 73 percent of organizations have or plan to hire a CISO with more cloud security skills.
Chief Information Security Officers need to play a key role in safeguarding the data increasingly stored in the cloud and mitigating cybersecurity threats, while also ensuring compliance with IT regulations, standards, and policies.
Although the lift-and-shift of critical information to the cloud over the last couple of years has shown great promise, it has also entailed a patchwork of security tools and processes, which has led to an increased number of expensive misconfigurations and data leaks. Because cybersecurity risks are at an all-time high, it is imperative for enterprises looking to accelerate their cloud journeys to ensure that their CISOs are part of the process of creating foundational building blocks.
How Can a CISO Put the Organization’s Cloud Security in Top Gear?
Enabling a successful digital transformation and migration to the cloud by executing a parallel security transformation ensures that not only can you manage risks in the new environment, but you can also fully leverage the opportunities cloud security offers. However, the sheer pace at which organizations today are migrating to the cloud is creating a huge cloud security readiness gap. In fact, as per the Oracle KPMG Cloud Threat Report, 92 percent of this year’s research respondents felt that their organization has a gap between current and planned cloud usage and their organization’s cloud security maturity. So, a CISO needs to identify these gaps and help the organization steer the migration securely and successfully.
1. Prepare your company for cloud security – Build a Security Culture
When your business moves to the cloud, the way that your whole company works, not just the security team, evolves. As CISO, you need to understand and prepare for these new ways of working so you can integrate and collaborate with your partners and the rest of your company. Ensure security is not an afterthought but is embedded right into the culture of your organization. Ultimately, a security-first culture is essential, where every employee is fully aware of their individual and collective responsibilities in protecting their organization’s data. Constant communication and top-down commitment to ‘walk the talk’ when it comes to developing and implementing cyber-security initiatives are important.
2. Avoid Cloud Security Misconfiguration Risks
As organizations add more and more cloud resources, they increase the likelihood of cloud misconfigurations that can compromise their organization’s security. According to the Fortinet 2021 Cloud Security Report, 67 percent of surveyed cybersecurity professionals stated that misconfigurations remain the most significant cloud security risk facing their companies.
This happens when a cloud user or team specifies settings that fail to provide adequate cloud data security; hackers then exploit these misconfigurations to steal data. A misconfigured cloud setup creates risks for critical environments that can result in unexpected costs and disrupted services. To avoid this, CISOs need to improve their security posture in the cloud, maintain a centralized view of all their assets and servers in one place, and detect and eliminate critical misconfigurations, policy violations, and mistakes.
3. Redesigning Cloud Security Strategies
To be able to mitigate and overcome the challenges that cloud security presents, CISOs need a cohesive approach involving strategic deployments. Redesigning their approach to cybersecurity with a holistic strategy gives CISOs a way to eliminate security gaps by using open standards and protocols that integrate all security activities into a single platform. With all security routed to and managed in the same platform, organizations can more rapidly detect, investigate, and respond to threats.
4. Build a Skilled Cloud Security Team
Responsibility for breaches in the cloud often does fall back on the CISO, even if the vendor is at fault. So, while educating their senior business stakeholders about the Shared Responsibility model will help, CISOs need to spend more time and effort building a strong security team with the right skill sets and educating developers on secure cloud processes than governing and monitoring providers. CISOs first need to understand which skills they really need for the cloud, as it is not feasible for them to find a “unicorn” candidate who is an expert in a certain cloud provider, understands cloud architecture, and has software development skills too.
5. Make Zero Trust Your Default Position
With cloud architectures removing the concept of a secure perimeter around an organization’s data and IT, Zero Trust becomes important. As a CISO it can sometimes feel like the organization looks to you for confidence and reassurance, but to do your job well there is a lot to be said for assuming the stance of high alert and mistrust. Zero Trust Network Access (ZTNA) is exactly that – you do not give anyone, any device, or any cloud service access to anything without a specifically allocated series of authenticated security credentials.
Just as cloud caused a revolutionary rethink around IT architectures, workflows, and cost centers, so it should do likewise for security. While 100% security may not be a practical objective, getting back to the fundamentals of understanding data movement, identifying sensitive PII and company data, and enforcing third-party risk management (even in the cloud) cannot be overstated as a reminder to “get the house in order” with the number of mega-breaches occurring.
Runa Tripathy, March 03, 2022