Lessons Learned – Practical Cloud Security Strategies

Cloud security is a top area of focus for CISOs across Evanta communities, coming in at number one for CISOs in our annual Leadership Perspective Survey of their top functional and enterprise priorities for the year. As the cloud landscape continues to evolve, so must the strategies that CISOs develop in order to keep their organizations secure. 

At the recent Atlanta CISO Executive Summit, Equifax Chief Information Security Officer Jamil Farshchi led the closing keynote session, along with CISO Bob Varnadoe of NCR, on the lessons they’ve learned in implementing practical cloud security strategies. They discussed strategies to help guide an organization’s cloud priorities, solutions to current and future cloud security issues, and ways to align cloud strategy to business value.  

Here, Jamil, who is also a Governing Body Member of the Atlanta CISO Community, shares some key takeaways from the highly-rated session.
 

What are some strategies you shared at the session about how to guide your organization’s cloud priorities?

We’ve centered our cloud efforts around assurance. It’s easy to think controls are operating properly when they, in fact, aren’t. The cloud makes it easy for us to monitor everything in real time so that we have visibility of where the gaps are, and, in many cases, can close those gaps in real time if and when they emerge. This isn’t possible on-prem.
 

What are some of the challenges that CISOs face in implementing cloud strategies that balance security with business needs?

We discussed four main challenges: 

1. Talent or skill sets and shifting the mindset from on-prem to cloud. Don’t underestimate the behavior change component.
2. Overly aggressive timeframes. It always takes longer than expected, which leads tech to start lifting and shifting, cutting corners on security requirements, etc. As timelines drag on, morale can also decline.
3. Underestimating the impact on budgets. The cloud often comes with an assumption that it will be cheaper, but it never is. Cloud costs will force a shift from capital expenditures to operating expenses, and managing them requires much more discipline and scrutiny on spending.
4. Lack of vendor variety. Depending on the cloud provider, be cognizant that the security vendor options may not be robust.
    

What were one or two lessons learned from your own cloud journey that you can share with the broader Evanta CISO community?

These were my top lessons learned: 

1. Leverage the cloud as holistically as possible. Don't take an approach where you're still heavily reliant on-prem — this half-pregnant approach will increase complexity, increase costs, and slow you down (a good example of this is identity and access management).
2. Be very strong willed as it relates to requirements. If you don't hold the business and IT to requirements like golden image utilization, lift and shift (don't allow it), etc., then your brand new shiny cloud environment will just become a cloud-based duplicate of your old on-prem environment.
    

What are some strategies you recommend to help CISOs align their cloud strategies to business value?

These five simple things go a long way toward maintaining buy-in and avoiding surprises:

1. Cooperative governance
2. Clear requirements
3. Assurance to provide visibility
4. Detailed planning
5. Regular executive visibility
    

To learn more from your security peers and participate in discussions on topics like cloud security and more, find your local Evanta CISO Community and join today.