Victor Hsiang
Information Security Director
GATX
MODERATOR
Diane Brown
Director, IT Risk Management
Ulta Beauty
PANELIST
Richard LaFosse
CISO
Kraft Heinz
PANELIST
Nitin Raina
VP - Cyber & Information Security
ThoughtWorks
PANELIST
July 2020
Whether you are cloud-first or just starting out on your cloud journey, CISOs in the Chicago region agreed that proper governance and guardrails were the keys to successfully securing the cloud. Facing relentless threats, shifting technologies and a sprawling attack surface, today’s CISO must know the way through the cloud like never before.
In this community town hall, participants explored how CISOs are embracing cloud-dependent strategies, and how CISOs can meaningfully inform the security of those systems. To set the stage, Chicago CISOs responded to a survey prior to the town hall indicating the following:
22% are continuing standard business operations at a reduced level
23% expect to return to standard business operations in the next 6-12 months
37% are spending the majority of their time on leadership strategy
25% say their primary concern is keeping the business running
This conversation was moderated by Victor Hsiang, information security director, GATX. Victor was joined by Diane Brown, director of IT risk management at Ulta Beauty, Richard Lafosse, CISO at Kraft Heinz, and Nitin Raina, VP - cyber and information security at ThoughtWorks. During the conversation, they shared how they have been navigating their journey to the cloud.
Evolving Cloud Strategy
Whether you were an early cloud adopter or just now entering the cloud, there are common challenges and successes across the board. A shared challenge is the concern around data privacy and ensuring appropriate roles are assigned. Success can be seen in increased speed and improved reliability and availability. Cloud is driven from the top-down, and the goal is to ensure business users get access to data in a secure and seamless manner.
Cloud means different things to each company and CISO. Having strong leadership buy-in to push a cloud agenda is critical to long-term success, and the guiding principles of security can help move the journey forward quickly. CISOs need to put the right governance and processes in place and teach teams to operate efficiently and securely in the cloud.
Securing Seamless Cloud Workflows
CISOs need to have a strong grasp of their business partners’ requirements to understand what data needs to migrate to the cloud and determine the best controls to put in place. A proper governance structure can often be overlooked, so a shared responsibility model is key. Those that operate in the cloud have more leeway, so there must be proper guardrails in place. Finding that perfect balance is critical in ensuring CISOs maintain a solid relationship with their cloud users. If you put in the work to make your security model easy to follow, automation can then augment those processes.
It's hard to retrofit security in the cloud, so lead with security and leverage native tools for easier implementation. Augment those native security tools with third parties when necessary. Partners that are just getting in the cloud space are more willing to offer a long proof of value to determine if their tools will work in your environment. This can give the confidence to prove that a tool works and is a good fit for your organization without a financial impact to the company.
Dynamics in the cloud are new and can change, but overall it’s the same as on-prem. It’s not the “what,” it’s the “how.”
Relationship with Cloud Vendors
CISOs must have a trusted relationship with your cloud partners from a governance, incident response, and privacy perspective. Build your relationships early and ensure they understand your business requirements, especially when PII or sensitive corporate information is involved. It is easier to complete implementation when you have a solid relationship with your provider. Once they understand what your business goals are, they can really lean in to support you.
Another avenue for success is partnering with up-and-coming start-ups. If the appetite of the business leans towards cutting-edge services, work with new groups. Advise them to pivot and influence them to enhance their work to make strides towards identifying gaps in tools and maturity. Joining customer advisory boards can give you access to new features and products before they hit the market.
by CISOs, for CISOs
Join the conversation with peers in your local CISO community.
