Navigating Through the Cloud

Introduction

Securing a Rapid Digital Transformation

More than four months into a global pandemic and economic crisis, business leaders are navigating the second half of an unprecedented 2020. In Evanta’s pulse survey in July, 18% of CISOs said that business operations have returned to normal, with most CISOs (40%) expecting business operations to return to normal in the next 6 to 12 months. As they look ahead, security leaders are determining what’s next for the security of the remote workforce and their cloud strategies.

Evanta communities comprised of C-level executives from around the world have been gathering virtually since the beginning of the crisis to share ideas, collaborate and problem solve. After more than 60 virtual gatherings, four leaders are sharing takeaways for the larger CISO community on what they have learned and what they are doing next.

Security at the Forefront: 3 Themes

CISOs representing the world’s leading global organizations met virtually over the past four months to discuss cybersecurity and business continuity amidst the challenges of a remote workforce. While balancing those security needs, they have also shifted some of their focus to their original objectives for the year. 

In these Evanta virtual gatherings, participants discussed the resilience of their teams in managing increased security threats and navigating through the cloud. 

Three themes emerged from those discussions among CISOs.

1. Acceleration of Cloud Strategy

Cloud strategy has not necessarily changed – but it has accelerated.

1. Securing Cloud Workflows

Pair the right knowledge with simple tools in order to succeed.

1. Making Vendor Relationships Count

Earned trust is crucial to strong vendor relationships.

1. Acceleration of Cloud Strategy

CISOs report that COVID-19 has not necessarily changed their cloud agenda – but it has accelerated it.

With some exceptions, CISOs did not significantly change their cloud strategy amid the pandemic, but COVID-19 has accelerated the agenda for some. Security leaders are reporting that their organizations see tremendous opportunity in the cloud – as long as security is embedded in the strategy from the outset.

• One significant challenge over the past few months was the increased demand on cloud services due to more remote workers.
• It’s vital that security teams have cloud security capabilities; otherwise, the security function cannot grow with the business. 
• Some CISOs are taking advantage of their business evolution to implement a cloud architecture that works better for the organization – with a focus on security first.

As one CISO notes, “There are solutions out there, but it is crucial to think about your requirements, what you’re trying to achieve, and what the threat risks are.”

Community Voices

The days of temporary remote work have long passed, and we’re seeing companies move permanently to a more flexible environment. These remote workers introduce new security problems, which indicates the importance of practicing a culture that prioritizes security. Strong security behaviors, and the training and attentiveness they require, are critical. Educating teams on the current threat landscape is now more important than ever.

Gerald Beuchelt
Boston CISO Community
 

The cloud enables us to set up guardrails, which allow employees to work within structures with the right policies implemented…. It was okay to be fairly slow with security five years ago because you needed to build a physical box in a data center. Now, it’s three clicks, and you need to move fast, or you’ll be unable to meet customers’ needs or bad actors will find a way around.

Jon Fredrickson
Boston CISO Community
 

When COVID hit us, it was part of the design because we had invested in cloud. The message is – this is by design, and really, we’re going to accelerate our cloud adoption… Often, we have to test equipment in simulation. Now, we can use the cloud in a resource request model as needed, which saves money.

Martin Bally
Detroit CISO Community
 

It’s establishing identity as a cornerstone to delivering applications securely. Our organization was pretty mature in its cloud strategy… If we wanted to pivot away from VPN, we could move more quickly toward a flexible, identity-driven architecture. The cloud is going to be a huge driver. It’s really the engine of digital transformation in this era.

Arun DeSouza
Detroit CISO Community

2. Securing Cloud Workflows

When CISOs embrace cloud, they are embracing some level of complexity.

In order to create seamless – and secure – workflows across multiple cloud services, security leaders recommend focusing in on a small number of key vendors. They also suggest realigning their team structure toward security managers, rather than technical experts, to steer those external parties.

• It is important to understand the impact that cloud security strategy has on execution throughout the business. 
• It's difficult to retrofit security in the cloud, so lead with security.
• Leverage native tools for easier implementation and augment those native security tools with third parties when necessary.

Security leaders do not need more tools, one CISO notes, “They need the right knowledge paired with simple tools in order to succeed.”

As another CISO says, “My highest-level best practice for seamless cloud is to try to operate how the cloud was designed -- don't try to bend a solution into a new shape it was never built for.”

Community Voices

Security teams have to focus on validating the security posture of employees and emphasizing security best practices more than ever before. There will be more responsibility on CISOs and their teams to help users understand the threats and more responsibility on the end user to be vigilant. Security training and awareness will be paramount to keep employees secure as companies move to a dispersed workforce model.

Gerald Beuchelt
Boston CISO Community
 

Robust APIs are important for SaaS products so that they can talk to other things. If all the crown jewels of an organization are in a CRM, or a limited number of apps, make sure they talk well together and can be configured well so you can replicate your governance.

Jon Fredrickson
Boston CISO Community
 

You have producers and consumers of cloud services. What do you tackle first as CISO? Basic blocking and tackling are often the issue.

Martin Bally
Detroit CISO Community
 

You’ve got to have a cloud security playbook for all the services you sign – including people, process, and technology, in that order. We have a 54-question survey for cloud providers that includes questions about privacy because the risk of non-compliance is so high.

Arun DeSouza
Detroit CISO Community

3. Making Vendor Relationships Count

CISOs say that with cloud partners, it all comes down to trust. 

Earned trust is crucial to strong vendor relationships, along with confidence that the vendor has its own robust security team. “You really need to develop a good relationship with your partners that is built on trust,” one CISO said.

• CISOs must have a trusted relationship with cloud partners from a governance, incident response, and privacy perspective.

• Build vendor relationships early and make sure they understand your business requirements.
• Ensure that everything shown in the contract accurately reflects what has been discussed and agreed to in the requirement stage.

Another CISO notes, “It really is a partnership on security, especially when it comes to privacy concerns.” Others also agree that understanding vendor development roadmaps is key.

Community Voices

It’s important to have the right tools in place to ensure your employees are properly armed to carry out online security best practices. When it comes to evaluating providers, you ultimately need to trust the cloud vendor before onboarding them. Working with companies that have security teams, if you can get a statement about their security program and posture, you can get a sense about their product.

Gerald Beuchelt
Boston CISO Community
 

Ensuring all new relationships show that accuracy and transparency of the product development roadmap is spot-on.

Jon Fredrickson
Boston CISO Community
 

When I think of a partnership, I think about us having insight into their strategic roadmap and vision… One of our vendors came to us with a cost reduction first during this crisis. Those are the ones we stay with in the long haul.

Martin Bally
Detroit CISO Community
 

Strategic alignment between the CISO and the cloud provider is important. Cost optimization is a constant challenge. We are talking with our partners and trying to work with the ones we really value on this.

Arun DeSouza
Detroit CISO Community

Conclusion

The cloud has allowed CISOs to pivot and quickly move things to digital platforms during this time of unprecedented disruption. Many CISOs report that their businesses recognize the cloud as a great enabler and cost saver – in addition, the organizations are also beginning to see that the cloud can greatly reduce cyber risk.

Finding best practices when it comes to cloud is a moving target, and CISOs recognize a need to be growing and evolving their cloud strategies as the industry changes. They also believe that it is important for them to take the lead in cloud strategy and think like visionaries. 

CISOs believe cloud is the next step on the path to digital transformation. As one CISO states, “From a security perspective and the evolvement or our digital journey, we are putting an emphasis on our cloud strategy.”

Special thanks to all participating companies.

by CISOs, for CISOs

Join the conversation with peers in your local CISO community.