Monday, July 27, 2015

Why security leaders must seize the opportunity to implement cloud and improve security

This article first appeared on CSO Online on 7/16/2015.

There is no question that the rate of migration to cloud computing continues its meteoric rise. Eighty-two percent of enterprises have a hybrid cloud strategy, up from 74 percent in 2014 (RightScale State of the Cloud Survey, January 2015). Even as this shift accelerates, security remains a major barrier to the adoption of cloud services.

A recent CloudPassage survey of more than 250,000 respondents indicates that 71 percent are planning or have already implemented some kind of cloud environment. Almost half of the respondents said that cloud security is a barrier to cloud adoption, and 41 percent identified data loss or leakage as a concern. Nine out of ten respondents indicated that they are moderately or very concerned about public cloud security.

Is this a problem for IT security leaders?

I think it is a great opportunity to champion the move to cloud computing, for three chief reasons:

  • Cloud computing and services free existing resources to focus on governance, management, and strategic planning 
  • IT security can help the business make decisions focused on risk identification and reduction 
  • Helping to lead this change reveals IT security to be part of the solution, not a hindrance, thus justifying a “seat at the table” in the boardroom 

Time and the marketplace have shown that, in most cases, cloud providers operate data centers that are more secure and more scalable than those most enterprises run on their own.

First step: overcome resistance 

In my experience, most resistance to cloud adoption stems from internal fatigue, born of the increased pressure to deliver faster and better with fewer and fewer resources. It is easier to fret about having enough resources to manage daily operations than to spend mental energy planning for future needs. Most leaders, and their companies, need help justifying the change of gears required to move from operational planning to strategic planning. For cloud computing to be truly successful, organizations require a methodical adoption strategy. Specifically, the plan of action must account for the risks while reaping the rewards. It is critical to understand that ad hoc, untested methods of consuming cloud services result in increased risk, expenditure and liability.

Map your criteria to expected benefits 

I believe IT security leaders need to move past these challenges to cloud adoption by mapping out a logical strategy and criteria for justifying, selecting, and facilitating the deployment of cloud services. Such a plan helps those in a leadership position divorce themselves from what I perceive as commoditized administration tasks in operations, in favor of governance and risk management, strategic planning, and oversight. Let us look at how developing a solid plan for cloud services will help IT security professionals lead the charge.

One easy-to-understand strategic approach is to define the benefits of cloud adoption as an offset of operational tasks. Frequently cited as a means to reduce costs, shifting daily security operations functions to a cloud services provider is a wise move. Delegation can free up team members who may be focusing heavily on security patching, vulnerability scanning, compliance validation, user revalidation, and other repetitive tasks. Delegation transfers the execution of those tasks, not accountability for them: the provider's contract and shared-responsibility model define what the provider actually covers, and the rest remains yours. The same people can then pivot to more strategic roles: governing the patch management process, evaluating the results of continuous monitoring, and ensuring that user management aligns with the business's objectives. As we are constantly asked to do more with less, does it not make sense to use our full-time staff properly, on projects and initiatives that add business value?

A second method for leading your IT organization to the cloud is to correctly identify the risks and benefits associated with adopting this new model of computing. Many assume that risk will increase whenever a service or function moves beyond the company's traditional boundary. For IT security teams that are just starting a risk management program, I advocate using the NIST Cybersecurity Framework. It draws on recommendations and best practices from COBIT, NIST SP 800-53, ISO/IEC 27001, and other standards, and it provides a common language for discussing risk. Using a reference such as this helps IT security leaders articulate clearly how cloud adoption will affect risk. I believe that in many cases overall risk can be reduced by obtaining services from a cloud provider.

Finally, IT security leadership must be seen as a critical enabler of business value. With respect to cloud adoption, the leader must ask, "how can we focus on what our business does best?" Many would agree that cloud services and technologies bring speed, agility and flexibility to businesses. And paying for what the business consumes, rather than having IT build and service what is consumed, removes the need to continually upgrade and maintain product lifecycles. The resulting business value statement is that IT, and specifically IT security, can focus on the strategic planning the future requires. This level of acumen brings security into the realm of managing the organization, ensuring that those in the boardroom appreciate the value IT brings to the table.

Security leaders must seize the opportunity to reap the rewards

To conclude, IT security leadership must promote the adoption of cloud technologies or run the risk of being marginalized. Rather than merely reacting to what I believe to be an inevitable shift toward a new computing model, IT security professionals have an amazing chance to lead their organizations toward what Gartner calls digital business. This requires shifting security operations and other repetitive tasks to cloud services, properly identifying the real risks and the opportunities to offset them, and communicating the business value of cloud computing to the organization's leaders.