A few years ago, ESG (and other) research indicated that security concerns posed the biggest impediment for more pervasive use of cloud computing. What happened next? Business executives and CIOs found that cloud agility, flexibility, and potential cost savings were too good to pass up, creating a “cloud or bust” mentality. Naturally, CISOs had to do their best and go along for the ride whether they were ready or not.
So, how’s cloud security going at this point? ESG research indicates it is still a work in progress. As part of a recent survey, cybersecurity professionals were presented with a series of statements about cloud security and asked whether they agreed or disagreed with each one. Here are some of the results:
- 69% of cybersecurity professionals strongly agree or agree with the statement: “My organization is still learning how to apply its security policies to public/private cloud infrastructure.”
- 62% of cybersecurity professionals strongly agree or agree with the statement: “It is difficult to get the same level of visibility into cloud-based workloads as we have on our physical network.”
- 56% of cybersecurity professionals strongly agree or agree with the statement: “My organization’s current network security operations and processes lack the right level of automation and orchestration needed for the cloud.”
- 52% of cybersecurity professionals strongly agree or agree with the statement: “The security team does not have the appropriate staff level to manage network security operations for cloud infrastructure.”
Taken together, these results show that wide cloud security gaps remain across people, processes, and technologies.
Proper Cloud Security Steps
What can CISOs do to bridge these gaps? Based on extensive qualitative and quantitative research, here are a few tips:
1. Get training. Many of the deficits described above are a consequence of relying on on-the-job cloud security training. Yes, cybersecurity professionals will pick things up, but by the time they figure things out, cloud security will lag far behind where it should be. Since cloud computing demands a new attitude and skill set, it’s worthwhile to invest in appropriate hands-on security education up front. Ambitious members of the cybersecurity staff will recognize the career opportunity and pursue cloud security training with gusto.
2. Use cloud security as an organizational change agent. CISOs have long wished to drive information security closer to the business. Well, cloud computing provides a perfect opportunity to force this change. Cloud security policies, controls, and even application security can be far more effective if they are integrated into the early stages of business planning and application development lifecycles. ESG has found this to be true in practice: cloud computing leaders tend to have security baked into disciplines like DevOps and data center operations rather than bolting on security controls once cloud-based workloads are already deployed.
3. Consider cloud security as a tabula rasa. ESG has noted that organizations tend to struggle when they try to force-fit traditional security controls into cloud computing. Often, they end up wasting time, scrapping these efforts, replacing traditional controls with cloud-centric controls, and then struggling to catch up with cloud proliferation. Yes, it’s worthwhile to try to emulate existing best practices with cloud security, but smart CISOs will approach this with an open mind and look for the security controls that best support the nuances of cloud security out of the box.
4. Look for help. While the cloud is still new and scary to a lot of cybersecurity professionals, cloud popularity has produced a growing population of cloud security specialists. CISOs should do thorough background checks on their vendors by grilling management, field engineering, and reference accounts. With the right level of due diligence, you’ll be able to separate the helpful, genuine cloud security specialists from a long line of posers.
Jon Oltsik is an ESG senior principal analyst and the founder of the firm’s cybersecurity service.