The cloud is a challenge for CISOs, especially if they aren’t included in migration plans early enough. How can they adopt a more strategic approach?
The role of the CISO has changed a lot in recent years, said Andy Ng, Cyber Practice Partner at EY, introducing a virtual roundtable in association with Tanium. Ng said CISOs had gradually become more concerned with digitalisation and the cloud, and during the pandemic had also had to manage a rapidly expanded remote workforce.
Attendees at the briefing, all experienced CISOs and cyber-security experts from a range of sectors, agreed that the responsibilities of the role had changed and that CISOs are having to respond by thinking more strategically.
No more “lift and shift”
Part of this is driven by changes to cloud migration itself. As one attendee put it, “The cloud has been emerging for the last 20 years”. It obviously isn’t new, but what is new is a change in approach. Five or six years ago, said one attendee, companies were happy to “lift and shift” their existing on-premises approach to the cloud. Now they want transformation, so the new cloud environment must be an improvement on the old one.
This is a challenge because the organisation has to deal with technical debt and legacy systems, rather than simply transfer them to the new environment. That can add complications because these systems will need to be rebuilt or replaced by a similar application, and that may open up vulnerabilities that weren’t there before.
The CISO’s job isn’t to say no to cloud migration. If the business wants it, then it will happen. But the CISO must ensure that cloud migration can happen securely. The problem is that if they aren’t involved early enough, the whole process can be slowed down by trying to ensure compliance and security concerns are met.
Focus on people and culture
That’s why strategic thinking is vital. All attendees agreed that CISOs need to be involved at the outset of the cloud migration journey or, where those journeys have already begun, as soon as possible. It is important to put aside the technological concerns and ask what the business strategy is and what the business goals are. Then the CISO can work towards a solution.
Getting the right solution in place, attendees suggested, is a matter of people and culture. Once again, technology solutions are not necessarily the vital focus. One attendee told how he had given engineers a tool to find vulnerabilities in their apps, and asked them to test their applications before coming back to him. What he found was that, as a matter of pride, they fixed the vulnerabilities they found before reporting back. He had managed to help them understand the process and found a way to effectively extend his security team.
It still isn’t easy, however. The CISO must now ensure security across an extended supply chain. It isn’t just the organisation’s own security that is relevant but the security of its suppliers, and even that of those suppliers’ suppliers. Gaining visibility of the vulnerabilities there is a challenge for two main reasons. First, many cloud vendors have flaws that aren’t always possible to fix. Second, big cloud providers are often unwilling to share the information the CISO needs to assess security.
There is a lot to learn, attendees agreed. Very few people can explain how to complete a cloud migration journey successfully because so few have done it. Most are ongoing, even if they are in their third or fourth phase by now. The role of the CISO is likely to have to keep evolving for some time yet.