A few days ago, I had the privilege of attending a boardroom discussion of CISOs at the virtual NYC CISO Summit on the topic of Rethinking Security and Governance in the Public Cloud. The boardroom discussions are great since they serve as an opportunity to benchmark various CISO topics, and to discover challenges that the community is facing.
It's clear from our discussion that the ways in which we build technology value have changed drastically. Shifts from monolithic software to microservices, from waterfall development to agile, from IT to DevOps, and from data centers to cloud form the foundation of the ‘digital disruption’ revolution executives are leading.
With this evolution, it is clear that organizations must re-invent how they govern and secure in this “new world.” The old control points of corporate IT, perimeter firewalls, and managed endpoints simply don’t cut it in the new world of cloud development. Today, cloud service providers (CSPs) look after the underlying infrastructure, but under the shared responsibility model the enterprise still owns everything it puts on top of it, so the new control points center on identity, data, and the workload itself.
Our session was attended by 23 CISOs from public and private companies in a variety of industry verticals including Finance, Insurance, Retail, and more. Every CISO in the group expressed some challenge with the complexity of the public cloud. For larger or more security-mature organizations, the complexities included a lack of integration between departments such as DevOps, audit committees, and operations.
Compliance and security go hand-in-hand in the public cloud, even though we have all heard CISOs and CIOs exclaim, on numerous occasions, that compliance is not security. An organization can be completely compliant and yet quite vulnerable to a data breach. Many of the data breaches in the last decade have involved organizations that had passed numerous compliance audits. Being compliant is not the same as having a good cloud security posture.
Many CISOs in our group approach this topic from the other direction. For them, an organization cannot claim to have a good cloud security posture without first attempting to align against, and comply with, some standards framework. More importantly, these CISOs are trying to drive home to their senior executives and board members that it is impossible to be compliant against any data protection standard without an appropriately good posture underneath it. They use this argument to fund important security initiatives with compliance dollars.
Our group’s CISOs are seeing privacy become a real hot-button topic with board members with the advent of GDPR and similar regulations. They are beginning to receive requests from the board to be briefed on these topics and informed about the state of the organization’s “privacy compliance.” Many of our group’s members see this as a huge challenge, because many cannot effectively answer “where is my data?”, “who can access my data?” and “when has it been accessed?” They foresee many difficult discussions wrestling with questions like “who and what exactly do we do with our customers’ data?” while “not stopping the business” or increasing risk.
Cloud complexities will continue to grow. The widespread adoption of cloud-native computing, microservice-based architectures, containers, and serverless has led to an explosion in the number of ways that human and non-human identities (service accounts, roles, workloads) can access sensitive data in public clouds. While this leads to incredible innovation, if ungoverned it leads to a great deal of risk. Many CISOs must address the need for modern cloud-native organizations to find and prevent vulnerabilities that arise from the interrelationships between identities (human and non-human) and data.
Finding and eliminating complex identity and data access risks, in a way that aligns with how applications are developed today, is a big challenge for security teams. Many CISOs struggle to fit remediation into the operational workflow of the teams that create the risk, so findings are not fixed where and when they are introduced. Early cloud security tools focused on simpler network-centric configurations and sent too many alerts to the wrong teams. The CISOs in our group think that a new cloud security model needs to be heavily focused on identity and data.
Shifting left needs clarity. Some CISOs felt very strongly that this was their (very frustrating) Achilles heel. There is still significant work to be done, particularly in integrating security checks earlier in the CI/CD pipeline. Although there is an industry-wide push to shift left, greater clarity is needed on how teams’ daily responsibilities are changing, because it impacts the entire organization’s security proficiency.
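To make the “who can access my data?” question from the preceding paragraphs concrete, and to show what a shift-left check for it could look like, here is an added example that is not code from the summit, the author, or any vendor product. It models a simplified cloud IAM: principals (human users and non-human roles or service accounts), allow/deny policy statements with wildcard matching, and trust relationships that let one identity assume another. It then answers which identities can reach a data store, directly or through a chain of assumed roles, with explicit denies taking precedence, and returns findings a CI job could fail on. Every identity, policy, resource name and allowlist below is constructed sample data; the evaluation rules are a deliberate simplification of real provider semantics.

```python
"""Effective-access review for cloud identities and data stores (added example).

Models a simplified IAM and answers "who can access this data store?" including
access gained by assuming other roles. Assumptions: explicit Deny wins over Allow,
wildcards follow shell-style matching, and an assumed role's permissions replace
(not add to) the assuming principal's own. All sample data is constructed.
"""
from collections import deque
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Principal:
    name: str
    kind: str                                   # "human" or "non-human"
    statements: list = field(default_factory=list)  # (effect, action_pattern, resource_pattern)
    can_assume: set = field(default_factory=set)    # identities this principal may assume


def allowed(principal, action, resource):
    """Evaluate one principal's own statements: any matching Deny wins, otherwise
    access requires at least one matching Allow."""
    decision = False
    for effect, action_pattern, resource_pattern in principal.statements:
        if fnmatchcase(action, action_pattern) and fnmatchcase(resource, resource_pattern):
            if effect == "Deny":
                return False
            decision = True
    return decision


def reachable_identities(directory, start):
    """Breadth-first search over trust relationships. Returns {identity: path}
    for every identity reachable from start (start itself included); the visited
    set guards against trust cycles, and paths come out shortest-first."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for nxt in sorted(directory[current].can_assume):
            if nxt in directory and nxt not in paths:
                paths[nxt] = paths[current] + [nxt]
                queue.append(nxt)
    return paths


def who_can_access(directory, action, resource):
    """Return {principal: assumption path} for every principal that can perform
    action on resource, either with its own statements or via role chaining."""
    result = {}
    for name in directory:
        for identity, path in reachable_identities(directory, name).items():
            if allowed(directory[identity], action, resource):
                result[name] = path
                break
    return result


def review(directory, action, resource, expected):
    """CI-style gate (constructed): list principals that can reach the data but are
    not on the expected allowlist, with the path that grants the access."""
    access = who_can_access(directory, action, resource)
    return sorted(
        f"{name} ({directory[name].kind}) can {action} on {resource} via {' -> '.join(path)}"
        for name, path in access.items()
        if name not in expected
    )


def build_sample_directory():
    """Constructed sample identities. The over-broad trust from deploy-role to
    data-engineer-role is the kind of indirect path a bucket-policy review misses."""
    pii = "arn:aws:s3:::customer-pii/*"
    principals = [
        Principal("alice", "human",
                  [("Allow", "s3:GetObject", "arn:aws:s3:::public-assets/*")],
                  {"data-engineer-role"}),
        Principal("bob", "human",
                  [("Allow", "s3:*", pii), ("Deny", "s3:DeleteObject", pii)]),
        Principal("auditor", "human",
                  [("Allow", "s3:*", "arn:aws:s3:::*"), ("Deny", "s3:GetObject", pii)]),
        Principal("ci-runner", "non-human",
                  [("Allow", "s3:PutObject", "arn:aws:s3:::build-artifacts/*")],
                  {"deploy-role"}),
        Principal("deploy-role", "non-human",
                  [("Allow", "s3:PutObject", "arn:aws:s3:::build-artifacts/*")],
                  {"data-engineer-role"}),
        Principal("data-engineer-role", "non-human",
                  [("Allow", "s3:GetObject", pii)]),
    ]
    return {p.name: p for p in principals}


if __name__ == "__main__":
    directory = build_sample_directory()
    target = "arn:aws:s3:::customer-pii/records.csv"
    for finding in review(directory, "s3:GetObject", target,
                          expected={"alice", "bob", "data-engineer-role"}):
        print(finding)
```

Run stand-alone, the gate reports that `ci-runner` and `deploy-role` can read the PII object through the `deploy-role -> data-engineer-role` trust, even though neither has a statement mentioning that bucket; that is the identity-to-data relationship the paragraphs above describe. The same function run on `s3:DeleteObject` shows the other half of the evaluation: `bob`'s explicit Deny blocks him despite his `s3:*` Allow, while `auditor`'s broad Allow is only narrowed for reads. Treating the allowlist as a reviewed artifact in version control and failing the pipeline on any new finding is one concrete form of “shifting left” for this class of risk.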
Building on the success of this boardroom session, we’re looking forward to ongoing, productive conversations that focus on key data security issues including compliance, data governance, identities, and more. With this evolution underway, it is clear that leaders are re-inventing how they govern and secure in this “new world,” and we are here to help.