A Letter to the Modern CISO: Part 1

Are You Feeling Cloud Security Imposter Syndrome?

The typical cloud is likely less secure than an organization believes it is, and that is because most security professionals do not have a clear picture of their entire cloud. How did they get here? Well, enterprise digital transformation has historically placed so much value on speed in development, that cloud security has fallen by the wayside. Many organizations find themselves moving to the cloud once the business discovers it can offer them major cost savings and increased efficiency, but their procedures, tools, dashboards and security strategies are consistent with on-prem days. 

Cloud CISOs: while cloud-based application development has brought great benefits to your organization, it has eviscerated the traditional security controls you had in place. Cloud growth has created unique risks that your current tools cannot manage. When previously tried-and-true tool sets and strategies begin to collapse, your frustration increases, leaving you feeling exposed and out of place. CISOs today are feeling Cloud Security Imposter Syndrome.

After spending the past six years working to secure the cloud for industry-leading organizations, I have seen it all and I can empathize. I have come to learn that securing the cloud is a challenge with no magic bullet, but if done correctly, the cloud delivers security far better than anything previously possible on-prem.

In this three-part blog series, I will examine three major cloud security challenges that modern CISOs and organizations are struggling with, based upon industry research. First, I will highlight the reality that many organizations are running blind to a myriad of risks in their cloud environment. Second, I will examine the role DevOps has come to play in securing your cloud, and how to better utilize DevOps teams moving forward. Lastly, this series will explore how the paradigm has shifted and why Identities, not the network, form the security boundary of your cloud. Throughout, this essay aims to bolster your reputation as a cloud CISO by arming you with research findings and recommendations, to help you leave behind Cloud Security Imposter Syndrome, and to get you recognized as the pioneer who made your cloud a showcase of exceptional security.

Lack of Visibility is Putting Your Company, Your Reputation, and Your Job at Risk

Ignorance is not bliss; in fact, it is putting your company, your reputation as a security professional, and your job at risk. Yes, that is a strong statement, but it is not an indictment of intention. Instead, it is meant to point out where many professionals working in cloud security currently are, and to act as a call to action to get you where you need to be. Previously, Sonrai Security hired Osterman Research to conduct an independent research report looking into The Good, The Bad and The Ugly of Cloud Security. The findings confirmed the anecdotal experiences and hypotheses of many CISOs. The greatest takeaways regarding enterprise perception were:

  • 86% of Enterprises consider their cloud environment to be “Business Critical.”
  • 75% of organizations state that cloud security risk is at best “not getting better” or more alarmingly “getting worse.”
  • 80% of security leaders are concerned about Identity and Data Security.
  • Almost half of all respondents are concerned about lack of visibility across their cloud.

Examining the level of investment into training and support of the cloud, the study found almost 50% of respondents stated that their organization:

  • Is not appropriately funding education and training for the teams supporting and/or responsible for securing the cloud.
  • Is not appropriately staffing their cloud operations and cloud security teams.

What these conclusions make glaringly clear is that while the cloud is critical to the business, there is a lack of visibility into the risks it entails. Additionally, there is widespread underinvestment in the processes responsible for securing the cloud. As a result, the report finds that the state of cloud security is getting worse.

Over the first six months of 2022, Sonrai Security's Research team conducted an analysis of our customer base. The analysis found that most of the organizations were unsuccessful in achieving what Sonrai defines as the most basic state of security for their cloud, as measured by the Sonrai Security Maturity Assessment. Of those that were able to meet the basic needs, only a very small percentage were able to get past the basic state. Essentially, most organizations are either not prioritizing the security of their cloud or are unsuccessfully attempting to secure it.

While the statistics on their own are alarming, the resulting risks are even worse. Over years of protecting clouds and working with organizations large and small, I have seen the following risks, many of which went completely undetected until the organization's partnership with Sonrai:

  • Travel manifests found in publicly exposed data stores, accessible without authorization.
  • VPN access and transmission secrets exposed to all Identities across a large organization.
  • Cloud access secrets exposed to the Internet, with neither authorization nor auditing enabled.
  • Multiple vulnerable VMs exposed to the Internet, with attached Identities that have access to highly sensitive data and the ability to manipulate, ransom, steal and delete that data.

My experience over the years has led me to conclude that most security leaders are blind to the risks in their cloud, putting not only their company, but their individual reputations, at risk. The lack of visibility is one of today's greatest cloud security concerns, and it needs urgent consideration, as your cloud has likely already gotten away from you. Shedding light on your cloud means unearthing, prioritizing, and helping your business manage risks in every corner of your cloud. This is only possible by dedicating the appropriate budget to find, educate, and train the Security and DevOps teams – first on the basics of cloud, and then on how to secure it.

The next blog in this three-part series, available 3/9, will define the current security crisis among DevOps teams and explore further Sonrai Security research.

Editor’s Note: This blog series is derived from a contributed piece originally available on Help Net Security.