Cloud deployments signal shift in CISO's role

CISOs have more influence in enterprise cloud adoption, from the procurement of cloud services to controls and policy enforcement in layered environments.

It's a common misconception that most cloud deployments occur to save money. Initial savings were once the primary driver -- but not anymore.

More organizations cite speed of deployment, scalability and central compliance management as key contributors to cloud projects, according to a September 2015 SANS Institute survey. (Disclosure: I'm the SANS analyst who authored the survey results.)

As more enterprises deploy workloads to the cloud, the role that security plays grows in importance. Many organizations are asking security officers for greater input before cloud deployments, although budgeting for security, especially in business units, is still lagging on these projects.

The CISO role will need to evolve from "policy and compliance" to "policy and enablement," said Joey Jablonski, vice president and principal architect of big data at Cloud Technology Partners, in a 2015 blog post. Why is this the case? Cloud computing deployment is happening with or without the security team since the perceived benefits far outweigh the drawbacks (in most cases). The security team needs to grasp this crucial distinction: We're not the team that says "no" anymore. We're the team that says "yes, but let's be careful."

Hazy on network security controls

An October 2015 SANS survey on hybrid data centers (I wrote that report, too) found that 44% of organizations cite lack of visibility into the cloud provider's network environment as the biggest challenge to setting up security in the cloud. This is a consistent theme -- we don't know what we don't know -- and cloud providers aren't obligated to disclose details about the security of their networks. But it is information that many businesses desire to help them make informed decisions before entrusting their data to a third party whose infrastructure may rely on other services. 

Enter the CISO -- master of distilling lots of ambiguity and unknowns into something remotely resembling a sane risk-based perspective. In many organizations, whoever performs the CISO role is a direct liaison to the technical side of security. He or she is responsible for translating arcane details into concepts that executives can grasp so that the company can make the best possible decisions in an increasingly complex technology landscape.

First, any third-party infrastructure or data deployment brings new risks, some of them uncontrollable. Does the decision make sense from a risk tolerance standpoint? Second, the security team will need to evaluate the cloud provider's controls and policies alongside any vendor management and legal reviews that IT and other departments perform. Third, many design and implementation details require input and operational maintenance from the security team, especially in a platform as a service or infrastructure as a service project.

CISO migration to cloud

Much of this work is tactical in nature, so where should security leaders focus their efforts? First, they will need to interface with the vendor management and procurement teams to ensure they have the required security criteria for cloud computing deployments: What controls are required, based on the type of data involved? What is an acceptable response in a SOC 2 report or ISO 27002 certification? Likewise, the legal team will need assistance to understand the data breach notification requirements, data lifecycle requirements and other contractual stipulations that focus on security. In this way, the CISO plays a critical role in educating other teams on what the organization needs and expects with regard to security and compliance requirements in the cloud.

Things are only getting more complex, and this includes the increasingly common use of layered cloud deployments (vendors and providers using cloud themselves), geographical data location considerations that include changing laws and regulations like Safe Harbor, and new attacks and vulnerabilities that may affect cloud provider environments. Business executives want to leverage technology to further the goals of the enterprise but may not fully grasp the risks that come with outsourcing major aspects of infrastructure and application deployments. CISOs will need to constantly educate other senior executives about the changing technology and security landscapes related to virtualization, containers and overall cloud technology.

In addition, security as a service options for encryption, identity, configuration and vulnerability management may offer new capabilities that the security team needs to properly secure software as a service and other cloud computing deployments. The CISO will need to explain what these new products and services bring to the table.

Drawing the line with business units

In some ways, this leads us back to business drivers, and we get to the less enviable parts of the CISO's role. Many business unit and operations teams will come to the table with proposals for cloud projects that sound amazing -- incredible features, rapid implementation, unlimited scalability and so much more! The CISO will need to temper this enthusiasm a bit with the sobering truth of security overhead; most of the cloud providers that these teams will want to use don't offer much in the way of security controls, and additional tools and services will frequently be needed to meet internal or industry and regulatory standards. The CISO will need to be involved in projects at the earliest stages to ensure that cost models include security controls and services needed to protect the organization adequately as business units move forward.

Remember: We're enablers. This means being honest and open about the risks and additional costs associated with cloud use, which won't always make the CISO role popular. The good news? The CISO has never been the most popular executive in the room to begin with, so…keep on doing what you're doing.

About the author:
Dave Shackleford is the owner and principal consultant of Voodoo Security LLC; lead faculty at IANS; and a SANS analyst, senior instructor and course author. He previously worked as CSO at Configuresoft; as CTO at the Center for Internet Security; and as a security architect, analyst and manager for several Fortune 500 companies. He currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.