How to make CISOs comfortable with cloud security
A cybersecurity talent shortage and concerns over data breaches have many CISOs delaying cloud migrations.
Virtually all organizations are moving some workflows and assets to the cloud. But concerns over security controls and a talent shortage have many CISOs worried, with 40% of companies slowing migration due to these issues, according to a recent report.
While 83% of IT professionals said they store sensitive data in the public cloud, only 69% said they trust the public cloud to keep their data secure, the report found. Cloud security issues are rampant: One in four organizations that use Infrastructure as a Service (IaaS) or Software as a Service (SaaS) have had their data stolen, according to the report. Meanwhile, one in five said they have experienced an advanced attack against their public cloud infrastructure.
"We get a lot of inquiries in terms of how to protect your data in the cloud, how to move your identities to the cloud, and how you do network security," said Andras Cser, vice president and principal analyst at Forrester. "A lot of times we see folks even holding off of security projects in this area."
But the reasons that CISOs often distrust cloud security are more nuanced than some reports might suggest, said Daria Kirilenko, director for information risk research at Gartner.
"Many CISOs think that vendor security is actually a lot stronger than theirs, but ultimately they think that if a breach does happen at some of these vendors, they will still be liable for the fallout," Kirilenko said. "That's the major reason for their perception of the cloud as something that should be viewed with caution."
CISOs also tend to believe that their security team does not have the proper skills to implement a cloud strategy at their organization, Kirilenko said. "The CISOs believe that ultimately they're unprepared to support the organization in its rapid adoption of cloud," she added.
Many security teams lack the knowledge of what cloud security should look like at their organization, as most traditional security practices can't be transplanted to the cloud environment, and instead must be rebuilt, Kirilenko said.
"They're unprepared and ultimately they believe that they will bear the responsibility ultimately if something goes wrong," Kirilenko said.
Building a cloud security team
Responsibility for breaches in the cloud often does fall back on the CISO, even if the vendor is at fault, Kirilenko said. CISOs should educate their senior business stakeholders about the fact that cloud security is a responsibility shared between the vendor and the internal team, she added, since many security issues arise when internal stakeholders make a mistake.
"It makes a lot more sense for CISOs to be spending time and effort building a strong security team, and educating developers on secure cloud processes, than spending all their time governing and monitoring providers," Kirilenko said. "They're going to get better results if they spend effort on building that strong security team, easing the implementation of cloud security for developers who right now are actually going around security. Oftentimes they don't correctly implement cloud security, and this increases the risk of using their cloud vendor."
Cloud operations, cloud architecture, or cloud security workers are usually responsible for cloud security, but it's common to see more traditional security workers struggling with the new platforms as well, Cser said.
When it comes to building a cloud security team, it's typically not feasible for companies to seek out a "unicorn" candidate who is an expert in a certain cloud provider, understands cloud architecture, and has software development skills, Kirilenko said. Instead, CISOs should consider their security team as a portfolio of skills.
"You need to first understand what the skills are that you really need to have for the cloud," Kirilenko said. "A lot of times, it's actually not super important to find individuals who are aware and know the inside and out of each individual provider. That's something that these individuals can develop over time."
Instead, you should build a team with individual strengths that add up to a collective security whole, Kirilenko said. For example, one worker may have the necessary software development skills, while another is strong in enterprise architecture, and another in solutions architecture.
CISOs should also keep in mind that they don't need to build all cloud security using only their own team, Kirilenko said. Some companies set up a cloud center of excellence, and rotate people in and out from different functions, such as applications and infrastructure, and use those individuals to strengthen security at the organization.
"A lot of successful companies don't see their internal security resources as a limitation, because they understand that setting up a cloud strategy is something that the organization should do collectively," Kirilenko said.
CISOs should also make adhering to cloud security guidelines easy for developers, Kirilenko said. Another practice of successful organizations is developing a common security platform that houses APIs and reference architectures that developers can use to quickly understand how to implement security guidelines in their applications.
"Think in terms of how to ease the burden on your stakeholders to do the secure thing—you need to make the secure way the easy way," Kirilenko said.