The Cloud’s Effect on Evolving Security Roles
Businesses have changed how they operate in countless ways during the coronavirus pandemic, including accelerating migration to cloud technologies.
Before COVID, businesses had the luxury of managing the cloud transition at their own pace. But when the pandemic hit, ushering in a new era of remote work, many businesses moved to cloud-based technologies without necessarily giving those tasked with cybersecurity time to prepare.
No one has felt the impact of the cloud transition more than IT teams–and, most of all, chief information security officers. It’s no exaggeration to say that cloud-based infrastructure has imposed an entirely new set of priorities on CISOs and IT staff. In this blog post, we’ll explore how the cloud has redefined security roles and what CISOs can do to adapt to the new reality.
The cloud has changed the IT role forever
The cloud transition hasn’t caused businesses to lay off IT staff. Rather, it has forced IT teams to evolve and develop new skills and capabilities in the face of new responsibilities.
As we noted in another CYREBRO article, the role of IT has traditionally focused on protecting a primarily static network environment. But in a world of cloud-based technologies where organizations no longer have a single, large perimeter, the role has become more complex. Today IT professionals must have the ability to evaluate different solutions from different vendors, ensuring the secure integration of each solution into the technology stack.
In this era of large-scale cloud adoption, IT professionals must also form and nurture relationships with vendors, as Atlassian has noted. Gone are the days when IT teams took over all responsibility for maintaining software immediately after the point of sale. Today IT teams must stay in constant communication with vendors to ensure that updates are delivered in a timely manner and that any security flaws are quickly patched up.
Finally, moving to the cloud means everyone in an organization must take responsibility for cybersecurity to some extent. IT teams can reduce security risks by establishing data protection policies, encrypting sensitive data, setting limits on how users share data, and preventing data from moving to unmanaged devices, according to McAfee’s recommendations. But it is also essential that IT teams train staff to use cloud services responsibly and turn staff violations into teachable moments.
CISOs have new priorities now
The traditional role of a CISO has been to safeguard their organization against cyber threats and reduce potential risks, as noted recently in Tech Beacon. CISOs and security teams had a reputation for dragging out approvals of new software or hardware for months, leading others to view them as barriers to technology adoption.
In this new world of fast-paced technology adoption, it is incumbent on CISOs to help facilitate the uptake of cloud-based tools–and on other C-level executives to involve CISOs as early as possible when bringing in new cloud solutions.
As PwC noted in its 2022 Cyber Global Digital Trust Insights report, CISOs must move out of the technology trenches and broaden their outreach – learning from the CFO (chief financial officer) how to talk about the financial implications of risk, for example, in a language the board understands, or working with the product manager to devise developer-friendly ways to secure applications.
This change may require a mindset shift for many CISOs, the report further noted. CISOs interact most frequently with chief information officers and chief technology officers and less frequently with other leaders such as CFOs and chief marketing officers, according to a PwC survey on the matter.
“CISOs will need to spend more time with these business partners to begin to speak their language and better understand their business imperatives,” the PwC report summarized.
Where external cybersecurity providers fit in
A 2021 study by the International Information System Security Certification Consortium, better known as (ISC)², estimated the number of unfilled cybersecurity positions at 2.72 million. Although an (ISC)² survey of cybersecurity professionals found that 40% viewed cloud security as a top priority for professional development, only around 20% of professionals reported holding one of the main cloud security certifications (e.g. CCSP, AWS CCP, CCSK).
The talent shortage has put all the bargaining power in the hands of the cybersecurity professionals, much to the detriment of businesses. As Deloitte has noted, onboarding and training for even Level 1 analysts can last almost a year, but the average tenure of these analysts is only about two years–a low return on investment.
Given the difficulty in attracting cybersecurity professionals, not to mention the complexity of securing a perimeter-less cloud environment, it is no wonder small and medium businesses are turning to managed Security Operations Center (SOC) providers for protection.
A good (and most importantly, cloud-based) SOC can be the most effective means of governing your IT system and all devices that have access to it. Having a cloud-based managed SOC doesn’t mean you need to go out and replace your IT team. At its core, a managed SOC monitors your infrastructure for new threats and escalates the most urgent alerts, freeing your IT team to focus on other tasks.
Like it or not, cloud-based solutions are here to stay–and will only become more important for businesses with time. Rather than resist change, CISOs and IT professionals should embrace it–updating their skillsets and capabilities to ensure they remain relevant in the new era. And where possible, CISOs should also consider the help of outside forces–such as a good cloud-native security provider.