Three security leaders help you prepare to lead to a more secure cloud

A recap of the Leading Security Change series focused on the mindset and approach needed to move your organization to a more secure cloud


Are you moving to a more secure cloud?

I recently asked, “Do executives think you are relevant to cloud security decisions?” as a response to the finding that 61% of companies see moving to the cloud as an executive and board-level strategic move.

With that much focus, it’s natural to assess if we’re part of the process.

In many cases, the answer is no: 34% of organizations focused on moving to the cloud cite IT (including security) as the chief cause for the delay.

But it doesn’t have to be that way. The cloud may actually be our opportunity to address the real problem: how we protect the information our organizations depend on. The key is in the mindset and approach.

And that’s the purpose of this program. Here is a summary of the inaugural program in the Leading Security Change series, with the insights the expert panel shared on how to drive the success you need.


Make the decision to lead

As a security leader, you have three basic choices:

  • Lead the effort to a more secure cloud

  • React to the decisions of others, likely with choices you wish were different

  • Get left behind entirely

This series is called “Leading Security Change” for a reason: to share the mindset and actions necessary to exhibit leadership through change. This first program explores what it takes to lead your organization to the cloud.

The program includes a roadmap, insights from security leaders, a recorded and transcribed panel, a reflection, and this summary. Flip through the balance of the slides to get a sense and follow the links for more detail.


Three strategic considerations when moving to the cloud

The roadmap of the series lays out a way to structure the approach to the cloud. Your strategy needs to include three key areas:

  • Selecting: informing and defining criteria to guide the business to solutions that benefit them while protecting information

  • Protecting: once the decision for a specific solution is made, the process of understanding the environment and architecting the best way to keep information safe

  • Operating: the process of measuring, evaluating, and adapting the controls, approach, or solution based on changing needs and available options

Read the balance of the roadmap for additional insights and questions to answer at each stage. Then check out what the experts shared to improve your approach.


Lori MacVittie: Lead, follow, or get out of the way of cloud

Lori MacVittie is consistently recognized as a thought leader in the cloud space and one of the first people I turn to when I have a cloud question.

In “Lead, follow, or get out of the way of cloud,” Lori shared a host of experience, including:

“Leading the way means identifying what you can change and what you can’t and moving from a strategy based on implementation to one based on outcomes. Rather than requiring a network firewall to control access to back office applications, policy should be defined in terms of the outcome: back office applications must be gated and auditable. Moving from an approach that specifies how to one that specifies what will enable IT leaders to seek out solutions that fit each model and lead the inevitable transition rather than try to react after the fact. Specifying how is tactical; what is strategic.”


Joan Pepin: Insider secrets for a security leader to assess a cloud provider

Joan Pepin is a CISO and VP of Security for a cloud-based company. That means she both consumes cloud service from others and addresses the concerns of customers.

Joan’s unique experience as a consumer and provider was the basis for “Insider secrets for a security leader to assess a cloud provider,” including:

“With the unique position of both providing and consuming cloud services, I’ve invested a lot of time working to understand -- and comply with -- the standards we chose. I’ve prepared my team to explain why we made the choices we did, and demonstrate compliance.

When it’s my turn to evaluate others, I frequently run into a troubling situation where a vendor claims compliance. Always with a smile. Since I know to dig deeper, it’s common to discover that they are simply relying on the attestations of the IaaS provider in place of their own.”


Scott Wilson: Why security leaders must seize the opportunity to implement cloud and improve security

Scott Wilson finds himself in the enviable position of getting hired specifically to guide an established company to the benefits of the cloud, securely.

With that background, Scott explained “Why security leaders must seize the opportunity to implement cloud and improve security,” including:

“One easy-to-understand strategic approach is to define the benefits of cloud adoption as an offset of operational tasks. Frequently cited as a means to reduce costs, shunting the daily security operations functions to a cloud services provider is a wise move. Delegation can allow IT security leaders to free up team members who may be focusing heavily on security patching, vulnerability scanning, compliance validation, user revalidation, and other repetitive tasks. These same resources can now pivot in more strategic roles, governing the patch management process; evaluating the results of continuous monitoring; ensuring that user management aligns with the business’ objectives. As we are constantly asked to do more with less, does it not make sense to utilize our full-time staff properly, by executing projects and initiatives which add business value?”


My reflection: the cloud forces better security for everyone

In a series loaded with practical experience, many things stood out. But the “one thing” is the power of the cloud as a forcing function. It is how cloud improves security across the board. Everyone benefits.

Migrating to cloud solutions forces us to think and act differently. That’s needed. And it’s good. Embrace the opportunity to pivot to think about function. Focus on outcomes. Start by asking my favorite question: “What’s the problem we’re trying to solve?”

Learn more about how this question reveals the path to progress by reading “How the cloud improves security for everyone.”


Lead the change you need to improve security

Whether resistance is futile or not, cloud-based solutions are driving security change. While the method is different, this is the change we wanted.

It’s the change we need. We're just getting started.

Leading your organization to a secure cloud solution is an opportunity to enhance security. You might actually be able to get the controls you’ve longed for. Better, someone else takes over the basic responsibility, which affords you the time and energy to focus on higher-level and more valuable tasks.

The purpose of Leading Security Change is to reframe and introduce challenges as solutions. The research and discussions around cloud give me more to share. Look for updates in my regular column on Translating Security Value.

How’d we do for the first one? What topics do you want to see covered next? How can I improve the program for your benefit?