Cloud – a game changer for IT security professionals
Securing the IT landscape is becoming increasingly complex. Security officers and professionals must deal with a multitude of 'moving parts' within an organisation, such as people, culture, legacy, integration, politics, stakeholders. The list goes on.
Even though Chief Information Security Officers (CISOs) of today are more empowered than ever to keep the organisation 'safe', their success is only as good as the level of awareness and buy-in from the rest of the organisation – from board level to the administrator on the ground floor.
However, in many instances, the security strategy itself is being challenged to take a subsidiary role to demands for ever-faster performance and delivery.
One of the most significant challenges facing today's CISO is figuring out how to secure and protect the cloud and its consumption, says Steve James, executive director at Puleng Technologies.
Speaking at Puleng's recent 'Securing the cloud-enabled workforce of the future' workshop held in association with security vendors Exabeam, Netskope and Okta, James said: "Cloud is making security officers rethink, review and revise everything, while trying to align security needs with business strategy, amid a global shortage of IT security skills."
According to Laurent Bourhis, customer success manager at Netskope, there are an estimated 170 000 unfilled cybersecurity positions globally.
Meanwhile, the cloud has changed the way people work, allowing them to be connected at any time, from anywhere and on any device, effectively pushing the network perimeter beyond the organisation's control.
"We have to find ways to make security simpler. Despite the fact that more and more sensitive data is flowing across the Internet, many organisations either don't realise the risk attached to this, or fail to take adequate steps to protect the data, until they actually face a breach," Bourhis said, adding that, "in any event, hackers are often months ahead of current security measures in most organisations."
In addition to the shortage of skills, IT security teams face a host of other challenges, not least of which is conflict and tension between IT and business leadership.
"Infrastructure is no longer leading the business because business can't wait 12 months to get an application. Applications are required much faster. However, we still have to find a way to secure them before they go live," he added.
One way in which some organisations try to deal with this is to institute what Bourhis termed 'crude controls' that block access in some way. The problem is that this often leads to friction within the organisation, with concerns that these controls could damage business productivity. As a result, IT could find itself having to create exceptions and workarounds, which themselves are security risks.
Another major challenge is the lack of a cloud security strategy or documented cloud security policies in most organisations. "How many of you have an AWS policy in place?" he asked the room filled with IT security experts. Barely a hand was raised. "We cannot solve our security problem using the same solutions we have always used," he continued.
Top five issues facing CISOs
Bourhis listed five of the most critical issues that security professionals would face over the next five years:
1. Intelligent integration that would redefine platforms.
2. The need for smart processes that would enable security solutions to scale to cover all aspects of the cloud.
3. Security infrastructure located in the cloud itself – Security-as-a-Service (SaaS).
4. The rise of the Secure Access Service Edge.
5. The merger of the cloud and the Web.