Look at any industry data and you’ll see a consistent trend – the march toward cloud computing continues to gain momentum. According to ESG research, 75% of organizations are currently using public cloud services (note: I am an ESG employee). This is dominated by the use of SaaS today but ESG research reveals that 38% of organizations use IaaS while 33% use PaaS. The research also indicates that these numbers will continue to increase in the future.
Now before you short HP and double-down on AWS, there is also a potential fly in the ointment – the global cybersecurity skills shortage. ESG research indicates that 46% of organizations say that they have a “problematic shortage” of cybersecurity skills in 2016, up from 28% last year. ESG also asked survey respondents to identify the area where they have the biggest cybersecurity skills shortage. Not surprisingly, 33% say that their biggest deficiency was cloud security specialists, followed by 28% who pointed to a deficiency with network security specialists, and 27% who have a shortage of security analysts – pretty scary stuff when you think about cloud security defense along with incident detection and response for cloud-based cyber-threats.
Yup, I get it: The cloud computing train has left the station and there’s no stopping it now, but it certainly won’t reach Eurostar speeds if there aren’t enough cybersecurity professionals with the right cloud computing knowledge to support this transition.
Given this imbalance, what can CISOs do to support cloud computing business initiatives AND mitigate risk appropriately? Here are a few suggestions:
1. Start with cloud visibility. CISOs must know what they are up against so they can educate business executives and map out a strong risk mitigation strategy. This means embracing things like Amazon’s CloudTrail and Salesforce APIs, exploring CASB visibility solutions from Elastica, Netskope, and SkyHigh, and integrating cloud monitoring data with current security operations and SIEM tools from IBM, LogRhythm, and Splunk. The goal here is simple – workloads running in the cloud should have at least as much visibility as those that reside in corporate data centers. Armed with this situational awareness, CISOs and business executives can make educated, data-driven, and real-time risk management decisions.
2. Add strong controls – everywhere possible. To decrease the attack surface, these should be fairly comprehensive, encompassing who gets access to what services in the cloud. Consequently, CISOs should bolster network security controls using network proxies (i.e. Blue Coat) and/or NGFWs (i.e. Check Point, Cisco, Forcepoint, Fortinet, Palo Alto Networks), and identity and access management tools (Centrify, Okta, Ping Identity), while locking down cloud-based sensitive data (i.e. CipherCloud, Symantec, and Vormetric). Oh, and it also makes sense to manage privileged accounts with tools from BeyondTrust, CyberArk, Dell, or Thycotic.
3. Investigate cloud-centric security solutions. The pervasive cybersecurity skills shortage means that many CISOs won’t have the resources to cobble together their own security technology infrastructure. Organizations in this situation should look for cloud security technology experts like Illumio, HyTrust, Trend Micro, and vArmour. These guys are way ahead in terms of cloud security skills and solutions so they may be able to help organizations bridge their own skills gaps.
4. Get aggressive cloud security training as soon as possible. The industry at large recognizes the need for more cloud security skills training. CISOs should begin by encouraging the security team to peruse all of the training resources available from the Cloud Security Alliance (CSA), and this document from NIST is also worth distributing and reviewing for starters. SANS offers some basic training on cloud security fundamentals, and ISC2 now provides a certified cloud security certification. Of course, classroom education should be complemented by ample hands-on experience. After adequate training and practice, senior cybersecurity team members should be tasked with mentoring the more junior staff.
CISOs beware, you may be headed for danger ahead. You could face angry business managers if you attempt to slow down cloud computing adoption. Alternatively, you could face an angry mob of regulators and customers is poor cloud security oversight leads to a data breach. The time to act is now.