Security has become a hot topic in the tech world over the past year. Between the Facebook scandal, the WannaCry cryptoworm, and countless other malicious data breaches, security is being compromised all over the world, and every company is operating under the concern that it is next. TechRepublic reports that this has caused a decrease in migration to cloud software, which 31% of companies say they distrust to keep their data secure. One in four organizations that use Infrastructure as a Service (IaaS) or Software as a Service (SaaS) have had their data stolen, so it’s no wonder more and more chief information security officers (CISOs) are starting to inquire about how they can use cloud services without sacrificing cyber security.
“Many CISOs think that vendor security is actually a lot stronger than theirs, but ultimately they think that if a breach does happen at some of these vendors, they will still be liable for the fallout,” says Daria Kirilenko, director for information risk research at Gartner. “That’s the major reason for their perception of the cloud as something that should be viewed with caution.” CISOs are also becoming increasingly concerned about the lack of specialized cloud skills within their own security teams, which leaves those teams ill-equipped to implement well-secured cloud services. “They’re unprepared and ultimately they believe that they will bear the responsibility ultimately if something goes wrong,” Kirilenko says.
Even if the vendor is the one who makes the mistake, liability falls on the CISO if there is a security breach. But mistakes can often begin with shareholders, so it’s important that CISOs educate their shareholders on the relationship between the vendor and the internal security team. “It makes a lot more sense for CISOs to be spending time and effort building a strong security team, and educating developers on secure cloud processes, than spending all their time governing and monitoring providers,” Kirilenko says. “They’re going to get better results if they spend effort on building that strong security team, easing the implementation of cloud security for developers who right now are actually going around security.”
Building this strong security team is easier said than done, so it’s helpful to know what qualities make a good one. Companies often want one employee who has extensive, detailed knowledge of cloud security, cloud architecture, and the specific system that the company uses, along with baseline software development skills. This kind of employee, however, is rare if not imaginary, so companies should look at other strategies.
By hiring multiple employees with specialized knowledge and expertise in different niches regarding security, companies can build comprehensive and well-rounded teams. Organizations can often build cloud security by using external resources like a cloud center of excellence, where they rotate people in and out of certain functions depending on what updates and changes they are looking to make. “A lot of successful companies don’t see their internal security resources as a limitation, because they understand that setting up a cloud strategy is something that the organization should do collectively,” Kirilenko said.