“To stay relevant and ahead of the competition, CEOs across industries are prioritizing growth and speed of innovation over cost.” — McKinsey & Company, 2019
McKinsey’s quote above captures a key reason why businesses are moving in droves to the cloud. Simply put, cloud itself is growing at hyperscale because CxOs are demanding it. In the 2019 report, McKinsey found that the top priorities of CEOs were revenue acceleration, improved agility and faster time to market. These findings are highly relevant for security professionals because they underscore the need to modernize not only tooling but, more importantly, how security teams are structured.
As the CSO of the public cloud at Palo Alto Networks, I get the amazing opportunity to work with security teams around the world. In an effort to shed light on how some of the largest organizations have structured their cloud security teams to respond to CxO demands, I’ve curated (and anonymized) two case studies.
Case Study #1: Begin with the End in Mind
A security manager working at a global animal health company was tasked with securing the rapid buildout of cloud infrastructure in both Azure and AWS. He initially assigned a security systems administrator from his team as the cloud lead but quickly realized the sysadmin was in over his head.
The security manager said that during their weekly project reviews, he and the sysadmin had many conversations about how the sysadmin was interacting with his peers in the cloud business office. The security manager would give the sysadmin suggestions on how he could better advocate for security and ensure things were being done securely. He eventually realized, though, that because he hadn’t taken the time up front to document what success looked like from a security perspective, he wasn’t putting the sysadmin in a position to succeed.
Over the course of the next week, the security manager cleared his calendar and worked closely with the sysadmin to document their cloud security strategy.
The security manager said they created success metrics and milestones for each area. The result was 100 percent clarity for both of them, as well as for the rest of the team who would eventually get involved. After another two weeks, something else became apparent: they didn’t have the knowledge and skills in-house to keep up with the pace of their development and IT teams. The two worked with a trusted partner to bring in short-term resources to fill critical skills gaps.
Looking back over the first three months of the project, the security manager realized that had he taken the time to deeply understand the project requirements, he would have brought in help from the beginning. He said he completely underestimated the knowledge and time it would take to transform the way they approach security in the cloud. He thought they could reuse most of their existing processes and security tools, but this wasn’t the case. In the end, they opted for a Cloud Native Security Platform (CNSP).
Case Study #2: Collaborate Outside of Security
A director of cloud security for a global professional services company was tasked with building out a cloud security team, establishing a global cloud security standard and working with IT to get new security controls deployed. Her biggest challenge was trying to figure out how to do all this herself while simultaneously building out a new team.
She had done many cloud security projects as a security architect in the past but this was her first time owning it from start to finish. She said she really felt isolated from the rest of the security team as well as IT. Even though she reports to the CISO, she received no direction from him other than to “make the cloud secure.”
She knew she couldn’t do all the work herself, since she was expected to build a cloud security team, and she had to execute quickly rather than think like an architect.
Over the course of the following month, she scheduled numerous one-on-ones with peers in security, IT, risk, compliance, finance and legal. What she gleaned from these conversations was invaluable. Not only did she build relationships and allies, but she was able to bring together groups that all had several goals in common: business acceleration, managing risk, reining in cloud spending and regulatory compliance. With this new view into requirements, she set out to develop her strategy, milestones and resource requirements.
She said that once she had documented these important elements of the project, she met with her manager (the CISO) and presented her strategy in only four slides. After making some adjustments based on his feedback, she got the green light to proceed.
Over the course of the next six months, she hired three full-time employees and two contractors. She also held bi-weekly briefings with the colleagues she met in her first month on the job. In the end, the security director said the build-out of the cloud security team and implementation of security standards was successful because she had a plan that included feedback from outside of security. Had she tried to do this in isolation, one can only imagine that the outcome would have been far from optimal.
Team Composition Is the Key to Business Acceleration
As the two case studies above show, how you structure your cloud security team is critical to enabling business acceleration. McKinsey points out that 52% of CIOs cite security requirements and compliance constraints as their biggest challenges to delivering on agility objectives. This challenge puts security teams in a strong position: with the right organizational structure, they can not only alleviate these CxO challenges but actually anticipate and solve them in advance.
For more insight from security thought leaders, Cloud Native Security Live, 2020 Virtual Summit is your opportunity to learn from the experience and expertise of developers, DevOps pros and IT leaders who all have so much at stake in container technologies and DevSecOps. Hosted by Prisma, from Palo Alto Networks, in partnership with The New Stack, you can still virtually attend this event held Feb. 11, 2020, for a full day of discussions about cloud native security — brought to you online wherever you may be.
Feature image from Pixabay.