As I travel the globe talking with security professionals and C-suite executives, I get asked a lot of questions. How do I make my cloud more secure? What do you think of technology XYZ? Which cloud is better? What steps can I take to not get breached like X company?
But for whatever reason, one key question I'm rarely asked is how to structure a security team for success in the cloud.
Why don't security professionals ask me this question more often?
As technologists, we like shiny new security toys. However, there is a cost to focusing on the toys and not the humans who are expected to manage our bright shiny tools. If you take the right approach, humans will be the first place you focus your efforts when aiming to secure the cloud.
The most important issues in life are solved with questions, not answers. — Andrew Sobel
Follow the Leaders
Organizations that have moved successfully to the cloud while keeping their cyber risk in check typically follow similar patterns. Cloud isn’t just another project. It is understood from the C-suite down to be the driving force behind all digital business hype (for good reason). Leadership reinforces this message by dedicating resources to what’s become commonly known as the Cloud Business Office (CBO).
Following a similar approach, it is common for forward-thinking security teams to carve out a dedicated cloud security group. The play for security teams is to ensure the cloud security team has not only representation but leadership in the CBO. If your organization does not yet have a CBO, take the lead and advocate for getting one created. This will not only provide the governance and oversight needed in your cloud program but will positively elevate how the security team is viewed. There is a financial cost, but keep in mind that the team is also not designed to last forever (more on this below).
Resources assigned to the CBO should not only be dedicated but also relieved of any legacy operational responsibilities. This approach, while initially expensive, will pay dividends in the form of risk reduction and business agility many years into the future.
Set Expectations Clearly
The scale of your organization will often dictate the size of your cloud security team. Rather than focusing on numbers, instead, focus first on the mission. What are you hoping to achieve? What does wild success look like? How will you know when you’re finished? Developing a cloud security mission and strategy doesn’t have to be a multiweek event. It should, however, involve feedback and input from beyond the security team. The end result of this process should be a clearly articulated one-page document that answers the questions posed above, while also making it clear that the cloud security team isn’t designed to last forever.
Just like other revolutionary technologies before it, the public cloud will eventually become commoditized and not require a dedicated security (or IT) function. Organizations that have reached this point of maturity call it by another name: DevSecOps. The cloud security strategy document then becomes the organizational North Star. Taking the time upfront to get extremely clear on vision and strategy makes for easier decisions down the road.
Staffing for Success
Many CISOs, when working to build out a cloud security team, assume they need to hire someone with many years of experience in the cloud. Instead, hire from within. Who on your team has shown the strongest propensity for learning and taking on new challenges?
Remember, APIs and shared responsibility are the main differentiators in public cloud. If someone is a solid performer on your existing team and loves to learn, you just might be looking at your future cloud lead. When it comes to cloud security architecture, design, standards and implementation, there is a role for consultants and contractors. The most successful security organizations let their internal resources set the strategy and lead the execution. External resources are then utilized for a short period of time to supplement and fill gaps as internal teams learn and mature. If you choose to go this route, be sure to include metrics-driven knowledge transfer as a key deliverable in the statement of work.
Things to Remember
Do:
- Create a cloud-focused team within your security organization.
- Make it clear from the outset that the team will eventually merge into the broader security team when organizational maturity meets your pre-defined metrics.
- Create a mission statement that clearly outlines what success looks like as well as key milestones.
Don't:
- Task existing team members with figuring out cloud security while still expecting them to continue with their regular day jobs.
- Let the cloud security group work in isolation from development, IT, finance, legal or compliance.
- Assume you have to hire someone new to lead the cloud team.
To connect directly with security thought leaders, Cloud Native Security Live, 2020 Virtual Summit is your opportunity to engage and interact with other developers, DevOps pros and IT leaders who all have so much at stake in container technologies and DevSecOps. Hosted by Palo Alto Networks in partnership with The New Stack, join us on Feb. 11, 2020, for a full day of discussions about cloud native security — brought to you live online wherever you may be.
Feature image via Pixabay.