The continuous stream of security breaches that dominates business news cycles has caused executives and boards to take notice. Now they are acting.
As the security leader, are you even part of the conversation?
We like to think so, but two findings from a recent survey suggest not.
According to the Cloud Adoption, Practices and Priorities Survey Report from the Cloud Security Alliance (CSA), decisions concerning the security of data in the cloud have shifted from IT to the boardroom -- with 61% of companies indicating that executives are now involved in such decisions.
Executive involvement is a good thing.
The question, then, is whether the executives are including you in the process.
The report also revealed that 34% of respondents indicated that a lack of knowledge and experience on the part of IT and business managers was a main reason for slow adoption or a lack of adoption.
If your fellow leaders think you lack the knowledge and experience, are you really included in the conversation? Are you part of the decision-making process?
If cloud-based solutions are part of that plan, then we need to make sure we have -- and make available -- the experience and knowledge to help the business make better, more confident decisions.
At the pace they expect.
3 ways security leaders need to get in the conversation
I asked Jim Reavis, CEO of the Cloud Security Alliance, how security leaders can prepare themselves to be an active part of these conversations. He suggested the following:
- Enterprise consumers of cloud need to spend more time working together for consumer advocacy. The fastest growing base of cloud adoption is enterprise users. They are losing power if they are not working together.
- Security leaders need to very forcefully push back on overzealous regulation that did not anticipate the rise of cloud. They need to focus on the spirit of regulation.
- Show great involvement in industry standards bodies, like the CSA and other groups. The time is running out before standards get locked in.
In other words, we need to make the time to get involved in the industry, in our organizations, and in any pending legislation that threatens to create bigger problems down the road.
The key is making the investment in how we distill and communicate the issues. Business leaders looking to cut costs, gain advantage, or otherwise meet objectives by moving into the cloud look to overcome obstacles and objections.
This is a time for solutions.
It means clarifying priorities and being able to rapidly explain options, outcomes, and how to meet the variety of requirements from within the business and from customers while staying in compliance with regulations.
Other lessons from the report
Jim also explained the importance of the additional findings in the report.
“Many of the IT cloud applications that are considered rogue might actually perform important business functions and will represent the foundation of IT in the future. Having better insight into enterprise usage of cloud is fundamental in creating greater security posture with respect to cloud usage overall.”
That means adopting a different approach. These are applications and approaches our colleagues in the business need. Shutting them down and blocking them out is not a likely option.
Instead, Jim and CSA suggest considering the following:
- Implement egress monitoring capabilities (aside: this means actually incorporating it into your operations)
- Proactively find cloud-based substitute applications for any cloud applications that they have risk issues with. Removing them without a replacement will not solve the problem, just prolong it.
- Build a cloud security architecture that actually makes adopting cloud easier. One example is having a better federation strategy so that new cloud applications can be adopted without risk of credentials being exposed.
These suggestions set the stage for a more positive approach that helps the business advance while protecting assets and information.
This report signals a needed shift
It’s a brief but important read. While we continue to face challenges, I see the trend as an opportunity.
We have the chance to work on aligning our efforts with the priorities of the business. We can reveal options that help them meet their goals, while protecting information.
We know security is now an executive and board-level concern. Are they counting on you as a resource?