Whether clouds above your head ruin your day with a storm or offer you respite from a hot sun is often a matter of perspective. As organizations consider the role cloud plays in their solutions, whether this is a burden or opportunity is a matter of perspective.
I recently asked, “Do executives think you are relevant to cloud security decisions?” (link) as a response to the finding that 61% of companies see moving to the cloud as an executive and board-level strategic move.
With that much focus, it’s natural to assess if we’re part of the process. In many cases, the answer is no: 34% of organizations focused on moving to the cloud cite IT (including security) as the chief cause for the delay.
As a security leader, you have three basic choices:
- Lead the effort to a more secure cloud
- React to the decisions of others, likely with choices you wish were different
- Get left behind entirely
This series is called “Leading Security Change” for a reason: to share the mindset and actions necessary to exhibit leadership through change. To help, a panel of three security leaders with experience successfully navigating to the cloud with increased security shares their experience in writing (links here) and in a virtual panel discussion (July 21, 2pm Eastern -- register here).
Here are some considerations to frame this series and your own journey.
Cloud? What do you mean when you say “cloud?”
A recent picture making the rounds on the Internet points out that “cloud” is just a fancy term for someone else’s computer. Good for a laugh, it also sets the stage for a productive conversation about the opportunity at hand.
There is a time and place to explore the nuances and details of the various cloud-based offerings and solutions. For this program, the concept of cloud is simply the opportunity to offload processing, storage, and the like to “someone else’s computer.”
The key is to guide the process in a way that protects information while increasing value.
What problem are we trying to solve?
With a mind fueled by negativity and a necessary focus on exploring the downside of risk, it’s easy to consider anything cloud another threat. In that vein, the cloud is the problem. It becomes another item on a seemingly endless list of risks we have to address.
It turns out the cloud may actually be our opportunity to address the real problem: how we protect the information our organizations depend on.
Leading your organization to a secure cloud solution is an opportunity to enhance security. You might actually be able to get the controls you’ve longed for. Better, someone else takes over the basic responsibility, which affords you the time and energy to focus on higher-level and more valuable tasks.
The three key aspects to consider
That means leading the effort to include cloud (however you choose to define it) in your strategy has at least three key areas to consider:
- Selecting: informing and defining criteria to guide the business to solutions that benefit them while protecting information
- Protecting: once the decision for a specific solution is made, the process of understanding the environment and architecting the best way to keep information safe
- Operating: the process of measuring, evaluating, and adapting the controls, approach, or solution based on changing needs and available options
This is the opportunity for security to get involved early enough in the process that key considerations are included. The leadership opportunity is to incorporate security as a benefit to the business, and not an obstacle.
Guide the organization through a process that identifies and captures a way to consistently address each of the following:
- What problem are you trying to solve?
- How to scope
- How to assess
Ideally, protecting the data in the cloud is related to the selection process. Regardless of how well matched and complete the selection, the process of protection is based on what you can actually do. It requires an investment of time and partnership with the provider to explore at least the following areas in order to develop an appropriate approach (matched to your risk):
- Who’s doing what, and why?
- How is access controlled?
- How is the data protected?
Start with some basic questions:
- What can you do?
- What do they do?
- What is for their protection?
- What is for your protection?
- What can they do, even if it costs extra?
While selecting and protecting solutions is necessary, the bulk of our time is often spent on the consumption of the services. The leadership approach is to develop clear and documented processes to:
- Measure performance and risk (yes, performance)
- Evaluate the functioning of controls and protections, including when new options are available
- Periodically assess value and improve (the current solution as well as the entire selection and protection process)
Join the conversation to advance your leadership opportunity
As a roadmap for your journey and for this series, look for the insights and experiences of the panelists next week. Comments are welcomed below, on Twitter, over email, and during the live virtual panel discussion on Tuesday, July 21, at 2pm Eastern.
Use this program to guide how you lead your organization and accelerate the change.