As part of the move to the cloud, everything in the enterprise is being transformed—from infrastructure all the way to modern application development. Nowhere is this change more important than in the role of the CISO.
At the Modern SOC Summit, Dave Frampton, VP Security Solutions at Sumo Logic, spoke with Yaron Levi, CISO at Dolby Labs, and Bill Shinn, Senior Principal, Office of CISO at Amazon Web Services (AWS), about the role of the CISO as part of an organization’s journey to cloud-native.
Key considerations for CISOs
To kick off the discussion, Dave asked what aspects of moving to the cloud are not well understood from the CISO perspective. Yaron offered up three points he feels are important for CISOs to remember:
First, many organizations still don't understand the shared responsibility model of being in the cloud. It’s often not clear in their minds who is responsible for what from a security standpoint and that can lead to security gaps in infrastructure and software. As he puts it, “If you read the terms and conditions for the cloud service providers, you may not be covered as much as you think you are.”
Second, he says, is the compliance aspect of the cloud. When it comes to attestations, you need to provide your own, separate from those of your cloud provider.
Finally, organizations that have been on-premises often assume that moving to the cloud is a basic “lift and shift” project, when in reality it is far more complex than that.
From Bill’s perspective, cloud-based security, with everything from elastic scale to infinite logging and analytics services, can offer a different and more cost-effective way of working. Running security on-premises is no longer the only way to get the job done. As he pointed out, one advantage of cloud-based security software and services is a shorter and more efficient acquisition cycle: you can run proof-of-concept tests and deploy faster using pay-as-you-go cloud services rather than investing in fixed infrastructure and long-term software contracts. “There are a lot of advantages to having that more dynamic environment,” he says, “including faster iteration and experimentation.” That said, Bill adds, “don’t forget that with these new technologies and frameworks, education and training is a huge part of the work.”
Changing the approach to security
Traditionally, CISOs protected and defended a single perimeter. When moving to the cloud, the perimeter has not disappeared, as Yaron points out. Instead, he says, it is actually multiplying and becoming more complex. Rather than a single data center with firewalls and a well-defined perimeter, the CISO is now dealing with cloud infrastructure, different platforms, services, and software—each with their own level of security.
The challenge for the CISO, then, is how to handle all that complexity while setting up and maintaining strong security. A related challenge is how to scale security to cover the additional control planes and complexity of a cloud-based enterprise. For Yaron, the answer is moving away from a centralized security organization. As he points out, “You no longer have a single data center and security operations must change to reflect that. In many cases, you can look at decentralizing security operations by pushing a lot of these responsibilities closer to where the work is actually done.” He adds a caution, though: moving completely to a decentralized, edge-based model has its own pitfalls, including gaps in security coverage that attackers can slip through. It is important to find the right balance between centralized and decentralized security operations based on your security needs.
Collaborating across the enterprise
With the availability of low-code and no-code solutions in the cloud, different teams in the enterprise can make their own decisions about what software to use, and that only adds to the challenges of the CISO role. As part of decentralizing the security operations work, the CISO is becoming an evangelist about security across the organization’s departments and regions, educating other teams, and getting their buy-in about the importance of security. Yaron borrowed a line from Spiderman to emphasize his point: “With great power comes great responsibility.” Working with teams to help them understand risks and vulnerabilities will become increasingly important work for the CISO as teams move to the cloud and make their own decisions about apps and security.
“Tune in” for the rest of the conversation...
Listen in as Yaron, Bill, and Dave continue their look at the changing role of the CISO, including:
Growing into the CISO role
Creating security in apps from the ground up
Building and retaining talent on security operations teams