Public cloud adoption is now the norm, not the exception. In fact, Gartner research shows that 94% of organizations agree that the public cloud is a critical part of their digital business initiatives. While this trend toward cloud migration has many benefits, it has also created significant disruption to cybersecurity functions.
In almost every respect, all cybersecurity functions, including common domains and security function clusters, must be delivered in the cloud, but the current cybersecurity operating model and skillsets are primarily designed for on-premises environments, not for the cloud.
Cybersecurity leaders cannot ignore the inevitability of cloud adoption and the changes it brings. They must adapt their operating models – team structures, communication paths, skills, and more – to support a world where cloud is part of every business.
No dedicated cloud security team required
Effective cloud security, which supports the democratization of cloud usage without compromising security, requires adopting cloud-native skills and tools and partnering with business technologists. Gartner research shows that two-thirds of organizations have a dedicated cloud security team. Chief information security officers must determine the right approach for their organization based on the complexity of their environment and the need for a transformation in their security approach.
Incorporating cloud security capabilities into an existing security cluster can be effective if your security approach is aligned with a cloud-native approach. Organizations that start with on-prem controls and then incorporate these capabilities into an on-prem focused security cluster may struggle to transform their approach, resulting in less effective and more costly security.
The importance of codifying your cloud operating model through a CCOE
The cloud security organizational model should be tailored to the organization's specific cloud operating model. As more organizations move more business processes to the cloud, it will be important to ensure that their cloud security posture is supported by the right team and skill mix and fits into their cloud operating model.
A key element in orchestrating the cloud is the creation of a cloud center of excellence. The CCOE becomes a central point of consultation that helps to settle the confusion and establish governance, and eventually takes care of itself as knowledge is disseminated and absorbed into the distributed organization. Cloud governance is a key element in mitigating the risks of cloud adoption.
The CCOE is typically sponsored by executive leadership because its responsibilities go far beyond cloud governance. It is a consulting enterprise architecture function, typically staffed by cloud enterprise architects. The organization's Cloud Computing Council (CCAC) typically provides strategy and policy feedback to the CCOE. Security and Risk Management (SRM) typically has at least one representative on the CCAC, so it has formal authority to influence the CCOE. There should be a direct working relationship between the CCOE and the SRM team.
What to avoid when organizing for cloud security
There are many different approaches to organizing cloud security, all of which can be successful. However, there are some obvious strategies that impede cloud adoption and consistently lead to negative outcomes. Cybersecurity leaders should avoid the following approaches when organizing their teams:
- Cybersecurity teams aren't involved in cloud initiatives at all. Without a cybersecurity team involved in cloud adoption and operations, operational priorities and goals are set without sufficient (or any) consideration of security consequences. This leads to poorly or inadequately secured applications, which often lead to delayed commitments and problems. The cybersecurity team is then engaged in “catch-up mode.”
- Cybersecurity teams dictate everything without coordinating with business or operations. Equally bad is prioritizing security over operations, an approach that typically fails to take advantage of the elasticity of the cloud, slows innovation and operations, and overwhelms security teams trying to manage the environment.
- Lack of collaboration between security, cloud engineering, and the CCOE: Adopting a cloud provider requires collaboration within your organization's teams just as it requires shared responsibilities with the cloud service provider. This strategy leads to conflicts over reporting structures and team alignment. Established silos and structures that create conflicts over ownership impede good security decisions and deployment practices.
Cybersecurity leaders must raise awareness of and avoid falling prey to known organizational approaches that have failed to deliver effective security in cloud deployments. Closely align the cloud security approach with the cloud operating model and assign appropriate responsibilities based on this operating model.
Charlie Winkless
Gartner analysts provide additional analysis on cloud security at the Gartner Security & Risk Management Summit. The event will be held June 3-5 in National Harbor, Maryland.