Do It Right
Once the decision has been made to move to the cloud, data security may get left behind. After all, it’s difficult to enforce data security in the cloud:
- Tools must be scripted to vendor-specific cloud APIs.
- DevOps tends to bypass IT.
- Platforms and versions are heterogeneous.
- Centralized control environments such as Active Directory are less common.
However, by understanding what innovative enterprises have done to make IT a strategic asset, the chief information security officer (CISO) can turn challenges into opportunities. When treated as a roadblock, security expenditures are an opportunity cost, both in terms of IT budget and in terms of usability. When treated as an enabler, security expenditures allow employees to work more freely without putting the business at risk. That freedom speeds up business decision making, lets you deploy new capabilities faster, and increases profitability. So, for example, an enabling outlook would consider what services IT can provide to make DevOps more efficient.
For companies in regulated industries, compliance can impose overhead with no real improvement to data security. That overhead, if spent on meaningful defensive measures rather than on merely demonstrating regulatory compliance, could actually move the needle on data protection. Smart CISOs start with protecting the business in a meaningful way, then demonstrate compliance based on policy controls that serve the business, rather than trying to shoehorn risky data security practices into an external compliance regime.
It helps when IT security personnel can view the needs of the business from a few different perspectives:
- Profitability: How can IT security help employees work efficiently, both on premises and offsite, while still keeping bad guys off the network? Remember, it’s not enough to help; you also have to be able to demonstrate that you’re helping.
- Business Continuity and Disaster Recovery (BCDR): What are our procedures for responding to everything from disk corruption on a business-critical application server to complete loss of a datacenter?
- Public Relations: What lessons have we learned from Anthem, OPM, Sony, Target, U.S. Steel, etc., and how are we better prepared now so that we don’t become front page news?
Defend Your Case
With a credible data security plan implemented, consider the following:
- Compliance: How can we demonstrate compliance, both at the Board of Directors’ level and at the auditor level, with these measures in place? Policy enforcement plays a surprisingly important role here since, without enforcement, you don’t have the audit trail you need to prove ROI. By implementing some aggregated reporting based on the audit trail, plus documenting processes, you’re prepared to handle any audit. To learn more about this topic, check out Data Security Requires Policy Plus Enforcement.
- Trends: What is our position vis-à-vis long-term trends (Bring Your Own Device, Multi-Factor Authentication, DevOps, Agile, etc.)? The point isn’t that you’ve adopted any or all of those trends. Rather, the point is that you’ve considered them and can explain to a senior business decision maker where those trends belong on the roadmap, and why.
Enjoy the Ride
Whenever there is a lack of checks and balances in the operational environment, there is an opportunity for the CISO. The CISO has a variety of tools at her disposal, including stated business goals, software solutions and automation, internal policies and procedures, and industry guidelines and best practices. There’s a right, albeit always changing, mix of these tools for every business. It’s a worthy career challenge to lead the charge.