Olivier Subramanian, Account Principal at Contino, considers whether the role of the CISO is evolving
As we race towards 2021, it’s vital that CISOs can ride the crest of the wave as IT embraces the latest innovations of Public Cloud and DevOps ways of working.
Why is there a disconnect?
Change often brings about a sense of fear and anxiety, and therefore a reluctance to shift to a new model or way of working. This sense of ‘being outside your comfort zone’ prevents individuals and organisations from executing real change and embracing the Public Cloud.
What happens when old world thinking and behaviours are applied to the new world?
We often see disappointing and frustrating outcomes! The CISO and the security function become a blocker instead of an enabler.
Traditional vs Cloud
Understanding the difference between the old and new world is a key ingredient when enabling change.
Security must be an Onion
The traditional approach to IT security was to ensure the edge was secure and that the doors and windows were closed, thus securing the perimeter. I call this the Egg model.
The changing threat landscape of public cloud is forcing the adoption of a strength and depth approach to security with controls on each component of the architecture. I call this layered approach the Onion model.
The Shift Left
The adoption of modern DevOps delivery techniques is helping to shift security to the left. This involves building security controls into the platform and application, performing automated security testing as part of the Continuous Integration process, and the introduction of continuous compliance assessment at build and run.
The rate of technology change
Given the scope and pace of change, it is unrealistic for an individual to remain completely up to date on all things cloud.
The modern CISO must become an enabler to ensure that the business achieves the agility and value of running its services in the Public Cloud.
The journey to Enabler
Trust the cloud
The starting point is to trust the cloud and the CSPs. As a CISO you need to validate the respective security and governance controls yourself to build trust.
Each CSP lists the standards and compliance they have achieved through audit reports and attestations. See: –
It is important to satisfy yourself that these independent audits provide sufficient information to meet your security and compliance requirements. Do this with the support of your CSP representative or a partner organisation that has experience in building solutions in highly regulated environments.
Analyse the Threat Landscape
When you move to the Public Cloud it is important to review the threat landscape and identify the threat actors. The primary actors to consider are:
- Bad Company System Admin – Company admin that has access inside your cloud environment and takes negative action
- Bad Company Tenant – This is where there is a malicious activity happening within your cloud tenancy that impacts others
- Bad CSP System Admin – A Cloud Service Provider admin that has access to the cloud fabric and takes negative action on customer services
- Bad CSP Employee – A Cloud Service Provider employee that takes negative action
- Naughty Neighbour (in the Cloud) – Another tenant in the Cloud taking action on other tenants
- Eavesdropper – Listening in to ingress/egress traffic collecting customer data
- Malicious external party – A party not associated with the customer or the CSP that seeks to access the Cloud
- Supply Chain attack – A party that takes action on the CSP upstream supply chain.
Identify Key Threats
The next stage is identifying the key threats to your Public Cloud environment across the supply chain.
Some examples could be:
- Unauthorised code – has someone introduced weak or malicious code?
- Data Breach – customer data is copied
- Customer Admins have “god” status and full control – this increases the blast radius of human error or malicious actions.
- CSP Admins have “god” status.
- The DevOps tool chain is not controlled – fully automated pipelines allow bad or malicious code to be deployed automatically.
Having built your knowledge, work with your senior engineers and CSP architects to identify all the mitigations that are needed to manage the threats identified.
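To make the "shift left" idea concrete alongside the key threats above, here is an added illustration of a small policy-as-code compliance check, written for this article and not taken from it or from Contino. It evaluates a constructed resource inventory against rules mapped to the threats listed above (unencrypted data, "god" status admins, an uncontrolled pipeline, exposed admin ports), fails the build when a blocking rule fires, and reports drift at run time. The resource shapes, rule names, admin port list and inventory are all assumptions, not any CSP's real API or data.

```python
# Added illustration (not from the article or from Contino): a policy-as-code
# compliance check in the "shift left" style, run at build (gate the pipeline)
# and at run (report drift). Resource shapes, rule names and the inventory are
# constructed assumptions, not any cloud provider's real API or data.
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Finding:
    resource: str   # name of the offending resource
    rule: str       # which policy rule fired
    threat: str     # key threat from the article that the rule mitigates
    detail: str     # human-readable explanation


# Ports that should never be reachable from the whole internet (assumption).
ADMIN_PORTS = {22, 3389}

# Constructed sample inventory: a simplified view of cloud resources, as a
# build-time scan of infrastructure-as-code or a run-time inventory might produce.
INVENTORY = [
    {"type": "disk", "name": "db-data-01", "encrypted": False},
    {"type": "disk", "name": "app-logs", "encrypted": True},
    {"type": "iam_policy", "name": "ops-admin",
     "statements": [{"effect": "Allow", "action": "*", "resource": "*"}]},
    {"type": "iam_policy", "name": "deploy-role",
     "statements": [{"effect": "Allow", "action": "compute:Deploy", "resource": "app/*"}]},
    {"type": "pipeline", "name": "prod-deploy", "requires_review": False, "security_scan": True},
    {"type": "pipeline", "name": "staging-deploy", "requires_review": True, "security_scan": False},
    {"type": "firewall_rule", "name": "ssh-open", "source": "0.0.0.0/0", "port": 22},
    {"type": "firewall_rule", "name": "https-open", "source": "0.0.0.0/0", "port": 443},
]


def check_disk_encryption(r: dict) -> Optional[str]:
    """Data Breach: every disk must be encrypted at rest."""
    if r["type"] == "disk" and not r.get("encrypted", False):
        return "disk is not encrypted at rest"
    return None


def check_god_status(r: dict) -> Optional[str]:
    """'god' status: no Allow statement may cover every action on every resource."""
    if r["type"] != "iam_policy":
        return None
    for s in r["statements"]:
        if s["effect"] == "Allow" and s["action"] == "*" and s["resource"] == "*":
            return "policy grants unrestricted action on all resources"
    return None


def check_pipeline_controls(r: dict) -> Optional[str]:
    """Uncontrolled tool chain: deployments need a review gate and a security scan."""
    if r["type"] != "pipeline":
        return None
    problems = []
    if not r.get("requires_review", False):
        problems.append("no review gate before deploy")
    if not r.get("security_scan", False):
        problems.append("no automated security scan stage")
    return "; ".join(problems) if problems else None


def check_admin_exposure(r: dict) -> Optional[str]:
    """Malicious external party: admin ports must not be open to the whole internet."""
    if (r["type"] == "firewall_rule" and r["source"] == "0.0.0.0/0"
            and r["port"] in ADMIN_PORTS):
        return f"admin port {r['port']} exposed to 0.0.0.0/0"
    return None


# (rule name, threat it mitigates, check function)
RULES: list[tuple[str, str, Callable[[dict], Optional[str]]]] = [
    ("disk-encryption", "Data Breach", check_disk_encryption),
    ("no-god-status", "Admins have god status", check_god_status),
    ("pipeline-controls", "DevOps tool chain is not controlled", check_pipeline_controls),
    ("admin-exposure", "Malicious external party", check_admin_exposure),
]


def evaluate(inventory: list[dict]) -> list[Finding]:
    """Run every rule over every resource and collect the findings."""
    findings = []
    for r in inventory:
        for rule, threat, check in RULES:
            detail = check(r)
            if detail:
                findings.append(Finding(r["name"], rule, threat, detail))
    return findings


def build_passes(findings: list[Finding], blocking: set[str]) -> bool:
    """Build-time gate: fail when any finding belongs to a blocking rule."""
    return not any(f.rule in blocking for f in findings)


def drift(previous: list[Finding], current: list[Finding]) -> set[tuple[str, str]]:
    """Run-time assessment: which (resource, rule) pairs are new since the last run?"""
    seen = {(f.resource, f.rule) for f in previous}
    return {(f.resource, f.rule) for f in current} - seen


if __name__ == "__main__":
    results = evaluate(INVENTORY)
    for f in results:
        print(f"[{f.rule}] {f.resource}: {f.detail} (threat: {f.threat})")
    print("build passes:", build_passes(results, {"no-god-status", "pipeline-controls"}))
```

The same rule set serves both halves of "continuous compliance at build and run": at build, `build_passes` turns the findings into a pipeline gate so uncontrolled or over-privileged changes never reach production; at run, `drift` compares the current inventory against the last assessment so that a newly opened admin port or a newly unencrypted disk surfaces as a fresh finding rather than disappearing into a static report.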
Enable the IT Security Community
This is where the modern CISO can make a massive difference to the business, by driving security to the heart of your organisation’s culture.
I recommend three steps to drive this culture change.
As a starting point I recommend that the IT Security teams should build their knowledge in the following key concepts:
- Software Defined Networking and Zero Trust Architecture
- Disk and network Encryption
- Key and Certificate management
- Cloud Network security devices
- Policy management
- Identity and Access Management
- Public and Private interfaces in the Public Cloud
Adopt the cross functional team concept by embedding empowered security personnel into engineering teams. They have delegated authority and knowledge to make relevant security decisions that are within the bounds of the project.
The final task on the journey is to educate the wider business community and be seen to champion IT Security and how it can empower the business.
There are a few options that can be used:
- Targeted workshops: knowledge sessions for different parts of the business such as high-level sessions for the C-suite and technical deep dives with engineering teams
- Training/L&D/education plans: make resources available for the development of security-focused learning paths
- Community of Practice: create a Security Community of Practice to boost shared knowledge and learning
As IT has embraced the latest innovations of Public Cloud and DevOps ways of working, is it time for your organisation to undergo a sea change as well?
The journey to becoming a Modern CISO is rooted in trust. Trust the cloud and CSPs and enable the IT Security teams and community to drive change.