Over the past few months, we have seen a marked increase in the number of CISOs and CIOs questioning whether their organizational strategies around cloud security are meeting their actual needs. The call to “bring economics into technical risks and operations” is creating a cottage industry of combined data analytics and data security organizations, capitalizing upon this shift.
In our experience, quantification is useful as a metric, but in practical terms, C-level confidence in security is tied to three things: visibility into security from an incident and event perspective, the ability of the security plan to meet regulatory requirements, and a sense that their teams and platforms are keeping pace with a rapidly changing (read: expanding) environment.
The first item, visibility, is perhaps the most important element of any strategic investment intended to reassure the board of the worthiness and efficacy of spending on security and compliance. As organizational complexity rises, especially when that increase comes by way of the introduction of cloud managed services such as Google Apps, Salesforce, Workday, etc., the security team's ability to stay on top of exposure via new vectors often declines. Traditional security models are typically driven by log file analysis, desktop control, and network-level hardware/software investment. However, the trend toward moving key pieces of sensitive data out of the data center and into cloud platforms (what we have been calling "data exfiltration," although here the movement is sanctioned by the business rather than by an attacker) brings with it a decreased level of access to exactly those data sources: the provider, not the customer, holds the endpoint, the network, and most of the logs.
A decline in visibility carries with it increased risk of data loss as well as regulatory risk. For over a decade, CIOs have been seen as the "keepers of corporate data," and over the past few years have increasingly been seen as the party responsible for ensuring compliance with a variety of data-related legal and contractual requirements: Sarbanes-Oxley, PCI-DSS, the EU Data Protection Directive, and so forth. Absent awareness of where and how sensitive data is being stored, shared, and used, CIOs know that their organization's ability to demonstrate compliance with these requirements is lacking. In other words, their security capabilities are falling short of the obligations that apply to them, even where the infrastructure changes that opened the gap were driven by legitimate business requirements. This tension is perhaps one of the most significant reasons why C-suite confidence in security planning has declined.
Overall, the pace of change is accelerating, not slowing. 67% of CIOs report having implemented so-called hybrid cloud models; not only is data, both sensitive and non-sensitive, propagating more widely and rapidly than ever before, but the capability of any single "point solution" to provide visibility, and thus compliance, across that spread is dropping.
Restoring confidence means solving the foundational problem of awareness. What we at CloudLock see changing over the coming months and years is the rise of cloud-specific security platforms and strategies, rather than the shoe-horning of on-premises security into an ecosystem that is increasingly divergent from the assumptions and environments that created it. Provider-locked solutions, compliance solutions that fail to account for multi-tenant cloud hybridization, and data loss prevention platforms that only cover yesterday's exposure vectors (e.g., email and messaging) without accounting for mobile devices, BYOD-style hardware access to corporate data, and third-party vendor access into the enterprise cloud will simply not scale quickly or widely enough to meet these CIOs' needs.