How to Embrace a Cloud Security Challenge Mindset
CISOs responsible for tackling cloud security challenges need to rethink traditional security practices, protect apps and infrastructure they don’t control, and justify enterprise security investments. Trend Micro’s Bryan Webster told the AWS SecurityLIVE! audience it can all be done—by embracing ‘cloud values’ and leveraging the existing skills of cloud development teams.
Back in June, Trend Micro predicted enterprise security operations centres (SOCs) would be more or less fully responsible for cloud security by 2026. It’s definitely not that CISOs need more to do, but with public cloud services so central to enterprise IT—to the tune of $600 billion in spending by the end of this year—an enterprise-wide function is required to protect them.
Bryan Webster, Trend Micro’s VP of Product Management, explained why this poses challenges in a recent AWS SecurityLIVE! segment. To start with, cloud environments are dynamic, rolling out apps and spinning up infrastructure to drive agility and create value. New content, code, and features often emerge on a daily basis, if not multiple times a day.
Traditional enterprise cybersecurity doesn’t move that fast. It’s typically reactive, not proactive, and less directly connected to business outcomes. So how can CISOs manage risk and meet the security expectations of the business at ‘cloud speed’?
The keys are to adopt a cloud mindset, embrace the cloud ethos, and leverage any cloud expertise that’s immediately available.
Cloud security: From control to collaboration
One of the first things CISOs have to accept is that, in the cloud world, complete control is not an option. While it’s been years since enterprise networks were walled gardens, as long as infrastructure was physical there was some intrinsic security because deployment and configuration had to funnel through IT. That ‘forcing function’ kept infrastructure and security tightly coupled.
Now cloud teams and app developers create their own infrastructure on the fly. And they do it with one objective: to create value for the business and for customers, something no one wants security to get in the way of.
Since CISOs and SOCs are no longer the only gatekeepers, they need to find ways to work with cloud teams and app developers—to help them deliver value while protecting the enterprise. That requires a dedicated effort to build mature, sustainable, cooperative relationships with revenue-generating groups inside the organisation.
New tricks needed
Security and development teams specifically need to communicate and collaborate around mitigation and remediation because classic measures can risk doing more harm than good in the cloud security context.
Traditionally, if a server in a data centre was compromised, the IT security team could isolate it with confidence because they knew what would happen when they took the hardware offline. That’s not the case with public cloud containers or serverless functions. On their own, security teams can’t necessarily predict the impact of a particular mitigation step. The cloud folks need to weigh in.
Toward a proactive approach
As mentioned, classic enterprise security tends to be highly reactive. An alert goes off because a suspected threat is in the network and the SOC team works to find it, identify it, and respond accordingly. That’s starting to change with the adoption of attack surface management and attack surface risk management approaches, but it’s still early days.
In the software world, looking for early signals of what could go wrong, and making changes before it does, is more of an established practice. SOC teams have a lot to gain by building more of this kind of proactivity into their operating procedures. And the good news is it’s fairly easy to do in the cloud context because everything is an API call away and visibility isn’t so elusive.
A cooperative, proactive approach requires the SOC and cloud teams to discuss the risks that need to be mitigated, what can be deployed at speed, and how to respond when issues occur—driving the enablement of security functions into dev teams without expecting it to look like it used to in the IT world.
Where will cloud security skills come from?
Another stress CISOs face is the well-documented, worldwide shortage of cybersecurity skills. To date, they’ve leaned on managed services, lobbied vendors to come up with new security tools, and—more recently—looked to generative AI to help lower-skilled staff do more and higher-skilled professionals work faster on what really matters.
Now CISOs also have to find people with cloud security skills to augment their teams. And they themselves need a better understanding of cloud technology and how developers work—the ‘whys’ of the cloud reality. They don’t necessarily need to know how to create a container or EC2 instance, but they should appreciate how technologies enable speed and why teams choose the topologies they do.
Fortunately, even though the cloud field is also struggling with a talent crunch, most organisations have cloud personnel responsible for app and infrastructure security. SOC leaders can turn to them as high-value sources of knowledge, and as champions of cloud security at the enterprise level.
These champions can help translate why cloud security matters to the business and how it contributes to value delivery—resolving the tension between value centres and cost centres where security can feel like a tax.
As of yet, there’s no standardised way to quantify the business value of cybersecurity, though it’s clear that avoiding losses has a value. Some organisations, such as Omdia, are working on frameworks to define and calculate “return on security investment”, acknowledging that traditional ROI measures fall short because, “...the best result from investing in security technology, services, and controls, is that ‘nothing happens’... [which] hardly sets the CFO’s heart rate going....”
More businesses taking out cybersecurity insurance may help. For example, if a company can’t be insured without deploying an endpoint detection and response (EDR) solution, the business case for that particular cybersecurity solution, at least, gets more concrete.
Don’t ‘SOCify’ cloud security: cloudify the SOC
It will be years before the average enterprise security team is fully ‘cloud-competent’, especially because of how quickly that world keeps changing. Keeping up with new threats, tools and mitigation techniques, and with evolving cloud technologies, software, and development practices—and then operationalising all that knowledge—is a lot to ask of CISOs and enterprise SOCs.
This is why they need to rely on the available expertise of their enterprise cloud and app development teams. As the SOC takes on more cloud security responsibilities, it will be vitally important not to try to fit public cloud security into existing SOC processes and tools. The dynamic, proactive, value-generating nature of cloud is the way of the future, so SOCs should adopt all the cloud security processes and tools they can and adapt their existing approaches accordingly.