I had the pleasure of speaking with Greg Jensen, Sr Principal Director of Cloud Security at Oracle about his take on the current state of cloud security and the Oracle and KPMG Cloud Threat Report.
Throughout our conversation, Greg stresses that many cloud transformation projects outpace the security needed for them, which can negatively impact the workloads used in the cloud project itself. It is a problem that many organizations are dealing with and the number and sophistication of attacks is growing at a very rapid rate.
Why do you think cloud security is still challenging? Is it primarily the dramatic growth or the lack of maturity or is it something else?
Well, I think a lot of this, Mark, really goes back to the fact that we still continue to see many cloud transformation projects that are evolving faster than the security and the compliance programs that support it, making it challenging to adapt with it.
What I mean by that is, you and I both know we can just grab a credit card out of our wallet and log onto almost any enterprise cloud platform provider today, and we could have a service up and running with business-critical data uploaded in about 10 minutes. But then, realistically, how long will it take for my business, my company and for me to actually have tied it back into a DevSecOps process capable of monitoring a compliance program that our line of business is tied into? Also, how do I ensure my Chief Data Protection Officer and my Chief Privacy Officer are aware of it? It ends up taking three weeks to a month to make everyone involved in this program aware of it. Hey, let's just say it's two weeks, and that's called a pace gap. You know, we've got these challenges where we really can start uploading and running these workloads in the cloud far faster than the security and the risk programs are able to catch up to it. So, I think we're going to have this challenge for quite a while. We're going to have these for a long time to come, where our development configuration monitoring programs really lag behind the onboarding of these services, but I think the great part is there's more awareness about this problem now than ever before.
Do CISOs truly have a seat at the C-suite table yet? Or are we still seeing the disconnect that has been widely reported?
Yeah, you know, it really has two parts to it. I think first of all you're going to hear some interesting feedback on this when you talk to the CISOs and C-levels, you know. I think there are going to be some really strong theories out there. Many would say, “I'm having tremendous success.” I personally feel the CISOs are doing far better today than they were a year or so ago. They would likely say, in short, that they have that seat at the table. I think where they're making far better strides now is in the downward engagement into the line of business. My concern is, are they really getting the seat at the table in the line of business? That's where there have been these challenges in the past. When a line of business, let’s say your Finance team, is deciding, hey, let's grab that credit card and spend $30 on a Microsoft application that does a little processing of Finance figures to create a pretty chart and plugs into our ERP system, they say, well, no one's going to care that we did that. Well, actually a lot of people care about it, because it is sensitive data. This happens often, as people generally weren't engaging a CISO about the “small stuff”. They weren't engaging the security team. Well, nowadays what we're seeing in some of these large organizations in the finance sector, for example, a lot of the banks are doing this. We're seeing some key industries bringing in the role of the Business Information Security Officer (BISO). I've been to some recent security conferences where I've had BISOs in the room after I described this, and they've come up and talked to me about their role, which is really interesting. Some of these BISOs actually report into the line of business and some say they report into the CISO.
The BISO's functional role is to really bridge that conversation between the line of business and the CISOs themselves. So, this helps the BISO have that visibility into the goals and objectives of, let's say, that finance team or maybe it's the HR team, but it also helps that HR leader or the finance leader to really understand the importance of security without taking the eye off the ball. It helps them to have a better understanding of what the goals of the CISO are and really of what both teams are trying to accomplish collaboratively together. So, I really like that this BISO role is being instituted in a lot of these larger organizations, and I hope over the coming years we’ll see this on a more frequent basis. I don't see this becoming mainstream, like in every business where there's a CISO, but I do think in larger businesses you will see this on a more common basis.
Putting it All Together
In speaking with Greg, he emphasized the need for all of us to do better and to truly understand our roles and responsibilities in securing the cloud for organizations. Interestingly, he also pointed out the growing use of BISOs (Business Information Security Officers) in many larger organizations to ensure that security is incorporated more tightly with the lines of business and their goals that contribute to the organization’s overall success.
Interested in learning more? Read the remaining two blogs in our series as we continue our discussion with Greg. Next up, we’re talking about the Shared Security Model and the importance of visibility for cloud security.