For many businesses, it’s no longer a question of whether to move to the cloud, but rather how to deliver cloud solutions securely. Many IT leaders recognise they need to make security central to their organisations’ strategic business goals, but how?
At a recent executive dinner – co-hosted by IDC, Akamai and Rackspace – we were joined by IT and security leaders to unravel the security implications of multi cloud. In this blog, I’ll share the strongest themes of the evening and practical insights on tackling the complexities – or ‘grasping the nettle’ as it was described – such as achieving organisational alignment and understanding security across multiple clouds.
Forget ‘lift and shift’
The consensus is that traditional non-cloud security approaches won’t necessarily protect organisations using the cloud. If the Board argues, ‘We’ve always done security this way, so we always will,’ chances are that ‘way’ is outmoded.
And if you do end up ‘lifting and shifting’ procedures once workflows move to the cloud, expect gaps in coverage and an inability to operate securely. Those procedures struggle to deal with the agility and speed that cloud offers. Security must adapt and become equally flexible to shed the perception of being ‘a necessary evil,’ or ‘something we have to do’.
Many guests saw security as enabling business, not stopping progress. By taking away the risk to data and workflows moving across multiple cloud services, innovation is possible without taking chances on governance. This protects reputations and supports revenues in the long term. I sensed many delegates want the positive contribution security makes to the business to be recognised and embraced, which leads us to…
How to avoid business strategy and security strategy mismatches
An extension of the restrictive ‘lift and shift/we’ve always done it this way’ mentality some professionals are challenging is the ‘retrofit’ mindset. This is where security must be engineered into business strategy after it’s left the Board room.
Security is enhanced and solutions are more coherent when the CISO is plugged into the highest level of business strategy, from the outset. Some of the work here will be about analysing proposed strategies against the current security gaps, then developing bespoke solutions concurrently to support the business strategy.
When CISOs secure a seat at the strategy table, they need to be prepared to be more ‘business-orientated’ and take security ‘out of the corner.’ For some, that means giving more thought to how they’re going to reposition security as an enabler, not a blocker.
Security, not compliance, first
Leading with security makes you more compliant. Leading with compliance does not make you more secure.
This is something we heard at the event and that I strongly concur with. Some guests shared their concerns about businesses being wed to ‘compliance-first’ postures.
We would argue this is leaving these organisations vulnerable to attack. Conversely, shooting for a gold standard in data security as your top priority will have the natural consequence of generating compliance as a by-product.
Security-first moves beyond tick-box exercises and introduces a fresh mindset that’s prepared to develop cloud-centric solutions, capable of staying ahead of the latest threats across multiple clouds.
Secure the supply chain
Working with multiple cloud vendors and related third parties can complicate the picture on governance. It’s important to understand the shared responsibilities around keeping your data safe, as it flows across various services.
A gap analysis is valuable, as is an appreciation that securing the supply chain is about far more than switching on the native security features of cloud platforms. While these are often compelling, businesses need oversight of where those shared responsibilities begin and end along the supply chain.
Create a ‘single pane of glass’ on security
This ‘single pane of glass’ was something discussed by our dinner guests, many of whom saw the value of working in partnership with specialist security professionals. This can mitigate security fears whilst enabling higher standards of compliance and greater innovation. It may also provide a clearer view of the supply chain.
Learn from others’ cloud journeys
Finally, a quick word on avoiding some of the common pitfalls when migrating to multi cloud. Look at your competitors’ cloud enablements – see what you can find on what went well and not so well.
These lessons are likely to include avoiding vendor lock-in. This kind of thing is simply no longer necessary in the multi cloud world. There may be dissenting voices who go along with 3-5-year contracts because, ‘We’ve always done it that way,’ or prefer a single platform solution to avoid complexity. However, this complexity can be mitigated through the support of a specialist hosting partner. In addition, multi cloud can prove to be more secure, providing data is spread across multiple environments.
Read on to discover six key perspectives from IT leaders around security in multi cloud, in this blog by Danny O’Neill.