The tug of war between infosec and the C-suite on cloud security
"When it comes to cloud visibility, CIOs and CISOs can either be the problem or the solution," said FireMon's Tim Woods.
Between the security organization and nontechnical business leaders, differing views of cloud security challenges can leave all concerns unresolved.
Companies are unintentionally deploying solutions that muddy and add complexity to cloud and on-premise environments. Challenges emerge for security practitioners, including an untrained workforce and tools that lack integration.
The roles are in a constant battle between deploying apps in a timely manner and making sure the apps are secure.
The roadblocks force companies to use manual processes and native security controls, according to FireMon's 2019 State of Hybrid Cloud Security survey of more than 400 security practitioners.
C-suite members, however, say the absence of a centralized view of information in tools and too many tool suites and management consoles pose the greatest challenges.
"When it comes to cloud visibility, CIOs and CISOs can either be the problem or the solution," Tim Woods, VP of technology alliances at FireMon, told CIO Dive in an email.
The roles are in a constant tug-of-war between deploying apps in a timely manner and making sure the apps are secure. The trade off between security and performance often makes the latter the winner. But reporting structures and the chain of command are changing.
"We're seeing may CISOs report directly to the CEO, which enables them to become peers with their CIO colleagues, rather than subordinates," said Woods. A cohesive partnership between C-suite officials allows for "security by design and default."
Still, about 60% of respondents say their company's deployment of cloud-based business services is outpacing their ability to secure them.
Where the troubles lie
Compliance, migration issues, cyberattacks and a lack of cloud expertise are the top inhibitors for moving to the public cloud, according to the survey. Insufficient visibility, training and control are the leading challenges for securing a public cloud environment.
"Think of it as a form of 'spell check' for app deployment in the cloud."
FireMon, VP of tech alliances
The cloud skills gap "epidemic" is reminiscent of the cybersecurity skills crisis, said Woods. The solution for companies unable to acquire the expertise they need is technology, such as tools that can monitor and manage cloud configurations.
"Think of it as a form of 'spell check' for app deployment in the cloud," he said.
Using manual and native tools are neither sustainable or cost-effective, said Woods. Instead, it's an "antiquated approach to security," which creates more risk.
Cloud data breaches are primarily due to human error connected to servers, storage or firewalls — deployments — in the cloud, according to Woods.
The majority of respondents, 59%, use two or more firewalls in their cloud environments, according to the survey. Of those firewall users, more than two-thirds use two or more public cloud platforms.
Automation will help eliminate the threat of human error while using technologies capable of DevOps integration and end-to-end visibility.
"IT security teams are no longer mired in rule writing and manual processes, next-gen technologies and processes can be leveraged without added risk, and security can finally move at the speed of business," said Woods.
Intent-based security helps reestablish a centralized security management and reconciles the siloed departmental and "best-effort" way of managing security. All lines of authority can address security while also dedicating equal attention to business intent, compliance intent and security intent, said Woods.
Follow Samantha Ann Schwartz on Twitter