The pace and scale of cloud adoption in the past five years has been nothing short of breathtaking. By 2022, nearly six out of 10 businesses have migrated to the cloud, according to research by the software firm Flexera. Meanwhile three-quarters of firms already using cloud services plan to increase their expenditure over the next year.
It is critical that cloud security keeps pace with this rapid migration to protect corporate systems, intellectual property (IP), and sensitive data from fast-evolving threats.
Paramount and Aon CISOs shared their actionable insights on cloud security. Here are their key takeaways:
Paramount shows how to reap the benefits of secure cloud migration
Media giant Paramount is a prime example of a multinational company that has securely migrated to the cloud, transforming its entire “script-to-screen” product journey in just five years, the company’s CISO Pete Chronis shared.
From storyboarding and film editing to customer payment and content access, critical processes the full length of Paramount’s content lifecycle can now be carried out in the cloud.
“Companies like Paramount invest heavily on intellectual property – TV shows, movies and news programs,” says Chronis. “Our company and others like it need to protect that investment in intellectual property, protect the consumers who subscribe to our services, and protect our employees.”
His key takeaway was that firms like Paramount need to take a holistic approach to cloud security. To achieve this all-important holistic approach, Chronis says CISOs need to determine their baseline security posture, assess what assets are most critical and devise a plan to address those needs, while also being transparent about achievable objectives.
He says CISOs also need to build strong relationships and balance the needs of their stakeholders. This includes balancing the needs of senior executives, and their desire for lower risk with the operational realities on the ground.
Fast-track growth and avoid costly digital debt with a ‘paved road’ approach to cloud security
David Damato, CISO at financial services giant Aon, spoke about the benefits of adopting a so-called “paved road approach” to security. He says investing in a well-structured and well-thought-out cloud strategy, which moves in lockstep with DevOps, and expands with company growth, pays long-term dividends.
The paved-road approach involves creating secure repeatable patterns. These enable you to lay the road on which your developers can roll out their products at speed, using that secure, sustainable and scalable foundation.David DamatoCISO, Aon
Due to the fact that infrastructure teams, network teams and engineering teams – to name but a few – are involved in the transition to the cloud, this process should be conducted in a deliberate and orderly manner, rather than expecting the application team to assume the responsibility for everything, says Damato. Education is also incredibly important in this process.
“Often, organizations just open up the cloud to developers who haven’t necessarily worked in the cloud before and they start to incur tech debt because everyone starts to do things differently and in a non-repeatable and insecure fashion and you have to go back and fix it,” says Damato. “Laying that road first, and bringing people on that journey is incredibly important to building a secure model that is sustainable and scalable.”
Security and DevOps teams should join forces to reveal new commercial opportunities
Powerful strategic solutions present themselves when security and DevOps collaborate, Damato says. This is because teams can unify their insights and quickly reveal the bigger picture. He used the example of incident response to illustrate his point.
“When security and DevOps teams join forces, it’s possible to measure how much time, effort and resource is spent dealing with recurring incidents,” he observes. “You can then work together to analyze whether it makes more sense to respond to, and fix each incident individually, or whether it’s more economical to take preventative actions up front to stop the issue from happening in the first place.”
Shared platforms lead to better security insights
Ryan Kazanciyan, CISO at Wiz, says that larger organizations can obtain more reliable indicators of security maturity, across different teams and functions, when security and engineering share common platforms and datasets.
“Useful security metrics require consistent coverage and visibility across infrastructure, systems, and applications," says Kazanciyan. “With that coverage in place, leaders can more accurately compare risks across different products and services, discern why certain security issues might be externally found (such as through bug bounty programs) versus self-discovered, and evaluate where ‘shift left' efforts are most needed.”
View the full Wiz CloudSec360 series now for more industry-leading insights and analysis on secure migration to the cloud.