Cybersecurity has been rapidly moving to the cloud, driving organizations to cloud-based solutions from third-party vendors instead of self-owned and maintained network security devices and software. One such cloud offering is Secure Access Service Edge (SASE), which is based on a combination of Software-Defined Wide Area Network (SD-WAN), Security Service Edge (SSE), and Zero Trust Network Access (ZTNA). This service offers scalability, flexibility, cost-efficiency, and innovation, and it enables organizations to support remote work, cloud migration, and digital transformation initiatives in ways non-cloud-delivered technologies cannot.
But these new technologies also bring organizations challenges and risks in complexity, compliance, and governance. SSE and ZTNA offerings (by design) do not give enterprises the control over versions and upgrades that they would normally have when managing their own network security appliances (e.g., firewalls). And SSE and ZTNA offerings are likely to have different (hopefully better) security standards and practices than an enterprise's in-house cybersecurity program.
As the CISO role evolves with these moves to the cloud, CyberRatings recommends that CISOs adapt by shifting priorities from operating security programs to overseeing (monitoring and auditing) outsourced security programs. This is where a rigorous certification can help. To that end, MEF and CyberRatings.org recently announced a partnership to launch a new SASE Certification Program to provide confidence to enterprises. Certifications will include SD-WAN, a Zero Trust Framework, and SSE (Threat Protection).
Adapting Organizations: Monitoring & Auditing Vs. Operating
While operating a security program means running the cybersecurity program on a day-to-day basis, including overseeing the security devices and software, auditing outsourced security programs requires checking the quality and effectiveness of the cloud-based solutions that provide network security services for the organization. To that end, we recommend that CISOs evaluate the skillsets of their employees and the culture of the cybersecurity program as priorities shift from operating to overseeing.
Do current employees have the right skills and mindset for their new roles and responsibilities? Can the right training and development opportunities help them move from an operations day-to-day role to a monitoring and oversight role? Are they able to check the quality and effectiveness of the cloud-based solutions that provide cybersecurity services for the organization? In which cases should new employees be hired?
Often, cybersecurity practitioners avoid audits of their work as they see them as intrusive, disruptive, or threatening. Now they will be the ones doing audits of third-party work (SSE, Managed Detection and Response (MDR), ZTNA providers, etc.). This requires a culture change that welcomes audits as a tool for oversight and an opportunity to improve security programs.
To make the transition as smooth as possible, CyberRatings recommends creating a clear career path and progression plan for employees, as well as clearly defined roles, responsibilities, expectations, goals, and outcomes of each position in the cybersecurity program and how they relate to the oversight function.
To create this culture change, CISOs may want to take some steps:
- Communicate the vision and goals of the cybersecurity program and how oversight and auditing support them.
- Encourage a mindset that welcomes feedback, seeks improvement, and values transparency and accountability.
- Foster collaboration and trust with their external partners by communicating regularly, sharing information and feedback, and resolving any conflicts promptly and constructively.
Recommendations for cybersecurity in the age of cloud
CyberRatings recommends that CISOs communicate the need to adapt to this change to all appropriate executives and directors (e.g., CEO, CIO, CFO, and the Board). CISOs should prioritize the time needed to develop a strategy and action plans for evolving their organization’s capabilities from operating/running security programs to overseeing/monitoring security programs that are run by others. Include compliance with regulatory requirements in your planning, and include the cost of monitoring and overseeing third-party vendors in your ROI calculations and budgets.
We also recommend CISOs develop a discrete program to identify the roles required to execute their cloud strategy and the skill sets needed for each role. And we recommend CISOs devise a plan to migrate the culture of their company’s cybersecurity program to one of operational oversight.
Vikram Phatak is CEO of CyberRatings.org and a MEF member.
(Editor’s note: This article is part of our regular series of articles from the industry experts at MEF.)