Adapting to the Cloud Era of Cybersecurity: How CISO’s Priorities Are Evolving

With the move to the cloud, CISOs must shift priorities from operating security programs to overseeing (monitoring and auditing) outsourced cybersecurity programs.


Cybersecurity has been rapidly moving to the cloud, driving organizations toward cloud-based solutions from third-party vendors instead of self-owned and self-maintained network security devices and software. One such cloud offering is Secure Access Service Edge (SASE), which combines Software-Defined Wide Area Network (SD-WAN), Security Service Edge (SSE), and Zero Trust Network Access (ZTNA). This service offers scalability, flexibility, cost-efficiency, and innovation, and it enables organizations to support remote work, cloud migration, and digital transformation initiatives in ways non-cloud-delivered technologies cannot.

But these new technologies also bring organizations new challenges and risks in complexity, compliance, and governance. SSE and ZTNA offerings (by design) do not give enterprises the control over versions and upgrades that they would normally have when managing their own network security appliances (e.g., firewalls). And SSE and ZTNA offerings are likely to have different (hopefully better) security standards and practices than an enterprise's in-house cybersecurity program.

As the CISO role evolves with these moves to the cloud, CyberRatings recommends that CISOs adapt by shifting priorities from operating security programs to overseeing (monitoring and auditing) outsourced security programs. This is where a rigorous certification can help. To that end, MEF and CyberRatings.org recently announced a partnership to launch a new SASE Certification Program to provide confidence to enterprises. Certifications will include SD-WAN, a Zero Trust Framework, and SSE (Threat Protection).

Adapting Organizations: Monitoring & Auditing Vs. Operating

While operating a security program means running the cybersecurity program on a day-to-day basis, including overseeing the security devices and software, auditing outsourced security programs requires checking the quality and effectiveness of the cloud-based solutions that provide network security services for the organization. To that end, we recommend that CISOs evaluate the skillsets of their employees and the culture of the cybersecurity program as priorities shift from operating to overseeing.

Do current employees have the right skills and mindset for their new roles and responsibilities? Can the right training and development opportunities help them move from an operations day-to-day role to a monitoring and oversight role? Are they able to check the quality and effectiveness of the cloud-based solutions that provide cybersecurity services for the organization? In which cases should new employees be hired?

Often, cybersecurity practitioners avoid audits of their work as they see them as intrusive, disruptive, or threatening. Now they will be the ones doing audits of third-party work (SSE, Managed Detection and Response (MDR), ZTNA providers, etc.). This requires a culture change that welcomes audits as a tool for oversight and an opportunity to improve security programs.

To make the transition as smooth as possible, CyberRatings recommends creating a clear career path and progression plan for employees, as well as clearly defined roles, responsibilities, expectations, goals, and outcomes of each position in the cybersecurity program and how they relate to the oversight function.

To create this culture change, CISOs may want to take some steps:

  • Communicate the vision and goals of the cybersecurity program and how oversight and auditing support them.

  • Encourage a mindset that welcomes feedback, seeks improvement, and values transparency and accountability.

  • Foster collaboration and trust with their external partners by communicating regularly – sharing information and feedback. Resolve any conflicts promptly and constructively.

Recommendations for cybersecurity in the age of cloud

CyberRatings recommends that CISOs communicate the need to adapt to this change to all appropriate executives and directors (e.g., CEO, CIO, CFO, and the Board). CISOs should prioritize the time needed to develop a strategy and action plans for evolving their organization’s capabilities from operating/running security programs to overseeing/monitoring security programs that are run by others. Include compliance with regulatory requirements in your planning, and include the cost of monitoring and overseeing third-party vendors in your ROI calculations and budgets.

We also recommend CISOs develop a discrete program to identify the roles required to execute their cloud strategy and the skill sets needed for each role. And we recommend CISOs devise a plan to migrate the culture of their company’s cybersecurity program to one of operational oversight.

Vikram Phatak is CEO of CyberRatings.org and a MEF member.

(Editor’s note: This article is part of our regular series of articles from the industry experts at MEF.)

About the Authors

Vikram Phatak, CEO, CyberRatings.org

Vikram Phatak is CEO of CyberRatings.org, which he founded in November 2020. As one of the industry’s foremost thought leaders and a veteran of testing cybersecurity products for over 20 years, he has extensive experience in cybersecurity technologies protecting networks, endpoints, and the cloud. Mr. Phatak founded NSS Labs, Inc. in 2007 and grew the company from a small test lab to a global leader in security product testing, becoming a go-to source for trusted, independent, fact-based guidance on security product efficacy. Previously, Mr. Phatak founded and led several Internet and cybersecurity companies, including Lucid Security and Intermedia Sciences Group, one of the first Internet service providers and security consulting firms in the U.S.

MEF

MEF is a global industry association of network, cloud, and technology providers working together to accelerate enterprise digital transformation through a better-together ecosystem. MEF delivers service standards, LSO frameworks and APIs, and training and certification programs for services, technologies, APIs, and professionals. The MEF 3.0 Framework enables automated delivery of standardized Carrier Ethernet, IP, Optical Transport, SD-WAN, SASE, and other digital services across multiple provider networks. For more information visit MEF.net and follow us on LinkedIn and Twitter.
