4. Culture and process change
Culture and process change may be the greatest and most pervasive challenge to organizations seeking to leverage cloud computing. The people, processes, and tools used to secure premise-based solutions cannot simply be transferred to the cloud. As just one significant example, at companies employing services from multiple cloud providers, technology management skills and solutions must be augmented with skills and solutions for managing multiple provider relationships.
Multiple vendors offer solutions intended to automate, orchestrate, standardize, and improve visibility into and protection of cloud- and premise-based resources and services. However, tools alone will not deliver an integrated, actionable view of an organization's security posture.
A security-centered culture, combined with effective planning and policies, will tame the most difficult security challenges, in the cloud and across the entire organization.
A strong start is to follow the recommendations of experts such as the Australian Signals Directorate (ASD) and the US Computer Emergency Readiness Team (CERT).
They agree that simple steps, such as timely, comprehensive patching of operating systems and applications, application whitelisting, and restriction of administrative privileges, can mitigate up to 85 percent of targeted cybersecurity threats.
The use of external clouds and CSPs offers users an opportunity to enhance their security profile, but it is not a given, especially since many providers are not transparent about their offerings and processes.
Small business owners and IT, audit, and risk executives should vet the CSP for threat performance and conformance to one's regulatory compliance and security minimums, include corporate and regulatory requirements in the contract, and validate compliance quarterly, at a minimum.
If one does not have the skills to do it internally, there are outside firms that one can use to provide the security services.
About the author
Mr. Braunstein serves as Chairman/CEO and Executive Director of Research at the Robert Frances Group (RFG). In addition to his corporate role, he helps his clients wrestle with a range of business, management, regulatory, and technology issues.
He has deep and broad experience in business strategy management, business process management, enterprise systems architecture, financing, mission-critical systems, project and portfolio management, procurement, risk management, sustainability, and vendor management. Cal also chaired a Business Operational Risk Council whose membership consisted of a number of top global financial institutions.