The Cloud and Cybersecurity

By Vibhav Agarwal, Senior Manager of Product Marketing, MetricStream

Tomorrow’s digital enterprise is at war today. War not only with external cybersecurity hackers and viruses, but also within the organization itself – a conclusion based on my discussions with information security managers and cloud architects around the world. While most executives understand the importance of a business driven, risk management-focused cybersecurity model, they do not address cybersecurity as an organizational issue, but more as a compliance or IT checklist issue.

As business models transform, becoming the leading and modern digital enterprises of the future, we see a shift in other areas as well. This is the age of the customer, and in a digital world, customer service or dis-service can be decided by one successful phishing attempt on an organization’s website. As recent events have proven, a successful cyber-attack has the ability to not only bring the organization down to its knees in minutes, but makes getting up quickly nearly impossible.

Furthermore, as business leaders lean more and more on the Cloud as a default choice for newer, faster systems of engagement with customers, new complexities come into the picture. Fast speed and customer centric front-end application characteristics like zero downtime, instant cross channel functionality deployment, and real time performance management make the cloud an ideal environment. But cloud and cybersecurity – how do we take care of that?

There are five key things that every IT Manager and Architect should think about as they aspire to be the CISO of tomorrow’s leading digital enterprise:

1. It’s a Business Problem: As custodians of sensitive customer information and business value delivery, the CISOs of tomorrow should understand the importance of keeping data safe and secure. CISOs should ensure that they are part of a core team looking at the organizational risk appetite, which includes aspects like loss of IP, customer information loss, business operation disruption, and more. The CISO should present the organizational cybersecurity risk in the context of business by correlating IT assets and their residual scores with their business importance. The trade-offs of newer cybersecurity investments versus the status quo need to be examined from a more strategic and organizational perspective, rather than mere annual investment or upgrade perspective.
2. The First C of an Effective Cloud Strategy Is Controls: The focus needs to be on controls, not on cost. If the CISO of tomorrow is not able to effectively implement controls with regards to data segregation, data security and infrastructure security, then the cost of keeping the data in the cloud can be prohibitive. Incorporating the right set of controls into your organization’s cloud deployments from the start and establishing a sustainable monitoring mechanism is key to ensuring that cloud investments have a positive trade-off from a total cost of ownership perspective.
3. Effective Governance and Reporting is Not an Afterthought: Keeping business stakeholders informed on IT policies and controls from the start, especially those critical to business operations and cybersecurity, is important. The CISO of tomorrow should put in place a granular governance and reporting mechanism to encapsulate not only the organizational IT assets and ecosystem, but also cloud deployments. This system should handle all risk and compliance reporting related-requirements and their correlation with the business operations in order to make sense to business heads.
4. Is the Business Continuity Plan in Place: Cyber attack planning and response is one of the biggest challenges for the CISO of tomorrow. With cloud-based infrastructure, the problem gets even more complicated. Having a clear incident response strategy and manual, a well-defined business impact analysis, and a mass notification and tracking mechanism are just some of the aspects that will be highly critical for ensuring that business disruptions are handled in a tightly coordinated manner. Again, having business context is important to achieve this.
5. Should we Consider Cyber-Insurance: Indemnification against cyber attacks and the resulting loss of reputation, data and revenue is going to become a trend fairly soon. The CISOs of tomorrow should monitor the need and requirements of getting cyber insurance proactively, and counsel business stakeholders appropriately. This will be an important hedging strategy to minimize possible financial losses from lawsuits, business disruptions and data losses.

Today, with ubiquitous Internet connectivity, cloud-based IT ecosystems and an ever-evolving cyber-engagement business model, cybersecurity is a growing social and business issue. The CISO and CIOs of tomorrow need to ensure sustained support and focus from top management if they want to succeed in their cyber-fortification efforts. They also need to enhance their horizons across the business context, financial aspects and wider strategic objectives to guarantee that the organization’s data security is evolving in line. If the digital enterprise of tomorrow wants to grow and innovate, the question is not “are we doing enough today”, but rather, “are we thinking enough about tomorrow?”