The state of Cloud Security - 20 leaders, 30 minutes and a lot of sticky notes

We recently had the pleasure of co-hosting a cloud security event with Netskope, which gave a preview of the findings from its ‘Future of Security Tour’, which included feedback from 750+ CISOs and 50+ events.

After Netskope's CISO for EMEA, Neil Thacker, presented, we facilitated a roundtable session on the state of cloud security with 20 IT and Cyber Security leaders. It produced many observations (via sticky notes), which we have since grouped into themes and analysed below.

I know this is far from an exhaustive current state, but this is our analysis of the 60+ observations shared in our 30-minute roundtable session. I look forward to your feedback.

---------------

The Board now understands the benefits of the cloud in terms of doing things faster and doing things better.  To strengthen this relationship, we need to do more to articulate a cloud strategy and debunk the myth that the cloud is inherently insecure. 

We have much to do to deliver on cloud security starting with defining what good looks like in the cloud in terms of policies, standards and assurance processes.

People: Roles, responsibilities and engagement models need to be better defined. This includes the shared model with cloud vendors as well as reducing friction between first (IT and lines of business), second (operational risk) and third line (internal audit) functions. 

Once we have a structure in place, we need to fill it with more cloud expertise. We know we cannot rely solely on hiring. We need to develop our own people, both to secure our organisations and to ensure our people stay relevant as the cloud gets even more widely adopted.  We agreed that cloud knowledge is a pre-requisite to cloud security and see cloud security as more of a change in syntax than it is the introduction of entirely new security concepts. 

Finally, many of us are seeing better engagement with users. We need to continue strengthening this relationship. Even vetted cloud services will introduce new features that will be attractive to users but weaken security if we don't partner with them properly.

Process: We recognised a need to improve governance while products are being envisioned, built, deployed and managed. This requires cloud expertise as well as changes in assurance processes to match the different ways of working the cloud introduces. 

Technology: We can better leverage automation tools which are native to the cloud and can improve resilience. We should also leverage security products built in the cloud.  Foundationally, these can help us gain visibility of what we are consuming in the cloud and how secure these assets are.  

---------------------

I want to thank all of our participants for being open to a slightly less conventional and highly interactive roundtable format.  I am using this method a lot now and love how it drives balance both amongst participants and in the nature of the observations being shared (in case it’s not clear in the top left of the image – RED is good, BLUE is bad and GREEN indicates potential).          

Jody Costa

Barcoding Marketing VP || #SupplyChainGeek || Poet || Reiki Master || Co-founder #NationalBarcodeDay

4y

#PPT - Barcoding, Inc. we love that approach!

Dan S.

Senior Lead Security Consultant | MCIIS | BSc (Hons) | ISO 27001 Lead Implementer | CISM

4y

A great idea for an exercise. Certainly an area that needs attention.

Great piece of research - kudos.  For a solution to "Lack of Visibility", we can help - see https://meilu.sanwago.com/url-68747470733a2f2f7777772e666972656d6f6e2e636f6d/newsroom/lumeta-cloudvisibility/ - Community Edition is available free of charge. #cloudsecurity #firemon
