Who owns cloud security?
Given what’s at stake, it’s no surprise that 62 percent of respondents expressed a desire for their security operations centers (SOCs) to control network traffic and data to ensure adequate protection in a cloud environment. Half of them would settle for awareness of network traffic and data.
Gaining control or even full visibility might be a challenge for many organizations due to the structure of the groups that manage the cloud environment. While security operations are responsible for cloud security at 69 percent of the respondents’ organizations, cloud operations (54 percent) or network operations are also involved. This has resulted in confusion over who is taking the lead for cloud security and how teams should collaborate. In fact, 48 percent of respondents said that lack of collaboration among teams is the biggest roadblock to identifying and reporting a breach.
“Often, companies split responsibilities among the network, security and cloud,” says Clavel. “Each has distinct budgets, distinct ownership, and even distinct tools to manage these areas. Gaining visibility into the cloud to secure it requires breaking down the communication walls among these three organizations. The same security tools that are deployed on-premise will be able to also secure the cloud – so cloud and security teams need to communicate.”
What type of person should take point on the organization’s cloud security? It will need to be someone or a team with the right skills and ability to commit long term. “Find the person or the team able to move toward the new cloud security paradigms fastest, and allow them to build your security strategy for the next three to five years,” says Govshteyn.
“In the last few years, this tends to be the IT operations team or an enterprise security team, but there is always an architect-level individual contributor or dedicated cloud security team at the core of this effort. This new breed of security professional can write code, spend more than 80 percent of their time automating their jobs, and view the development teams as their peers, rather than adversaries,” says Govshteyn, adding that at technology companies security is sometimes a function of the engineering team.
Although boards of directors are taking great interest in security these days, they won’t help at the ground level. “In reality, much of the critical decision making when it comes to cloud security today comes from technologists able to keep up with the rapid pace of change in public cloud,” he says.
Further complicating the task of securing the cloud for more than half (53 percent) of the respondents is the fact that their organizations have not implemented a cloud strategy or framework. While nearly all those organizations plan to do so in the future, it’s not clear who is leading that initiative.