The cloud acts a forcing function. It's evident in technology. You suggest it goes further.
Cloud culture extends beyond cloud technology. It becomes ingrained in the people, the tools and all the ways we think about and approach business challenges. It's hard for companies to embrace this at the level it needs to be adopted, which is why it's important to challenge outdated perceptions or notions in order to start that cerebral shift away from what we've always known, to what we now need to understand. This is a very different paradigm than most IT folks are used to, so companies need to work on building a culture around the cloud that embraces DevOps and thinks differently about its processes and people.
If you don't understand how and where your people interact with applications and data, than you're operating blindly. It's about more than just protection. Of course, protecting data is key to compliance and security, however without context about activities happening within and around the applications and the data, your security posture becomes the weak business link. Security isn't a smash and grab. Bad actors spend time within your environments, poking around. If you have the context to understand when a behavior is breaking the baseline of expected activities, you can leverage that context to immediately identify and eliminate that threat before they walk out with the crown jewels and create business nightmare.
You suggest that a security leader not only "start small," but to actively seek out and engage with a group externally. Where do they go?
Start anywhere. Start small. Start in non-mission critical apps and data because those are the ones that are easily available and less vulnerable to missteps. Start in the dev environment - not in production. You have a sandbox of servers established - start from there to gather insights and visibility and ramp from there. Be thoughtful and don't attempt to force fit point solutions not natively designed for the cloud. Get to know the solution first; understand how cloud-native differs from enterprise point solutions, because they are inherently different.
Also, find a company that is already steeped in the culture and ask them questions. At Threat Stack, some of our favorite clients are other security companies. We use the technology ourselves to monitor our own security and we love educating other companies about cloud security. It's also rewarding for us to see customers begin to gain that deeper level of insight and visibility that understanding context in the cloud provides. You would be amazed at what you find; both internal and external. Actions which potentially put your business at risk are constant. Knowing when it's happening is extremely powerful - you can't protect against what you can't see.
Sign up for CIO Asia eNewsletters.