When I meet with board members to discuss cloud security, I find that they typically fall into one of two groups.
The first, and smaller, group includes those who do not support moving company data to cloud platforms because of security concerns.
The second, and larger, group includes those who are concerned about cloud security, yet have already embraced the cloud, whether deliberately or inadvertently. They and their companies are using such platforms as Office 365, Salesforce and Amazon Web Services, which means they have decided that the cloud is somewhere to put data. They have already made the move to the cloud, but they didn’t necessarily consider the security risks in their decision to do so.
Regardless of which group your board falls into, it is essential for CISOs to get involved in the cloud conversation so that they can communicate to those at the highest level of the organization why security should not be an afterthought. To that end, here are the four things I suggest that CISOs stress to board members during these (somewhat awkward) conversations about cloud security.
1. The cloud is just another risk
It is much easier for board members to grasp the importance of cloud security when it is framed in terms of risk to the business. Board members make decisions about risks every day, and the cloud is just another one of those risks. In any cloud security discussion, board members should be asking themselves the same question they would ask in any risk conversation: How are we reducing the risk of material impact to the organization when deploying data to the cloud?
Each cloud application is a different set of data that each organization will need to assess differently. For example, if a company is storing public-facing marketing documents in the cloud, the risk of that materially affecting the business if the documents were to be leaked is not too high. On the other hand, if the company is storing the source code library of a new product in the cloud, the risk of material impact if that source code is leaked is much higher.
2. Native public cloud security is not enough
Boards should understand the basics of what the public cloud is and how it is secured. Almost every cloud provider has some form of native security built into its platform. Oftentimes, people assume that any type of security offered by these providers is sufficient, but that is far from the truth. Companies and public cloud providers share the responsibility in cloud security, where the security of the platform infrastructure is handled by the cloud provider, and the security of the data is the organization’s responsibility.
The reality is, data in the cloud is only as secure as data stored anywhere in the organization. Therefore, if you would put additional security measures in place to protect data that does not reside in the cloud, you should go to extra lengths to protect data that does. Additionally, your cloud security measures should be thoroughly integrated with the rest of your security architecture and communicate with it in a highly automated manner. This way, the organization stands a much greater chance of preventing a cyberattack from resulting in a successful data breach.
3. Cloud security is not a different type of security
Oftentimes, cloud security is thought of as a different “type” of security that requires a different approach. When I encounter this opinion, I always ask the same question: Wouldn’t it be ideal to manage the security of cloud services in the same way the company manages security behind the perimeter, in the data center and on mobile devices?
Not only is this possible, but if there is any hope of preventing successful cyberattacks – whether in the cloud, on the network or on endpoints – boards should be supportive of a consistent approach to managing security across the enterprise. CISOs know that the management and orchestration of multiple security approaches and products complicate security environments, leaving more room for error, risk and their associated costs. Highlighting those risks and potential costs is something the board can appreciate, understand and therefore prioritize correctly.
4. A prevention philosophy includes securing the cloud
The most progressive boards I meet with are embracing a prevention philosophy when it comes to cybersecurity. The foundation of this philosophy is having consistent visibility and protections across the enterprise, whether in the data center, behind the perimeter, on mobile or in the cloud. With help from their CISOs, these board members understand that, in order to stop bad things from happening, prevention should be the main goal and basis of any security investment decision. For CISOs looking to get their boards to think this way, it is essential to demonstrate how a holistic approach to security – including how the cloud is secured – can ultimately mitigate risk to the business and prevent successful cyberattacks.
This article is published as part of the IDG Contributor Network. Want to Join?