As cloud-first becomes more dominant in organizations looking to balance risk, cost and agility, the role of the CISO will change dramatically. The CISO and their team will have to evolve from policy and compliance (P&C) to a model of policy and enablement (P&E).
Many CISOs today run organizations focused on the identification of threats to organizational security and violations of corporate security policy. Activities can include application scanning, penetration testing, event monitoring and identification of vulnerabilities in homegrown applications.
As organizations move more applications to cloud platforms, the role of the CISO and staff will evolve to support the business units that are driving the migration and new application deployments. The CISO's support for the business units will come in the form of education and enablement that allow the business to be successful when using cloud resources. The CISO's role will become about engagement with lines of business to provide enablement and advisement. To effectively enable the organization, the CISO's role will be about establishing habits and education around securely managing the business, picking vendors and implementing new technology.
The key with this shift in focus will be for the CISO to be seen as an enabler and partner to the business.
The primary driver for most business organizations leveraging cloud resources is the ability to quickly deploy new capabilities to enable staff to be successful. The CISO can partner with the business with this goal in mind, realizing that security enablement can be done in parallel with deployment and can enable, rather than prevent, new capabilities from being deployed.
Even in this world of change, there are roles and responsibilities that will continue to be the primary focus of the CISO; these include definition and execution of incident response policies. Even as the role of the CISO changes in the cloud-first world and areas of focus evolve, the need for centralized incident response will not be eliminated in an organization. The CISO will continue to be the focal point for this responsibility.
As more and more organizations look to the cloud to enable rapid deployment of new capabilities and technologies for business users, the organizational dynamic around security will evolve as well. The CISO will lead this change by focusing on enablement and education across the organization, sharing best practices, policies and knowledge on how to securely leverage cloud resources. The CISO will continue to play a primary role in policy creation, incident response and incident management, while leveraging staff for new roles like education and partnering with business leaders on organizational priorities.