Wednesday, March 4, 2015

The CISO's evolving role in a cloud-first world

As cloud-first becomes more dominant in organizations looking to balance risk, cost and agility, the role of the CISO will change dramatically.  The CISO and their team will have to evolve from policy and compliance (P&C) to a model of policy and enablement (P&E).

Many CISOs have organizations today focused on the identification of threats to organizational security and violations of corporate security policy. Activities can include application scanning, penetration testing, event monitoring and identification of vulnerabilities in homegrown applications.

As organizations move more applications to cloud platforms, the role of the CISO and staff will evolve to support the business units that are driving the migration and new application deployments.  The CISO's support for the business units will come in the form of education and enablement that allow the business to be successful when using cloud resources.  The CISO's role will become one of engagement with lines of business to provide enablement and advice.  To effectively enable the organization, the CISO will focus on establishing habits and education around securely managing the business, picking vendors and implementing new technology.

The key to this shift in focus will be for the CISO to be seen as an enabler and partner to the business.  The primary driver for most business organizations leveraging cloud resources is the ability to quickly deploy new capabilities that enable staff to be successful.  The CISO can partner with the business with this goal in mind, recognizing that security enablement can be done in parallel with deployment and can enable, rather than prevent, new capabilities from being deployed.

Even in this world of change, there are roles and responsibilities that will continue to be the primary focus of the CISO; these include the definition and execution of incident response policies.  Even as the role of the CISO changes in the cloud-first world and areas of focus evolve, the need for centralized incident response will not be eliminated in an organization.  The CISO will continue to be the focal point for this responsibility.

As more and more organizations look to the cloud to enable rapid deployment of new capabilities and technologies for business users, the organizational dynamic around security will evolve as well.  The CISO will lead this change by focusing on enablement and education across the organization, sharing best practices, policies and knowledge on how to securely leverage cloud resources.  The CISO will continue to play a primary role in policy creation, incident response and incident management, while leveraging staff for new roles such as education and partnering with business leaders on organizational priorities.