Language is important; words matter. Terminology may shape understanding, and affect the ways people approach not just abstract concepts or theoretical notions, but the way we end up living our lives. In the field of digital security this may be even more true, given the way that corporations, marketing executives and operational teams will all rush to coin a phrase or designate a threat or describe a technology.
Take the concept of the cloud: the word conjures images of something recognisable but nebulous, and the mental picture that appears in the mind of the person saying it is almost certainly going to differ from that conjured inside the head of the person listening. This is certainly the case when it comes to understanding the security implications of the cloud, as Sentinel One staff found out when hosting a spirited round-table RANT discussion with a high-level and diverse group of senior security leaders in Manchester.
“I remember cloud way back when, when we’d talk about it just being somebody else’s computer in somebody else’s data centre,” said John Pease, the company’s cloud strategic engineer for the Europe, Middle East and Asia region. “Now when you look at it, there’s service providers with amazing platforms that you can build stuff in – but how do you assess the risks with whatever you’re building in that environment?
“If we go back five years,” he continued, “people’s journeys to the cloud were all very strategic. There was a plan in place, in most cases. But then three years ago, suddenly we’ve got to work from home. What does work from home mean? It means working from anywhere on potentially any device at any time – and those attributes are probably the three things that cloud is really good at. So suddenly we were pushed into those journeys. And now we’re at the point where we’re talking about security.”
And we are also at the point – or so those gathered for the event would spend the next hour underlining – where the nebulous nature of the cloud concept is challenging pre-existing corporate cultures, operating concepts, risk-management protocols and compliance strategies. It also challenges every aspect of the modern business. Yet, participants seemed to agree, the questions raised when businesses move into cloud environments are usually the same questions the business should already be asking and answering.
Where Do You Draw The Line?
A question was raised early in the discussion about accountability and responsibility. Essentially, when operations are hosted in a third-party computing environment, how will the business know where to draw the lines over who owns data security? The issue may appear to arise in a new form in response to the newly outsourced nature of data storage, but the question itself should, one respondent argued, be one the business has already asked and answered.
“That goes back to any project,” they argued. “It’s the same principle for anything you do, any system. Security have a set of requirements and a minimum standard for any work that you’ve got to meet in your organization. You tell the cloud team what your requirements are for their cloud implementation, and there might be different implementations, different models. You tell them what the requirements are, you get them to build it, you test it, and you go back and you check they’re doing it. That’s the same principle as anything else. You tell them what you want, you check they’ve done it, and you keep on checking.”
“I’ve been banging the drum about this with security teams,” said Jonathan Mattey, head of cybersecurity at Sykes Cottages. “We need to understand this at the same level as the architects and the developers. You need to understand the entire data flow. If we’re not understanding that and we don’t understand the entire environment, then we’re behind the pace and we’re not going to be able to appropriately secure that environment or advise on it.”
There are other lines that cloud implementations demand be drawn, too. Often, security managers will be hired by companies not just because the firm wishes to bolster the experience of its leadership team, but because recent incidents imply the need for a change of approach. Yet an outsider being brought in to a company with its own established culture and security ideology may not find it easy to effect the change they have been hired to bring about.
“When you go into a place and you’re trying to take people on that journey with you, you’ve got to be the mechanical rabbit on the greyhound track,” Mattey said. “You’ve got to be whizzing around, but you’ve got to be sure the greyhounds are chasing you. If the greyhounds aren’t chasing you then you’re useless, but if the greyhounds are chasing you then you’re leading the charge.”
For leaders coming into companies where the existing systems have failed, the task of getting staff on side – of ensuring those greyhounds are going to want to chase that rabbit – may involve some straight talking at the outset.
“I just turned around and said, ‘Right: line in the sand. Yesterday you were allowed to make these decisions – from today, you can’t make them worse’,” one attendee recalled. “It’s like, you were making poor decisions today – don’t make the same poor decisions tomorrow. It’s not going to be perfect, but work with me and not against me, and we’ll be fine.”
“I agree, you’ve got to be firm,” another security manager said. “Especially if you’ve inherited somebody else’s pile of poo! You’ve got to make that clear and visible to people so that they know things were not done optimally in the past.”
Speaking Truth To Power
Whether it’s cloud or on-premises computing resources that have been found lacking in a security incident, often the ultimate fault lies not with technology or its implementation but in the failure of corporate leaders to inculcate an appropriate philosophy and mindset within the organisation. Inevitably, it will fall to security leaders to point this out to the board – a conversation nobody wants to have, but which everyone ought to be confident in starting, many attendees felt.
“Nobody likes to give bad news to the board – yet oftentimes it’s the CISO who’s the one left carrying the can of giving them the bad news,” said one attendee. “If the CISO is reporting to the CIO or the CTO, the bad news isn’t ever going to get there.”
This sparked a forthright exchange, with one senior staffer at a company in a regulated sector pointing out that there are legal requirements for public company boards to be informed of bad news from the security teams – with prison a possible consequence for executives who fail to report appropriately. The argument came back, though, that the existence of a legal requirement would not necessarily make it any easier for the lower-level security team member to flag up a failure to a senior manager.
“Then that’s poor leadership,” the regulated industry specialist replied. “You’re conflating security problems with poor leadership – and that’s going to happen wherever there’s poor leadership. Actually, I think, as senior leaders in the company, if we want to be taken seriously, part of our job is to shine a light on that bad behaviour. If senior leaders are not being transparent, that’s poor leadership. Transparency leads to more honesty, and better investment. If you’re in a company that is genuinely hiding some of these problems, why are you there?”
A Risky Business
Those conversations with the board need to not just be honest and pragmatic – they need to articulate the problems the security team are seeing in a way that will resonate with the company’s senior leadership. This will usually mean talking not just about risk, but attempting to give a reasonable estimate of its dimensions.
“As a security professional, risk quantification is one of the best things that you can do to get leverage from the board,” Mattey said. “Sitting down with the board and saying, ‘I think, based on my subject matter expertise, of the members of my team, the vulnerabilities that we’ve got, and the average cost of a data breach, there is a 10% chance of a cybersecurity incident that’s going to cost the business more than £10m over the course of the next 12 months’. That is the language that they understand and the language that will get them to respond.”
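The kind of estimate Mattey describes can be produced with a simple Monte Carlo loss-exceedance model. The following is an added example, not anything presented at the event; the Scenario ranges, the stand-in for a Poisson event count, and the function names are constructed assumptions.

```python
"""Monte Carlo loss-exceedance estimate of the kind quoted above:
"a P% chance of an incident costing more than £X over the next 12 months".
Added example; all ranges are constructed analyst estimates, not event figures."""
import random
from dataclasses import dataclass

@dataclass
class Scenario:
    """Three-point estimates for one threat scenario (assumed inputs)."""
    freq_min: float   # occurrences per year: minimum
    freq_mode: float  # most likely
    freq_max: float   # maximum
    loss_min: float   # cost of one occurrence in pounds: minimum
    loss_mode: float  # most likely
    loss_max: float   # maximum

def simulate_annual_losses(scenarios, years, seed=1):
    """Return one simulated total loss per simulated year."""
    rng = random.Random(seed)  # seeded so a re-run gives the same numbers
    totals = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            rate = rng.triangular(s.freq_min, s.freq_max, s.freq_mode)
            # Whole events plus a Bernoulli draw on the fractional part, so the
            # expected count equals the sampled rate (simple stand-in for Poisson).
            events = int(rate) + (1 if rng.random() < rate - int(rate) else 0)
            for _ in range(events):
                total += rng.triangular(s.loss_min, s.loss_max, s.loss_mode)
        totals.append(total)
    return totals

def exceedance_probability(losses, threshold):
    """Fraction of simulated years whose total loss exceeds the threshold."""
    if not losses:
        raise ValueError("no simulated years")
    return sum(1 for x in losses if x > threshold) / len(losses)

def board_statement(scenarios, threshold, years=20000):
    """Turn the simulation into the one-line estimate the board can act on."""
    p = exceedance_probability(simulate_annual_losses(scenarios, years), threshold)
    return p, f"{p:.0%} chance of losing more than £{threshold / 1e6:.0f}m in the next 12 months"

if __name__ == "__main__":
    # Constructed scenarios: a ransomware outage and a cloud storage misconfiguration leak.
    print(board_statement([Scenario(0.1, 0.3, 0.8, 2e6, 6e6, 25e6),
                           Scenario(0.2, 0.5, 1.5, 0.2e6, 1e6, 8e6)], 10e6)[1])
```

The three-point ranges are where the subject-matter expertise in the quote goes; the model only turns them into a probability the board can weigh against the cost of mitigation.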
Of course, many of these difficulties can be minimised, if not necessarily entirely mitigated, if adequate security is designed in from the start. This will not be an option for security leaders joining long-established, large, complicatedly structured businesses – but it has to be high on the agenda if and when such an organisation undertakes a comprehensive digital transformation programme; or, indeed, if a legacy business is mapping out a move to a cloud-based infrastructure.
“The key thing I’ll take away from this discussion is around building security in,” Pease said while summing up. “The cloud is very agile, and contractually, your risks change all the time. But if you build security in from the start, you’ve got that framework, and you know that at least it’s secure at that point.”