Public cloud adoption is now the rule instead of the exception. In fact, Gartner has found that 94% of organizations agree that public cloud is a crucial part of their digital business initiatives. Though this trend toward cloud migration has many benefits, it also presents a significant disruption to cybersecurity functions.
Almost every aspect of cybersecurity, including common domains and security capability clusters, must be delivered in the cloud. However, current cybersecurity operating models and skillsets are designed primarily for on-premises, not cloud.
Cybersecurity leaders cannot ignore the inevitability of cloud adoption and the changes it requires. They must adapt their operating models, including team structures, communications paths and skills, to support a world where cloud is a part of every business.
Effective cloud security requires both adopting cloud-native skills and tools as well as partnering with business technologists to support the democratized nature of cloud usage without compromising security. Gartner has found that two-thirds of organizations have a dedicated cloud security team. Chief information security officers should determine the right approach for their own organization based on both the complexity of their environment and the need for transformation of their security approach.
Embedding the cloud security function into existing security clusters is effective once the security approach has been aligned with a cloud-native approach. Organizations that start from on-premises controls and embed these functions into on-premises-focused security clusters struggle to transform their approach, ending up with less effective and potentially more expensive security as a result.
Organizational models for cloud security will need to be tailored to the organization’s particular cloud operating model. As more organizations shift more business processes to the cloud, it is important to ensure that their cloud security posture is being supported by the right combination of teams and skills, and that it is aligned to the cloud operating model.
A key element of organizing for cloud is the creation of a cloud center of excellence (CCOE). A CCOE provides a consultative central point that can corral chaos, help establish governance and eventually work itself out of a job as its knowledge is disseminated to and absorbed by the distributed organization. Cloud governance is a key element in reducing the risk of cloud adoption.
A CCOE is typically sponsored by executive leadership, since its responsibility extends well beyond cloud governance. It is typically staffed by cloud enterprise architects and operates as a consultative enterprise architecture function. The organization’s cloud computing council (CCAC) typically provides strategy and policy feedback to the CCOE. Security and risk management (SRM) typically has at least one representative on the CCAC, and therefore has some formal ability to influence the CCOE. There should also be a direct working relationship between the CCOE and the SRM team.
There is a wide range of approaches to organizing for cloud security that can be successful. However, there are some clear strategies that will inhibit cloud adoption and always result in poor outcomes. Cybersecurity leaders should avoid the following approaches when organizing their teams:
Cybersecurity leaders should increase their awareness of known organizational approaches that have failed to achieve effective security in cloud deployments, and avoid falling into the trap of operating within them. Align cloud security approaches closely with the cloud operating model, and assign appropriate responsibility based on this operating model.
Charlie Winckless is a VP analyst on Gartner’s Cloud Security team, focusing on the evolution of cloud and network security. Gartner analysts will provide additional analysis on cloud security at the Gartner Security & Risk Management Summit, taking place June 3-5 in National Harbor, Maryland.