We recently hosted a virtual roundtable in partnership with Check Point on 'Cybersecurity - Your Cloud Transformation Journey' which looked at the shift to Cloud and the way in which organisations are navigating this transformation.
The conversation was insightful and engaging with a variety of opinions and experiences around an organisation's Cloud transformation.
By way of introduction, our hosts and attendees looked at how they defined Cloud, emphasising that for the last 25 years or so, we have been building networks based on ethernet, whereas Cloud is an introduction of a software-defined model on which your networking and data sits, that isn't necessarily in any physical location.
Given the current situation (the COVID-19 pandemic), many organisations are accelerating their Cloud transformation journey to successfully accommodate a remote workforce. We're living and working in an era where we no longer have time to wait, which means that an inordinate number of Cloud deployments are running with shadow IT, forcing us to recognise that not all the data is visible in the way that we need it to be. As a result of this, we are in the process of building and updating practices, with no perfect answer, and a drive for more compliance. The key takeaways from the conversation appear below.
It is really important to remember that the move to Cloud isn't "an IT decision", it's a business decision.
It was recognised that it is important that organisations have a clear policy on Cloud computing before moving, with planned-out processes in place, as the move to Cloud brings with it a whole new category of risk that needs to be considered on a wider business level, not just on the level of IT and technology.
Many attendees agreed that there needed to be a business driver analysis for justifying and (more importantly) understanding why we need to move to Cloud, because if we lack visibility, we cannot properly assess or recognise where we are on this journey (which is A through to Z, not simply A to B) and how we move and progress based on this. In most cases, the main drive appeared to be the need to move from On-Premise, which required a modernisation in systems, technology and applications. For this to happen, the options varied from a one-by-one "lift and shift" approach to a more agile redevelopment of applications with a new framework and orchestration.
COVID-19 has accelerated most organisations' Cloud transformation.
Of course, COVID-19 and its drive to remote working encouraged an enormous acceleration in the move to Cloud. For those without, there was a rush to be able to cater to remote working, which led to a 'get it done' attitude that focused on just making it work and ensuring connectivity. It is key to recognise that everyone's Cloud journey is different and unique, and if you are still asking what Cloud you should use, then you are not on a Cloud journey at all, as you haven't fully understood or thought about what you need and why.
Although most organisations have experienced an acceleration in the Cloud journey as a result of COVID-19, that's not always the case. Some people already working in a Hybrid Cloud model did not have their Cloud journey sped up or changed by the swift move to remote working that COVID-19 created. By having the infrastructure already in place, you can improve the accessibility and connectivity of a team globally, without actually changing too much.
Often, the typical assumption for Cloud transformation maturity is that everything moves to Cloud, which is highly unlikely to be the case.
The main driver for moving on with your Cloud transformation isn't the technology itself, it's the organisation. Organisations need to make decisions on when and where they change to Cloud, or further their Cloud transformation journey, with their emerging business needs in mind. When you look at Cloud transformation, it isn't a strategy that should be taken into account aside from everything else. The move to remote working has created a need for certain software that can accommodate mass video calls that weren't as important before. All organisations, no matter what, expect more with less. Their ecosystems are increasing, so, therefore, is their data, but the budget is rarely increased to reflect this, so it becomes a matter of protecting our critical assets more efficiently as a starting point.
Often in an organisational environment, the issue isn't the technology itself but how it integrates with your organisation, and all the attendees agreed that this is where security problems are based or stem from. The attendees made a strong argument that in terms of transformation, all organisations are facing the same problem: before, security was about building walls around us and the business to keep it secure, but as the way we work changes and Cloud becomes more commonplace, these walls need to be opened up, which provides a new set of threats. We have to think further than our premises now, and consider an entire ecosystem to highlight all the potential threats.
The technology is there, but trust isn't.
Considering a move to Cloud isn't a question anymore (particularly during the time within which we are currently living, a global pandemic); the question is actually around how we make the move, which spurred the conversation onto the pressure to move and how this could pose a threat to security and compliance. As mentioned at the beginning of the conversation, the move to Cloud should be a group-led business decision which needs to include buy-in from senior leaders, as the risks it creates are different to the normal risk that the business and its leaders deal with and consider.
A lot of the time, organisations work on a reactionary process and cybersecurity should be included in their Cloud development from the beginning, not as a follow on. As it is such a big transformation, you have to be able to ensure there is no disruption when moving to Cloud from On-Premise, particularly from a security and compliance level, and you have to be ready for it if a disruption occurs. The best way to ensure you have full visibility of the security and compliance associated with Cloud transformation is by collaborating with the right partner and service provider who will help you ensure you have the correct infrastructure in place, and then support you in demonstrating that you have control of the cloud through the partner, to help you in the long-term.
People think there is a 'silver bullet' in Cyber Security that will protect them from everything, but in reality, we need to go back to basics on how we define security controls and train our people from here on how to keep our organisation and data secure. You need to build a strong foundation for your strategy, particularly when it comes to your Cloud journey, and the main issue is the same for everyone: there is a shortage of both skills and resources.
We have to rethink our resourcing model to match the shortage of skills.
It's not only a question of sheer headcount at this point; we also need to rethink our resourcing model to attract and retain the people that can fill our skills shortage. AI and automation are said to be able to come in and automate processes to free up our people to focus on other things; however, this isn't truly the case. More often than not, you are trying to mitigate the risk of one single person, whilst housing a team of external experts, which isn't the answer. We need to mix people's competencies and allow them to train each other and themselves, to then pass their knowledge on to the wider team.
There were many varying approaches for this but the general consensus was that the main challenge wasn't the attraction and retention of the right talent but the integration of new talent with the existing talent to create an interlocked structure of innovation and process.
When it comes to attraction, though, it goes further than the people: you have to be able to attract the right resources too. If not, you end up with the right people trying to fix problems with the wrong resources, which in the longer term will increase attrition.
Shared responsibility models don't really exist.
Cloud service providers often claim a 'shared responsibility model'; however, by this they mean that they take care of their part, and you take care of yours. This is split responsibility, not shared responsibility, as the word shared implies that the other party cares, which they don't. There needs to be a process which incorporates security by design, within which there is a blueprint which is linked to the control and defined and documented per service to ensure encryption at all levels. This creates a wider security problem for many organisations. One security initiative will not solve all your problems (and potential problems), and security needs to be recognised as a business accountability, not an IT accountability.
The practices are changing as circumstances are changing, which means that organisations need to change and update their security in real-time. The question isn't if an accident will happen. It's when. Organisations need processes in place that cover them further than their 'shared responsibility model'.
The discussion concluded with attendees agreeing that it is an interesting adventure to embark on, changing our landscape in a way that it hasn't changed in 20 years and bringing security into a more prominent position at the forefront of business decisions and changes, while machine learning and automation open a plethora of opportunities for us in the future.
Check Point Software Technologies Ltd. is a leading provider of cybersecurity solutions to governments and corporate enterprises globally. Its solutions protect customers from 5th generation cyber-attacks with an industry-leading catch rate of malware, ransomware and other types of attacks. Check Point offers its multilevel security architecture, Infinity Total Protection with Gen V advanced threat prevention, which defends enterprises’ cloud, network and mobile device held information. Check Point provides the most comprehensive and intuitive one point of control security management system. Check Point protects over 100,000 organizations of all sizes.