October 18, 2016 By Kevin Beaver 2 min read

This is the third installment in a four-part series about CISOs. Be sure to read Part 1 and Part 2 for more information.

How do chief information security officers (CISOs) fit in at cloud service providers (CSPs)? Do CSPs need CISOs? What is the role of the CISO of a CSP? Is the CISO a true a security executive, or simply a manager of uptime and resiliency for the CSP’s network and application environments?

CSPs are unique in that they provide IT and security services across multiple industries. However, they may not fall under the umbrella of stringent security requirements — but you can bet that many of their customers do. It depends on the nature of the cloud business, of course, but most such providers store, process or otherwise handle sensitive information that needs to be protected. This could be personally identifiable information (PII) in the case of health care and financial services industries, intellectual property for manufacturers and government agencies, or even sensitive security data that makes up the information security infrastructure of any business.

Spotty Security in the Cloud

It would be easy to assume that most CSPs have security under control with everything buttoned up to the nth degree. Unfortunately, that’s not always the case.

Many of my clients in this space and the CSPs they deal with aren’t (or weren’t) on top of security as much as they should have been. Some just have an IT manager in charge of security among numerous other tasks. Most have someone in the chief technology officer (CTO) role, but this person is not necessarily a security specialist. Only the largest CSPs, it seems, have an actual CISO with a seat at the executive table.

Sadly, much of security in the cloud space revolves around SSAE-16 SOC audit reports. These reports are great for outlining the operational security posture of a data center. They say little, however, about basic technical vulnerabilities that are actually getting these businesses into trouble.

Vulnerabilities such as weak passwords, missing patches, SQL injection and the like are often overlooked without the proper testing and oversight. Odds are you’re not going to make headlines over some gaps in data backups, access control procedures or physical security, but you most certainly will attract negative attention if all aspects of an effective information security program, including the technical flaws mentioned above, are not properly managed.

The Role of the CISO of a CSP

This is where a full- or even part-time CISO could provide tremendous value. CSPs are often very lean in terms of resources — heavy in the areas of software development, customer support and sales, but not necessarily for information security. Given the complexities of the typical cloud environment, such as attack surfaces, software-related flaws and cross-border data protection requirements, not to mention the flood of security questionnaires that come in, I can’t imagine getting the job done without a leader dedicated to information security initiatives.

Maybe that leader is a CISO, or maybe it’s an information security manager with CISO-like responsibilities. Whoever it is, the role is absolutely essential to the health and security of the provider and its partners.

More from CISO

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today