This is the third installment in a four-part series about CISOs. Be sure to read Part 1 and Part 2 for more information.
How do chief information security officers (CISOs) fit in at cloud service providers (CSPs)? Do CSPs need CISOs? What is the role of the CISO of a CSP? Is the CISO a true a security executive, or simply a manager of uptime and resiliency for the CSP’s network and application environments?
CSPs are unique in that they provide IT and security services across multiple industries. However, they may not fall under the umbrella of stringent security requirements — but you can bet that many of their customers do. It depends on the nature of the cloud business, of course, but most such providers store, process or otherwise handle sensitive information that needs to be protected. This could be personally identifiable information (PII) in the case of health care and financial services industries, intellectual property for manufacturers and government agencies, or even sensitive security data that makes up the information security infrastructure of any business.
Spotty Security in the Cloud
It would be easy to assume that most CSPs have security under control with everything buttoned up to the nth degree. Unfortunately, that’s not always the case.
Many of my clients in this space and the CSPs they deal with aren’t (or weren’t) on top of security as much as they should have been. Some just have an IT manager in charge of security among numerous other tasks. Most have someone in the chief technology officer (CTO) role, but this person is not necessarily a security specialist. Only the largest CSPs, it seems, have an actual CISO with a seat at the executive table.
Sadly, much of security in the cloud space revolves around SSAE-16 SOC audit reports. These reports are great for outlining the operational security posture of a data center. They say little, however, about basic technical vulnerabilities that are actually getting these businesses into trouble.
Vulnerabilities such as weak passwords, missing patches, SQL injection and the like are often overlooked without the proper testing and oversight. Odds are you’re not going to make headlines over some gaps in data backups, access control procedures or physical security, but you most certainly will attract negative attention if all aspects of an effective information security program, including the technical flaws mentioned above, are not properly managed.
The Role of the CISO of a CSP
This is where a full- or even part-time CISO could provide tremendous value. CSPs are often very lean in terms of resources — heavy in the areas of software development, customer support and sales, but not necessarily for information security. Given the complexities of the typical cloud environment, such as attack surfaces, software-related flaws and cross-border data protection requirements, not to mention the flood of security questionnaires that come in, I can’t imagine getting the job done without a leader dedicated to information security initiatives.
Maybe that leader is a CISO, or maybe it’s an information security manager with CISO-like responsibilities. Whoever it is, the role is absolutely essential to the health and security of the provider and its partners.