An organization’s chief information security officer may be the strategic leader of how cloud computing is deployed and managed securely throughout the organization. But the CISO’s entire team plays essential and critical roles in ensuring that cloud-centric workloads are secure and meet stringent requirements for compliance, governance and risk management.
CISOs and their teams must also act as missionaries, coaches and trusted colleagues with business stakeholders throughout the organization to ensure that security is everyone’s responsibility. Consider a recent quote from Ngozi Eze, CISO at Levi Strauss & Co.: “It’s … critical that we promote cybersecurity and defense as a team sport, not just for the information security team but for all employees at Levi Strauss.”
Creating a security-aware organizational culture, of course, does not rest only with the CISO. It starts with the CEO and the board of directors, and must filter down to every employee and business partner and even customers. Research conducted by KPMG and Oracle, in partnership with ESG, found that 53% of organizations are employing a business information security officer to help bridge the gap between the CISO and lines of business and to drive this culture of security.1
This is particularly important as all organizations not only accept cloud computing, but also actively embrace cloud computing as an essential business practice. This trend has gained strength in recent years but exploded in importance during the COVID-19 pandemic, when remote work became the norm and cloud became a lifeline between remote workers and centralized digital assets.
Best Practices for Today’s CISO in the Cloud Era
One of the most attractive—and most challenging, from a cybersecurity perspective—aspects of cloud computing is how easy it is for an employee to stand up a cloud service. It’s inexpensive, offers a familiar interface and easily scales as workloads demand. Not only that, but it travels with employees—all they need is a high-speed connection and a web browser.
However, this approach adds to complexity and risk, something CISOs fight hard to prevent. Forward-thinking, proactive CISOs need to understand what drives employees to use shadow IT cloud services and instead provide a sanctioned, secure and robust offering that the business can support.
Of course, it is inevitable that breaches will occur in cloud environments. Practices such as the shared responsibility model for cloud security help to mitigate the risk of data exposure by making clear which security responsibilities belong to the cloud provider and which belong to the subscriber.
Unfortunately, even when these details are made available to the subscriber, there is still tremendous misunderstanding: According to KPMG and Oracle’s research, 54% of organizations find the SaaS shared responsibility model to be confusing.2 This is one of the major contributors to gaps and inadequate levels of preparedness as organizations move to the cloud: While three quarters of organizations said the cloud provides a more secure location for their workloads, 92% of those customers also reported that they themselves are struggling with a cloud security readiness gap.
Successful CISOs also understand how critical it is to partner with cloud vendors that not only share the responsibility for securing business-critical data and services, but that also natively build security into their cloud stack to decrease risk and exposure to threats.
Mission of the Cloud-centric CISO
Research shows that the level of preparedness businesses have with regards to their cloud security programs is lacking. This paper explores the cloud security readiness gap as it relates to business executives and CISOs.
How Oracle Helps CISOs Secure Their Cloud Environments
As a leading provider of cloud platforms, Oracle has a unique position as both a leading technology apps and infrastructure supplier and as an experienced, accomplished cloud platform provider. For instance, Oracle’s Cloud Infrastructure (OCI) services—based on third-generation Intel® Xeon® processors—and its market-leading databases and applications are at the heart of numerous innovative enterprise solutions.
OCI is designed with a security-first architecture and operational processes to secure its enterprise cloud services, combining advanced cloud security technology with operational practices built to protect those services. Oracle’s methodical approach to mitigating the risks of data compromise, fraud and emerging threats, while helping customers work toward their regulatory compliance goals, is central to the OCI platform and services.
For more information on how CISOs can provide effective cybersecurity leadership in a cloud-centric organization, please click here.
1 “Mission of the Cloud-centric CISO,” Oracle and KPMG Cloud Threat Report series, 2021
2 Ibid.