Since I announced via LinkedIn that I have moved roles and taken somewhat of a different path in my career, I have been sent many kind words of encouragement but also a number of questions about my motivations, the role and the organisation I have moved to. It’s not that I don’t enjoy the sound of my own voice but given that blogging is now a core part of my job (more on that later), I thought I’d kick-off with answers to these questions in my own way.
The move and my two cents on cloud…
Up until very recently, I had plied my trade as a security professional in ‘end-user’ organisations. If the ‘end-user’ colloquialism isn’t immediately obvious to you, you probably work in an end-user organisation. By this, I mean a non-vendor role: working for an organisation and being responsible for the protection of its information assets in some way, shape or form. I must have been doing something right because I have been fortunate enough to work for market-leading organisations across most industry sectors. I have also covered the InfoSec spectrum, working in roles from engineer, designer and architect through to manager and head of function. ‘Great Chris, a decent CV – so why the move at this stage of your career into the vendor world?’
I saw an opportunity to use my client-side experience in driving what the security solutions we use look like moving forward. I am very proud of my achievements to date, be those global Active Directory deployments in the early days through-to organisational security strategies and reference capability architectures but now was the time to immerse myself within a company which has Cyber Security as its core business.
I wanted to be part of an organisation which is designing solutions for the cloud-first, mobile workforce. As those who know me will attest, I firmly believe that cloud services allow organisations of all sizes to benefit from cost savings, increased flexibility and a significant reduction in capex-based expenditure. What’s not to like? Well, some will have you believe that cloud is bad – it’s insecure apparently.
Some people are of the opinion that this ‘cloud’ is an omni-present nemesis to those in the InfoSec community, a technological Lord Voldemort if you will (I am aware how sad I am); no wizards in Hogwarts dared utter his unmentionable name and our profession has historically adopted a similar stance for all things cloud. I have heard everything from ‘cloud is insecure’ to ‘we don’t have a problem with shadow IT and cloud applications’. The conversation is never this binary.
Of course there are insecure cloud configurations, there are platforms which are inherently inappropriate for critical business applications but these setups are not reserved for the world of cloud – they often exist behind the trusted firewalls of the organisational perimeter.
What is important is the deployment of security controls commensurate with the classification of the information being stored, transmitted or processed. Cloud reticence is understandable – we (I’m speaking broadly about the information security community here) have been indoctrinated into thinking that the only way to protect our data is to lock it down.
I would agree that the most effective route to total security is to remove access and ring-fence our data repositories but this approach is diametrically-opposite to the strategic direction our businesses are taking through big-data initiatives and always-on, ubiquitous mobile application access. We must strike a balance between protecting information assets and allowing our businesses to flourish through the weird, wonderful and innovative ways they can engage with customers and clients.
The way we do business has evolved. The tools we use to carry out our daily lives have changed dramatically over the 18 years I’ve been employed. I remember being a teenager and thinking my Philips Savvy mobile phone was the denouement in a quest for engineering perfection; it made phone calls and, with a day’s worth of perseverance, you could send an SMS! Fast-forward 18 years and making calls is almost an auxiliary function for these computers in our pockets. We use computers on the move and outside of the data centre. We need security solutions which support our business goals and can be applied on any device, in any location, on any network.
Organisations in all industry sectors are embracing cloud – regulators are on record as saying cloud can be securely adopted, and our end users are demanding a seamless, mobile experience in the workplace.
“… no fundamental reason why cloud services (including public cloud services) cannot be implemented, with appropriate consideration, in a manner that complies with our rules” – Financial Conduct Authority: Guidance Consultation 15/6
And to finish…
I’ll leave you with a sporting analogy which is clearly mandatory in any Information Security post:
If ten years ago I had stated that in 2016 Leicester City would win the Premier League, I would have been greeted with puzzled looks and laughter from all in polite society. The same incredulous views were the norm for all things ‘off-prem’ and cloud – it was an out-of-control ecosystem reserved for Shadow IT, to be eradicated where possible. Well, the football season is over and Leicester are champions (by ten points no less), and on the other side of my comparison recent cloud surveys suggest that cloud adoption in the enterprise is continuing to grow at a rapid rate and is here to stay. We have to embrace the move to cloud, but with the due diligence we would apply to any environment.
Lord Voldemort was ultimately rendered mortal and subsequently defeated (sorry for the spoiler) – similarly, I hope I can do my bit to defeat the legacy perceptions of secure cloud computing.
Thanks for reading