Intelligent CIO Europe Issue 44 | Page 26

TRENDING
Ricardo Ferreira, Principal Cloud Security Architect, Fortinet
Big Data and AI to predict things before they happen. This creates a predictive paradigm, instead of reactive. That's important because one thing that the CIO and wider team is concerned about is making sure that the organisation is also self-service.
This means they can actually use APIs to interact and have a shared single source of truth. So that generates a new API economy.
CIOs have been forced to adapt under pressure to innovate and improve agility while at the same time taking security into account. I think this will redefine the relationship between CIOs and CISOs because security is paramount and can also be brought in during this transformational event.
JVH: On the one hand, there is reduced risk and improved security because of some of the building blocks that are secure by default. But we shouldn't think that everything is secure by default – there are still things that you need to investigate and processes you need to put in place.
That’s sometimes forgotten. More and more customers have security top of mind, but we can still do better and need to continue to advocate for security to be built in early on.
What are the internal transitions that organisations need to go through in order to seize this opportunity and improve their security posture?
JVH: We have those building blocks and different public clouds that may look the same from the outside, but each of them works differently with its own unique advantages.
I think the CIO will be the broker here and assess which cloud will be best for a particular project. It depends on a number of different factors, whether it be costs, ease of operation within a specific cloud or whether the service and technology is better in one versus the other.
Done right, cloud can be an opportunity to improve security. Do you agree?
RF: I think it represents an opportunity to build in security from inception as organisations go through this massive disruption. While security has historically been on the back burner, this major transformation enables security to be seen as a first-class citizen.
That’s super important because our report highlighted that misconfiguration and other issues can be a very damaging risk. With the cloud, you use ‘tokens’ which we should think about as the keys to the kingdom.
If a bad actor gets access to those tokens, they access your environment and then they can horizontally scan and see what’s around.
Bringing in security by design and making a shift to proactive security will be a major change and will bring about a new relationship between the CIO and CISO.
JVH: If customers or partners come to me and say they want to deploy a shiny new application or piece of technology, I always start by asking what the purpose of it is. Does it need to run 24/7, for example, and what are the criteria? You need to start with the people. This also applies to training.
First, people, then processes and technology will definitely follow.
RF: I normally use this phrase from Peter Drucker: ‘Culture eats strategy for breakfast’. And that could not be truer. We can have the best strategy but if we don't have the culture and people to support that, it will all crumble to pieces.
The cloud security report indicates that the majority of organisations are actually using two or more cloud providers. Is that something that you see and what impact is it having on security?
RF: From my perspective, highly regulated industries have something called ‘risk concentration’ which essentially means that they shouldn’t put all their eggs in one basket. They actually need to use two or more cloud providers in order to share risk across them. That's something that I see very often with my customers.
JVH: What we see more and more is a multi-cloud approach where organisations pick and choose based on the unique capabilities of the different cloud providers. For example, if a company is using AWS to host their website and their business application and they're using Microsoft 365, they are already multicloud. They have two different attack surfaces that they need to defend against.
The question is, how do you get these clouds to talk to each other and then ensure visibility across all of them?