Intelligent CISO Issue 40 | Page 68

decrypting myths
JVH: We have those building blocks and different public clouds that may look the same from the outside, but each of them works differently with its own unique advantages.
I think the CIO will be the broker here and assess which cloud will be best for a particular project. It depends on a number of different factors, whether it be costs, ease of operation within a specific cloud or whether the service and technology is better in one versus the other.
Done right, cloud can be an opportunity to improve security. Do you agree?
RF: I think it represents an opportunity to build in security from inception as organisations go through this massive disruption. While security has historically been on the back burner, this major transformation enables security to be seen as a first-class citizen.
That’s super important because our report highlighted that misconfiguration and other issues can be a very damaging risk. With the cloud, you use ‘tokens’ which we should think about as the keys to the kingdom. If a bad actor gets access to those tokens, they access your environment and then they can horizontally scan and see what’s around.
Ricardo Ferreira, Principal Cloud Security Architect, Fortinet
Bringing in security by design and making a shift to proactive security will be a major change and will bring about a new relationship between the CIO and CISO.
JVH: On the one hand, there is reduced risk and improved security because of some of the building blocks that are secure by default. But we shouldn’t think that everything is secure by default – there are still things that you need to investigate and processes you need to put in place. That’s sometimes forgotten. More and more customers have security top of mind, but we can still do better and need to continue to advocate for security to be built in early on.
What are the internal transitions that organisations need to go through in order to seize this opportunity and improve their security posture?
JVH: If customers or partners come to me and say they want to deploy a shiny new application or piece of technology, I always start by asking what the purpose of it is. Does it need to run 24/7, for example, and what are the criteria? You need to start with the people. This also applies to training.
First, people, then processes and technology will definitely follow.
68 www.intelligentciso.com