CISO Survival Guide: How financial services organizations can more securely move to the cloud
David Stone
Solutions Consultant, Office of the CISO, Google Cloud
Anton Chuvakin
Security Advisor, Office of the CISO
It’s not just children and adults who face excitement and nervousness on the first day of school. The first day in the cloud can be daunting for financial services organizations, too.
Chief Information Security Officers must lead the cloud security component of their organization’s digital transformation, a complicated task beset by many questions that the members of our Google Cybersecurity Action Team can help answer. Because there is no “one size fits all” approach to cloud security, we want to help you move into the brave new world of digital transformation and build engaged, robust cybersecurity teams as you go.
We’ve worked with many financial services organizations in the middle of their transformations. Some want to revolutionize how their organizations achieve their cybersecurity goals. Others want to have minimal viable security controls for Day 1 launches. Each organization has its own operational and technological needs, its own funding sources, and its own risk appetites, all of which can fundamentally influence security strategy.
We’re here to offer our real-world knowledge and experiences from Google’s Office of the Cloud CISO to help you move boldly – and more securely – to the cloud. We do this as part of our commitment to operate in a shared fate model that helps our customers achieve the best possible security outcomes. We strongly believe that secure organizations make for a more secure world.
First come the questions, so many questions
Many times, we go into customer organizations as they are on the cusp of moving to the cloud and hear questions such as:
I’ve never done this before, what do I need to worry about first?
How do we make sure we don’t move our technical and cyber debt to the cloud?
What are the key threats that I need to pay attention to?
What on-premises baggage am I going to be left with?
How do I organize my team to best address the things that we need to focus on?
What becomes apparent from these conversations is that technology and security leaders use moving to the cloud as an opportunity to transform their businesses. This is an excellent plan. However, just because technical and cyber debt were not created intentionally does not mean that they can be wished away. It takes a concerted effort to reduce risk by building on solid fundamentals and leveraging the advantages of the cloud to pay down that debt.
These areas of concern and the strategies for addressing them can be categorized around your organization and its operations, technology, and people – and your CISO leadership.
Teach your organization to think cloud
Recently, security teams have been organizing around security compliance models such as the NIST Cybersecurity Framework. While such a framework provides a foundation for discussing security disciplines and general security posture, it doesn’t necessarily provide the best way to organize your security team for optimal impact.
In addition, most of these frameworks were developed before cloud was widely adopted in regulated industries. We now have more specialized knowledge and tools to more effectively serve specialized cases and verticals.
As use of the cloud becomes more prevalent, frameworks need to evolve and adapt to new threats and to a new operating environment with rapid business changes and agile IT. Fundamentally, digital transformation is about organizational change management. A key component of preparing for digital transformation is guiding the people in your organization to evolve beyond on-premises mindsets and adopt new ones.
In our discussion on how CISOs need to adapt their mental models for cloud security, we noted that security during and after a digital transformation should focus on how network and endpoint security, detection and response, data security, and identity and access management (IAM) function in the cloud — and how taking advantage of those differences can help you build a more resilient security posture.
The right questions can drive security changes
One key question to ask yourself when making strategic and tactical decisions is: Why am I implementing this security control?
Digital transformation provides an excellent opportunity to re-examine your team (because culture comes first in cloud transformation) and lead the way to changes that address your organization’s go-forward strategies when it comes to firewalls, antivirus software, applications, data protection, your overall security and risk postures, and your backup plans. Changing technical controls first rarely leads to success.
Your organization needs to have a clear vision and set objectives to determine how to most effectively achieve its security goals. Most of the time this means that CISOs and their teams have to reach outside their comfort zone and work with technology, business, and other partners to achieve success. If your organization goes down the path of “it’s always been done this way on-premises,” your cloud transformation is more apt to be inefficient and ultimately block the business from achieving agility and security.
At the September conference Measuring Cyber Risk in the Financial Services Sector hosted by MIT and the Federal Reserve Board, an audience member posed an important question to the panel: Why do cyber insurers ask if I have file integrity monitoring installed?
This kind of question from cyber insurers is indicative of the mindset that should evolve with the digital transformation process. We want to be open to new opportunities to rethink practices and architecture. File integrity monitoring in a vacuum means very little to the overall risk reduction of your organization: it tells you that a file changed, not whether the change mattered. Depending on their objective, cyber insurers could have asked a different set of questions, such as: How do you ensure that critical payment data is not altered in the transaction flow? And how do you ensure that software running in production is authorized and not altered?
Both questions could be answered with file integrity monitoring, but only as one control in service of a stated objective. Simply checking “yes” on a cyber insurer’s questionnaire provides little to no value. It’s a check-the-box exercise that doesn’t provide a measurable security benefit. Cloud provides the same opportunity to rethink standard controls, starting from the objective rather than the tool, and generate better security and business outcomes.
As you begin implementing security in the cloud, keep in mind what your organization’s ideal security posture should be and come to an agreement with stakeholders (including business and IT leaders) about how you can set and achieve your goals. The first steps offer an invaluable “pressure test” for your organization – and take comfort in the fact that very few CISOs get it right on the first try. That’s why you should be adaptable, be open to change, and work to minimize organizational strife as much as possible.
We will continue this discussion in the next blog focused on the realities of starting the operational transformation.
To learn more now, check out our podcast on CISO frustrations, successes, and lessons learned, our guidance report on cloud security transformations, and our white paper on building operational resilience in financial services. Review the Google Cybersecurity Action Team site for additional papers and other guidance.