Is your digital transformation secure? How to tell if your team is on the right path
Solutions Consultant, Office of the CISO, Google Cloud
Security Solution Strategy, Google Cloud
In our Security Leaders Survival Guide, we answer the tough questions about how to weave security throughout your digital transformation
Digital transformations can be a difficult exercise, with concerns or requirements for data compatibility, sovereignty, resiliency, and of course security all playing a role.
To help make these connections and manage these risks, organizations will regularly engage Google Cloud’s Cybersecurity Action Team. In strongly regulated sectors such as financial services, transformation can be vital for establishing a resilient, secure organization, but also can be fraught with unexpected challenges.
We outlined in our previous blog several often-uncomfortable questions that CISOs and boardrooms should be asking of each other and their security teams. Today, we’ll tackle basic answers to some of those questions, and show how to help shift thinking to take advantage of cloud-first technologies — while also meeting security objectives.
Tough answers to hard questions
Start with the “why” of your business
Always tie your transformation’s security objectives back to business goals and rank them by how relevant they are to the organization. For example, if you are building a banking app, consider whether it has to have several enumerated, specific security controls because you have to be able to transfer money in order to process customers’ payments.
Keep it simple
Concentrate on straightforward, high-volume scenarios from the beginning, and ask frequent questions along the way. For example, determine how you will deploy code to the new cloud environment, and how you will grant access to users and the business.
Security objectives, not security requirements
How do you shift your security mindset from relying on old technology that wasn’t all that successful in the first place, to emphasizing how the organization can prevent malicious code from running in production.
Identify the right metrics
Decide how you’ll monitor your progress to gauge how well you’re doing. In a recent blog, Phil Venables, vice-president and chief information security officer for Google Cloud, discussed the need for a smaller number of fundamental security metrics that can drive bigger outcomes, and offers 10 metrics to consider focusing on.
Focus on observability with purpose
One of the key security steps that organizations can take when using the cloud is to monitor more information than has typically been available on-premises. From infrastructure telemetry to full-packet captures, these controls are almost always cost and operationally prohibitive for on-premises deployments. In the cloud, they deliver useful transparency to security processes, without the burden of hardware and storage systems to manage.
Maintain momentum, stay the course
Once the decision is made to move to the cloud, every faction of the business, including your security team, will suddenly clamor for all the benefits of the cloud — and want them yesterday. While it’s tempting to give your people what they want, to ensure a successful transformation you must stick to your priorities.
Part of the CISO’s job is to inform the business of the trade-offs between speed-to-market and planned, reasonable technology adoption. The challenge is to make sure that your technology choices align with your risk appetite. We’ve found that organizations that choose speed first without implementing controls for their risk appetite typically have to refactor their platform to meet the organizational goals. It is a false economy that ultimately results in losing time instead of achieving speed goals. We’ve found that the key to greater success is sustained velocity.
Make sure your technology choices align with your risk appetite. Organizations that choose speed first without implementing controls for their risk appetite typically have to refactor their platform to meet the organizational goals.
Automate whenever and wherever you can
GCAT recently worked with a large customer whose security team struggled to concentrate on addressing new problems because their time was spent manually deploying solutions. Once you have identified the most common operational use cases and stakeholders, look to automate as much as possible. Automation ensures consistency and reduces friction in the system. We recommend guiding your cloud engineering team to focus the majority of its time on automation and less than half on manual tasks.
Keep in mind that running any part of the operations process around building or maintaining a workload through a human review provides an excellent opportunity to automate. For example, if you build an automation pipeline that generates “approved Terraform,” but then relies on a developer to deploy it correctly, you’re missing out on the full benefit of the infrastructure-as-code pipeline afforded by the cloud.
When deployment steps are manual, you’ll also probably have to spend more remediation cycles to maintain whatever is being deployed, which in turn requires additional operational overhead. This may also mean additional controls have to be implemented around the people, process, and technology to ensure the risk is managed. It’s really a trade-off between upfront automation and remediation and control effectiveness. Relying on automation means that your developers can devote far less time to manual deployment processes, and can spend far more of their energy developing functionality. Automation also can help you redeploy an environment quickly for greater operational resiliency.
Connect and communicate with your partners
Remember to involve your partners early and often. Start with the business driver for the transformation and continuously work to pull in partners like operational risk and audit teams. They play a vital role, along with your business stakeholders, in ensuring security controls are operating effectively and their efficacy can be proven to internal and external partners, including your board and regulators.
Can you truly digitally transform if you don't incorporate security from the start?
Repeatability is optimal
We’ve learned that tightening your technology focus in the key areas of automation and observability sets you on a path for greater success in your transformation. Keep “rinsing and repeating” until you have effectively solved 80% to 90% of your workload requirements, then tackle the edge cases. You’ll want to continually re-evaluate whether what you’re doing is good enough and always look for other opportunities to redeploy your resources to make a business impact.
We also recommend carefully choosing your first workload to go to the cloud. Consider moving less sensitive workloads first, then using that to test your organization, operations, and technology products. When building a pipeline with automation, leverage the lessons you’ve learned from the first workload to have an easier time with the second, third, and fourth workloads — no matter the security requirements. By taking time to set the guardrails with the first workload, you can develop a repeatable model to use when implementing additional workloads. You’ve also laid a technology foundation built with a thoughtful approach that is often easily expandable and reusable.
Right people + right leadership = transformation success
Part of the enormous employment gap facing IT today is that there will never be enough people trained in legacy cybersecurity techniques to defend on-premises environments. Those who cling to outdated security practices put the organization at risk, increase the operational cost of cybersecurity, and ultimately can force the business to invest disproportionately in security, rather than help the business achieve its broader goals.
Cloud transformation is fundamentally about organizational change management. Your goal should be to position security as a business enabler — and use efficiencies to build better defenses, while helping the business produce innovative products.
For your security teams and the business as a whole to accept you as a leader, you must establish a strong, clear vision. Show them where they’re going and what their future role is. Most teams are willing to pick up new and marketable skills to help secure the organization, but they need to know why they should follow you.
For example, consider a vulnerability management specialist whose job is to manage people all day to fix and patch systems. If you deploy infrastructure-as-code and deploy secure, hardened workloads every week, this specialist can be trained to do a number of roles in the new, cloud-focused world, such as threat hunter, infrastructure-as-code engineer, or security data analyst/engineer.
The important thing is that your security teams get paid to do what they enjoy. The toil generated by a legacy security mindset can make you less secure and also isn’t enjoyable for anyone. Your organization can modernize your team’s security responsibilities and give them the opportunity to tackle today’s problems with the latest technology.
For more best practices from security leaders, check out:
Security Leaders Survival Guide: Vital questions to help guide transformation success
Security Leaders Survival Guide: How financial services organizations can more securely move to the cloud
Google Cloud Security Podcast: Cloud challenges for executive leaders: Frustrations, Successes, Lessons ...and Does the Risk Change?