Deutsche Börse’s cloud transformation: 10 key considerations for a security runbook
Vesselin Tzvetkov
Principal Security Engineer, Google Cloud
Julian Wiegmann
Cloud Security Architect, Deutsche Börse Group
Deutsche Börse Group shares key lessons from their new security runbook
Digital transformation and the large migration of data and processes to the cloud requires a security transformation to enhance security, compliance, and risk management. While the challenges facing a transformation can be significant, overcoming those challenges can be used to develop a more mature security, compliance, and risk management approach.
One company that’s seen success in the maturation of its security and risk approach is Deutsche Börse Group, an international exchange organization and innovative market infrastructure provider. Based in Frankfurt, the company covers the entire financial market transaction process chain. The Group has seen great success on their journey — but it required equal measures of patience and planning.
Deutsche Börse developed a long-term security transformation plan, a vital step considering that hundreds of its critical applications, many with significant volume, would be using Google Cloud services in the following years.
The Group developed its plan, also known as a security runbook, before it began any technical work. A runbook is less of a recipe for a single dish, and more of a holistic approach to creating a unified security menu that considers multiple inputs, high-level concerns, and overall goals. It’s like a prix-fixe menu that security departments and related stakeholders agree to follow in order to define the best approaches.
This narrative approach is critical because many organizations rush into technical work and forget about the fundamentals, which can lead to unsatisfactory long-term results, such as a migration that completes without a successful security transformation. Operating in the cloud as if it were the same as on-premises systems, without questioning whether there is a more strategic approach, is detrimental to security.
Here are the top 10 considerations from Deutsche Börse Group’s transformation journey that are now part of the organization’s security runbook:
- Vision and strategy: Define your transformation strategy. Google Cloud’s survival guide can help security and business leaders ask important questions that can lead to transformation success.
- Cultural and security principles: Identify leading principles when making decisions. A few examples of these include secure by default, a shift-left approach, and security as enabler rather than a blocker.
- Fundamental strategic decisions: Make fundamental decisions that have great impact on the architecture. Some of these decisions include choosing a governance framework; determining your overall threat model; and aligning with a data security strategy.
- Cloud security operating model: Decide how your organization will operate the new cloud-based security services, and who will be accountable and responsible for each service.
- Service catalog and capabilities: Emphasize the services and capabilities of your security teams, instead of your security tools. Security teams can be assigned focus areas such as threat detection, security consultation, and pen-testing. Center the customer and define outcome-based services from the customer's perspective.
- Success criteria and metrics: Assign clear metrics and goals for security teams. Use SMART security goals: Simple, Measurable, Achievable, Relevant, and Time-bound. Structure metrics with a simple pattern, like coverage, risks, velocity, business value, or user experience.
- Security workstream organization and governance: Plan for multiple security workstreams early in areas such as engineering and architecture, security operation, and governance.
- Rollout phases: Set clear objectives for the primary rollout phases: The tactical phase should focus on minimal changes to existing governance and tools to achieve easy wins and enable a secure migration; the strategic phase moves into the realm of cloud governance, workflow, and processes; and the transformational phase emphasizes achieving a consistent, automated, and unified approach for all applications (including multicloud concerns).
- High-level roadmap: Create a long-term security roadmap synchronized with your overall transformation program. Aim to map out the next two years to core capabilities to encourage better planning.
- Cross-functional core security team: Set up cross-functional cloud security teams. Large security organizations have teams with specific areas of focus, aka domains. For cloud security, a cross-functional core team can be more effective at avoiding silos, participating in inter-domain work, and reducing the need for lengthy synchronization and administrative efforts known as toil.
Deutsche Börse Group’s robust plan for a successful security transformation spanned several years to support migrating hundreds of applications to Google Cloud. These are our top 10 key lessons for large financial services institutions on a similar journey. You can learn more in the CISO’s Guide to Cloud Security Transformation.