
Leading through change: 5 steps for executives on the cloud transformation path

March 21, 2024
Marina Kaganovich

Executive Trust Lead, Office of the CISO, Google Cloud

David Stone

Solutions Consultant, Office of the CISO, Google Cloud



Getting cloud security right is a complex undertaking, likened to tuning the precision machinery used to engineer cutting-edge race cars. Taking steps such as safeguarding data and configuring your application security controls can add an extra edge to your organization’s competitiveness by enhancing its security posture.

At Google Cloud’s Office of the CISO, we often hear business leaders voice reluctance to host their sensitive applications in the cloud. Even once their initial migration security concerns are addressed, cloud security remains an ongoing area of focus, specifically how to scale and programmatically manage oversight of cloud service providers, securely deploy workloads, and navigate workforce constraints.

These challenges can be overcome, often by focusing on a combination of technical and operational processes, said Nick Godfrey, senior director, Google Cloud’s Office of the CISO, in a recent article.

“Cybersecurity can often seem like a reactive defensive scramble, hustling to respond to the latest zero-day vulnerability, treading water to stay above a churning sea of alerts, diving fast and deep into research, or madly dashing to keep business leaders and boards of directors apprised of security needs. However, proactive readiness is a key part of cybersecurity for an organization’s leaders,” he said.


We have discovered through our conversations with customers that successful organizations have made cybersecurity everyone’s responsibility. They have encouraged leaders across their organizations to build a collaborative environment and break down silos. Broadly speaking, we see leaders succeed when they take the following five steps.

1. Navigate organizational complexity

Despite frequently being viewed as an “IT initiative,” an organization’s cloud transformation is a more involved and intricate endeavor, requiring buy-in and engagement from across the organization. Successfully navigating and leading through such foundational change requires leaders to:

  • Define key roles, empower team members, identify opportunities for upskilling and cross-training, and guard against key person risk, while simultaneously building a supportive culture that encourages innovation and opportunities for growth;
  • Seek out opportunities for peer collaboration and rapport-building to create and promote a security-oriented culture, particularly with high-touchpoint teams such as product, data governance, risk, compliance and legal; and,
  • Ensure visibility and transparency into the organization’s cybersecurity initiatives and their impact on its risk posture to enable effective risk-based discussion by executives and the board of directors.

2. Play a key role in cloud governance

Leading through change is its own challenge and requires an in-depth understanding of your organization’s overall structure and key players. An effective cloud governance program is more than committee meetings, policies, and procedures. It’s about crafting a vision for your organization that melds cloud-based empowerment with its strategic direction, risk appetite, technology stack, and operations.

One way of looking at cybersecurity’s role is to create strong guardrails which can support sustainable and scalable innovation. CIOs, CTOs, CISOs and business leaders should closely partner to ensure that digital transformation initiatives are executed securely. Where possible, as we wrote in a column last year, security best practices should be integrated into new systems and workflows from the start.

It also takes a continued commitment to communicating (even over-communicating) key messages related to the evolving cybersecurity risks that your organization is likely to face. This helps drive the tone from the top and bring everyone along in cultivating a risk-mitigating mindset when it comes to security and data protection.


3. Upskill the team on cybersecurity

Helping your teams level up their cybersecurity skills is crucial, particularly in the current environment, where the shortage of skilled cybersecurity labor is exacerbated by an evolving threat landscape in which threats continue to grow on a global scale. Upskilling can enhance your team’s ability to identify and mitigate potential threats, empower employees by fostering a culture of shared responsibility and accountability, and contribute to professional development, which can enhance job satisfaction and support employee retention.

There are several ways for staff to upskill on cybersecurity:

  • Online courses and certifications can provide a foundation in cybersecurity concepts and best practices, and some offer hands-on labs and exercises to reinforce learning. (Here are some that Google Cloud provides, which can pave the way for obtaining professional certifications.)
  • Industry conferences enable opportunities to learn about the latest trends in cybersecurity and network with other professionals.
  • Reading up on cybersecurity can help you stay up-to-date on the latest threats and best practices. Podcasts are also a great source of information.

Ultimately, there’s no substitute for hands-on experience.

4. Securely deploy to the cloud

Securely deploying workloads to the cloud can help organizations safeguard data, maintain compliance, protect against cyber threats, and support business continuity. By adopting recommended security practices and using cloud-first security features, organizations stand a better chance of reaping cloud benefits while mitigating risks.

At times, customers approach security controls for cloud deployment by taking their existing control requirements, which were often based on on-premises implementations or on the assessment of third-party vendors more generally, and trying to apply them to the cloud. Mapping bespoke controls to the cloud can eat up precious development time, sometimes taking months.

Rather than trying to fit these controls to the cloud, we recommend using the controls that are already tailored to the cloud like NIST 800-53 or CSA CCM. These frameworks present an easier way to assess your controls posture to ensure comprehensive security coverage. Along with our best practices implementation guidance in cloud architecture and security foundation blueprints, we can help set you up for cloud success.

5. Evaluate and continuously oversee the cloud provider’s controls posture

Performing due diligence on your cloud provider is often a requirement, particularly for organizations in highly regulated industries like financial services. We encourage our customers to use a two-pronged review that evaluates cloud platform controls separately from application-specific controls. That way, you can make use of the assessment performed on the platform-wide baseline, and then evaluate individual app requirements on a per-app basis.

This approach can help cybersecurity teams focus their efforts on assessing the risks to the particular application being deployed, or the sensitivity of the data to be stored on the cloud, by reviewing only those controls that are relevant to the particular workload and as applicable to the relevant regulatory requirements.

When operating in the cloud, making use of cloud-first control capabilities can help support security operations and ongoing risk-management monitoring in a scalable, automated manner. Tools such as our Security Command Center can evaluate your security and data attack surface: they provide asset inventory and discovery, identify misconfigurations, vulnerabilities, and threats, and help you identify and remediate risks.

So what does it take to succeed?

Just like there’s no single best way to build a race car, a successful cloud transformation can often come down to how effectively your teams work together on identifying and implementing security controls for your cloud environment. Next week, we’ll share practical tips on how to strengthen enterprise governance.

For more guidance, take a look at our blogs on how to scale security, why CISOs need to adapt their mental models for cloud security and key questions to ask during a cloud migration.
