The Inner Circle

Key C-Level Challenges in Cloud

  • 1.  Key C-Level Challenges in Cloud

    Posted Oct 22, 2020 12:44:00 PM
    This is a teaser for what I believe will be a new CSA working group to focus on C-Level challenges; I appreciate your thoughts as always. We recently engaged with a newly retired CISO to get better insights into C-Level pain points and how we can help. The person in question came up with an initial list of Key C-Level Challenges in Cloud:

    • Explaining Cloud Strategy to the Board of Directors
    • Reducing IT Footprint and Drive Efficiencies Moving to the Cloud
    • Managing Risk from 3rd Party Cloud Providers
    • Developing a Secure, Enterprise Cloud Operating Model
    • Cultivating Skills to Support Cloud Environments
    • Impact of Digital Transformation on Security Strategy
    • Top 5 Critical Security Considerations for Cloud Migration
    • Top Cloud Specific Compliance Requirements
    • Business Value of Cloud Security
    • Taking Advantage of Cloud Automation
    • How does digital transformation change my approach to security?
    • Manage a hybrid cloud/legacy IT technology stack
    I think what we want to do to start is to vet this list and create a regular "Key C-Level Challenges in Cloud" report like our Top Threats. We will link it to relevant solutions we have already built and start building tools for the areas we have not addressed yet. Some good slide decks for the board of directors would be an example. Let me know what you think!

    Jim Reavis CCSK
    Cloud Security Alliance
    Bellingham WA

  • 2.  RE: Key C-Level Challenges in Cloud

    Posted Oct 22, 2020 07:23:00 PM
    I would put forward the suggestion that these elements be grouped into thematic elements which would guide an organization at each phase of their cloud journey (Cloud Neophyte to Cloud Native/Cloud First).

    Some of these elements will borrow from ITIL methodologies (V3/V4) and some are details of working with teams in the banking industry from an audit and risk perspective.

    For example:
    1. Establishing governance of delivery of IT/IS services within an organization, while mitigating risks to business operations and delivery of services to customers, can be disrupted by the ease of delivery of cloud services; thus, elements which should be considered:
      • Who owns the cloud strategy for the organization? (Governance)
      • Why are we looking to move to the cloud? (Business drivers)
      • How many cloud services is my organization/business utilizing that there is no knowledge or visibility of, and where are these services being provided from? (Shadow IT/Cross-border jurisdiction/data flow/legal/compliance concerns)
        • The business cost model needs to focus on both the costs of migration and the supporting security costs, training and operational state costs, and costs of compliance and risk mitigation within the cloud.
      • How do we manage the costs of the migration to the cloud and ongoing operational expenses of cloud service utilization by the business, and how does this affect our migration strategies below?
        • Application Migration strategy
          • Migration to new cloud based (SaaS, PaaS)
          • Refactoring of existing applications to capitalize on the RESTful nature of cloud services.
          • Lift-and-shift of existing brick and mortar applications (if possible)
          • API management
          • Containers
          • Establishment/Transition of DevOps to a cloud services environment.
        • Infrastructure dependencies and Migration Strategy.
          • Database management systems
          • Middleware
          • Storage
          • Currency considerations.
        • Recovery/Resiliency Strategy.
          • How do we ensure that what we transition to the cloud will still meet our business recovery and resiliency needs as defined in business continuity plans and supporting business impact assessments and disaster recovery plans?
          • Can I test with my 3rd party cloud service provider to validate our business continuity/disaster recovery plans, to ensure that the CSP is not a single point of failure to recovery of critical business functions/processing which rely on cloud service delivery?
        • Data Governance/Protection Strategy.
          • Who owns data governance in the cloud?
          • What classification of data-sets will be allowed to be transitioned to the cloud?
          • How will your business/organization identify and control data flow within the cloud and between partners/suppliers which may interact with or access your cloud systems?
          • How will you maintain compliance with privacy mandates (CCPA/GDPR, etc.) when transitioning to and/or operating in the cloud?
            • Have you assessed impacts to privacy for potential applications, infrastructure and/or business processes your organization/business is looking to outsource to the cloud?
        • Security Infrastructure/operations overlay to the applications/infrastructure migrated to the cloud.
          • Identity and Access Management.
          • Incident Response and Forensics.
          • Logging and Monitoring.
          • Vulnerability management/Penetration testing.
          • E-Discovery and Records Retention.
          • Threat Modeling/Abuse cases.
        • Infrastructure Capacity and Performance monitoring.
        • Patch management (Applications, infrastructure, imaging).
        • Compliance, Regulatory, Legal mandates adherence within the cloud.
        • Internal Audit/Regulatory considerations in demonstration of cloud computing controls-set sustainability. (How do I audit and/or provide assurance of controls sustainability within cloud?)
          • Have you adopted a cloud audit program, if so what does it consist of, how is it executed and how are the results presented to the audit committee and board of directors?
          • Do you have a cloud controls framework which is required to be implemented for cloud services? (i.e. CCM V3/V4 would be a good start)
          • Is your cloud controls framework aligned/mapped to regional/international standards (NIST/ISO 27001, etc.)?
      • How do we identify, treat and mitigate risks posed by cloud services at the point of entry and along the cloud journey? (Cradle to grave)
        • How do we identify impacts to established risk tolerances? Do we need to focus on new risk metrics which will guide the business risk appetite to migrate to the cloud and to continue to consume cloud services?
        • How do we ensure that contracts with cloud service providers have defined roles and responsibilities between the cloud tenant and cloud service provider clearly spelled out, with associated SLAs tied to service delivery?
        • How do we identify and mitigate concentration risks of multiple cloud services being provided by one cloud service provider?
      • Automation will speed the adoption of cloud services, but there are risks.
        • Provisioning: How do I ensure that cloud assets/services are provisioned in a securable state in a consistent manner and evaluated against the defined hardened state throughout the asset's lifecycle?
        • Deprovisioning: How do we ensure that cloud assets are de-provisioned when no longer in use?
        • How do we tie cloud assets to business line processes to support resiliency and recovery needs? (BCP/BIA alignment, and overall business recovery execution)
    Edward Ziots

    Vendor Risk Analyst

  • 3.  RE: Key C-Level Challenges in Cloud

    Posted Oct 23, 2020 10:01:00 AM
    Very thoughtful, these are the types of insights we hope to catalyze from the community. We are going to try to hyperlink/align with existing CSA research where we see it as fitting in.

    Jim Reavis CCSK
    Cloud Security Alliance
    Bellingham WA

  • 4.  RE: Key C-Level Challenges in Cloud

    Posted Oct 23, 2020 09:54:00 AM
    That's a great idea and initiative, and that list is very comprehensive.

    Geoffrey Taylor
    Head of IT Security
    GEA Group AG

  • 5.  RE: Key C-Level Challenges in Cloud

    Posted Oct 24, 2020 01:39:00 PM

    The ongoing incident at London's Hackney Council has been repeated many times elsewhere, but the Mayor's quote might be handy for slides in managing a hybrid cloud/Legacy approach.

    "What we know so far is that the attack has impacted our 'legacy' and non-cloud-based systems – including many systems that are needed for essential services that residents depend on, whether that's taking or making payments, logging repairs for our tenants, or approving applications – from licensing to planning."

    I made an analogy when discussing this between transferring capital cost to operating expense with Cloud, and similarly the risks of centralised collapse should be mitigated (although you might want to know where providers are operating from for SaaS), although you may get issues with individual providers.

    Been busy writing reports with organisations starting on migration to Cloud services, and there is a definite need for clear leadership, and just understanding the basic changes and advantages that should be sought in a cloud environment. I see old habits moved into the virtualisation world, where the cost model has completely changed; I see a lack of knowledge of the ideas of Zero Trust (with which, whatever your views, I think CTO-type roles should be at least familiar). I see a lot of following the herd, when I'm not confident the herd know what they are doing, and I know for a fact that even modest changes in the service configurations and levels of service they are buying make large differences to the security that they will achieve.

    Ditto reading multiple Pen Test reports about problematic local infrastructure being mismanaged in very similar ways across multiple organisations who could do so much better if they just stopped doing that stuff and migrated those tasks to services which specialise.

    So is there a need for a primer at this level covering self-education, and how Cloud should impact the IT strategy still? Business value of Cloud, before business value of cloud security? These are senior IT folk who haven't heard of Okta or Duo, don't know their Auth0 from their OAuth, but who do understand business value, planning, project & people management.

    Simon Waters
    Insufficient Entropy

  • 6.  RE: Key C-Level Challenges in Cloud

    CSA Instructor
    Posted Oct 25, 2020 12:46:00 AM
    Good idea Jim, would love to jump in and help.
    The list above is great; I would also add a focus on where the senior management and board can benefit the security strategy. For example:

    • Senior management and board can promote the security strategy of the company: senior management can promote the security strategy. They play an important role in governance and in shaping the risk appetite approach, by helping to choose the right cloud partners, and many more examples.
    • In some sectors, an investment in infosec can become a business advantage. I think that currently board members look at the infosec budget as an expense and liability, while for many companies, security investments can be used for creating differentiators relative to the competition and market advantage.

    Moshe Ferber

  • 7.  RE: Key C-Level Challenges in Cloud

    Posted Oct 27, 2020 07:04:00 AM
    Edited by Madhav Chablani Oct 27, 2020 11:07:29 AM
    Hi Jim,

    This is equally exciting and challenging in present unprecedented times, to understand what keeps C-level sleepless.

    In my experience and interactions with C-level, what is most challenging is to justify business value, among past and presently needed investments, strategy in cloud adoption and identifying appropriate use cases, and the same for securing data/information and privacy in cloud.

    Second, is to sustain, continuously optimize and build resilience, in delivery, value creation, and business processes.

    Look forward to being part of the team in discussions for this topic.

    Madhav Chablani
    Consulting CIO

  • 8.  RE: Key C-Level Challenges in Cloud

    Posted 24 days ago
    Dear Jim,

    The issues brought out with regard to the challenges faced by C-Level executives are appropriate and timely. One idea would be to include and associate some form of cost calculation with each of the challenges and the business impact if it is not adequately addressed. While I understand that it will be specific and unique for each organization, there could be some pointers and representative ranges based on medium and large corporation sizes.

    Surendra Sharma
    SSM, Cybersecurity