Completely agree with:
"The CIO is no longer an operational executive but an orchestration executive, as nowadays, there is no business strategy in organizations that does not involve technology"
I would describe the ideal future CIO as an MBA'd experienced (business or tech) operations executive, ideally with Board Level sponsorship, with a strong technical background as a necessary, but secondary, requirement.
For the CISO:
"Security is becoming more of a shared business responsibility and many aspects of IT management now reside outside the CIO's and CISO's reporting structure."
I have a more pragmatic observation: that this function is going away completely. The CISO function is today being absorbed into the Dev(sec)Ops stack, and automation is the key deliverable. Having someone to design and advise on policy and control implementation and manage SecOps can/should be an SRE Lead with more security training. For nuanced and cross-functional security expertise, outsource this to specialist *teams* (internal or external), e.g. things like red teaming, regulatory compliance, threat modeling, zero trust architecting, etc.
Neither of these is serverless-specific, of course. Just overall shift left. But both are here today and will only accelerate.
For the serverless-specific stuff: a CIO should be able to present a cogent business plan for why and how to migrate to or greenfield a serverless initiative, with an ROI defined that considers all the things you mention in the paper. A CISO role/team/function should be adding specific control guidance and evaluating tools and automation for covering Day 2 SecOps, and operationalizing this for the explosion of data flows and app attack points that serverless introduces and that is alien to many DevOps teams today.
------------------------------
Robert Ficcaglia
CTO
SunStone Secure, LLC
------------------------------
Original Message:
Sent: May 20, 2022 06:13:08 AM
From: Orbert .
Subject: C-Level Guidance to Securing Serverless Architectures
CSA and the Serverless Working Group are excited to announce C-Level Guidance to Securing Serverless Architectures. This paper provides CISOs, CIOs, and others involved in administering and managing systems with an overview of serverless computing and risks and security concerns that come with implementing a secure serverless computing solution.
Serverless platforms provide a more streamlined and effective way to move to cloud-native services. The business benefits of serverless architectures are wide-reaching; they offer agility, accessible cost, and speed to market. Download and read the publication to explore ways to guide the C-Suite towards secure serverless architectures: C-Level Guidance to Securing Serverless Architectures | CSA
#cloudsecurity #serverless #riskmanagement
C-Level Guidance to Securing Serverless Architectures | CSA: The purpose of this document is to provide a high-level business overview of Serverless architectures, along with the risks and the security concerns when implementing a secure serverless solution.
------------------------------
Orbert .
------------------------------