As we wind down National Cybersecurity Awareness Month, I wanted to share some thoughts based on recent discussions with a few other cybersecurity professionals and some small business owners about the accelerated migration to the cloud. This article attempts to capture my observations, looking down over the landscape at a 10000-foot view. Security professionals are familiar with VUCA, an acronym for Volatility, Uncertainty, Complexity, and Ambiguity. In the age of COVID-19, this is even more prevalent as businesses have moved to the cloud to accommodate the nature of remote work. As we have moved through the past several months’ organizations have encountered volatility in the form of unexpected challenges of remote work needs. This has presented both financial and technical challenges for organizations of all sizes, along with the broader societal unrest. We continue to encounter uncertainty as to what the actual impact of this rapid acceleration to the cloud will look like long term. Many security professionals are concerned with the security ramifications of this move. Before this move, we saw massive issues with cloud misconfigurations and misunderstanding of the shared responsibility model when it comes to the cloud. These issues are potentially exacerbated due to the speed at which businesses were forced to move.
With the cloud comes an added layer of complexity. The nature of the cloud remains a mystery to many technology professionals. A limited number of professionals possess the skills that are needed to implement and secure cloud technology. Throughout these past few months, I have seen technology professionals begin developing the needed skills to understand the complexity and to support businesses as they move forward. However, simply acquiring the knowledge and actually being able to securely implement these solutions in a way that supports the business and allows them to continue innovating and growing while maintaining a clear view of the business risk profile is a huge undertaking.
All of the Unknown unknowns introduce the ambiguity we see. Any good security professional will tell you it’s not what they don’t know that scares them, rather it’s what they don’t know that they don’t know which keeps them up at night. Cybercriminals of all shapes and sizes are seizing on the chaos that has been introduced in recent months. It has always been a challenge for security professionals to keep pace with attackers, but even more so now. The business attack surface has grown from the corporate office or data center to every home now is a potential vector into a corporate network. Once inside these networks, ’ attackers can release all types of cyber mischief. Attackers are utilizing malware, phishing, and social engineering in new and unique ways. These attacks on the private and public sectors can potentially be catastrophic. The result can include a complete loss of business and the loss of life, as recently seen in Dusseldorf, Germany.
With all this in mind, I want to talk about a few things organizations should be thinking about as they attempt to address VUCA in the cloud.
Overcoming VUCA with VUCA
Cybercriminals and nation-state actors attempting to steal intellectual property, commit economic espionage, achieve financial windfalls, or spread disinformation. With so much cyber mischief being perpetrated, the move to the cloud has provided even more opportunity to execute this activity at scale. With a much larger attack surface due to remote work, adversaries endeavor to overwhelm an already small and overworked global security workforce. What can be done to help businesses observe, orient, decide, and act in a way that lowers the risk of their organization becoming a target? As my friend and colleague, Tara Hunter, say, ” Attackers follow the data. As companies migrate to the cloud, so are the attacks. We have to stay even more vigilant in this environment, and leveraging automation can be a big help with all the moving parts of cloud computing.” Just as VUCA cane be used to describe our challenge it can also help us describe a way to overcome them. If organizations can develop Vision, Understanding, Clarity, and Agility they will be better positioned to succeed as we continue forward.
Vision
Asset identification and management were challenging before this global move to the cloud; it has become even more paramount. It has been said by many, ” You can’t protect what you don’t know you have.” Understanding your critical assets and where they are located can allow the organization to observe what is going on within their environments. Having this level of vision will help a business to anticipate changes, observe, and respond. When new systems are added to the cloud environment, they can be properly tagged based on business criticality, and appropriate security controls can be applied. The ability to have a clear vision of your assets and observe the actions being taken against them is critical. Cyber adversaries can lurk in every area of the cloud, and with the distributed nature of cloud computing, knowing where your assets are at any given point is an even more daunting task.
This should be the goal of all organizations as they navigate this new terrain. I believe this will help provide clear intent and direction and inform the actions businesses will take.
Understanding
When cloud professionals have a clear understanding of an organization’s business objectives, they can begin to orient the cloud implementation in that direction. To do this, cloud professionals must listen to the business stakeholder as the migration’s business requirements are being defined. This will ensure that the cloud solution being designed meets the critical business objectives while doing so securely. With the rush to move to the cloud during the pandemic, I believe this step was overlooked and will need to be redressed as we move forward. By taking the approach to orient your organization properly, cloud professionals can help reduce unintentional risk. I will quote my friend Tara Hunter once again, “Understand the roles and responsibilities of the enterprise vs. the CSP (Cloud Service Provider). I often hear people state that something is not their problem since they are on a cloud providers’ platform. That’s not true, and so often, the enterprise gets burned when they later find out they are always ultimately the responsible party for their data.” When cloud security professionals provide this level of understanding to the business, they can begin to orient security strategies such as vulnerability management, incident response, audits, and BCP/DR with business stakeholders’ backing outside of technology.
Clarity
Once we have a clear vision and understand the business objectives, we can provide the organization with additional clarity as cloud security professionals. This clarity will help the business make sense of the complexity and chaos in which we live and work. This will also help generate confidence in the cloud professional. We start to demonstrate a liberated thought process away from only the technical but toward the business aspects. Cloud security professionals impart this clarity by being able to cut through the noise. Cybersecurity is now a front of mind issue for many organizations, so calling upon professionals who grasp this space and can relay this information to the business leaders is invaluable. Instead of organizations panicking at the latest news article they read, cloud security professionals can assess the business’s actual exposure and potential impact.
Now more than ever, it is important for technology, especially security, to be seen as a collaborator within a larger business framework. This collaborative relationship can allow businesses to evaluate options better and decide on the appropriate course of action. This could be decisions related to M&A, make versus buy, or whether to pursue a high-risk, high-reward venture.
Agility
With increased clarity, the team can now be more responsive to changes on many fronts. This new level of agility can create new business value, and allow companies to act quickly. The scalability, elasticity, and on-demand nature of cloud computing is designed to support this type of agility we have all been made to embrace so rapidly. By looking at this new paradigm through VUCA and OODA’s lens, I believe technology professionals can play a pivotal role in their organizations’ success in the future.
This by no means an easy task. It will take time, and for many of us, some adjustments to how we approach problem-solving. I believe it is a worthy endeavor for those of us involved in supporting businesses of all sizes through this historical time, in which we all find ourselves.
Just because it feels like a cloud is hovering over your head does not mean the sun is not still shining! Go forth and conquer cloud pros!