The COVID-19 pandemic thrust a significant number of organizations into the cloud. They embraced software-as-a-service (SaaS) in a way they never had before. Organizations of all types and sizes (even some as large as Microsoft) experienced the rapid shift.
Since then, cloud service adoption appears only to be increasing. This shift has reshaped traditional IT, as well as how cybersecurity supports and enables it. Chief information security officers (CISOs) have had to evolve their strategies and toolsets in this cloud-forward ecosystem.
This analysis will assess this trend and look specifically at some of the unique risks that it introduces.
Balancing Risk and Opportunity
One of cloud adoption’s most profound changes is the decentralization of IT control. In many cloud service delivery models, anybody with a credit card can establish a cloud account. Some freemium models require even less commitment. To sum up, anybody in an organization can sign up for a new service and begin to use it. Centralized IT is no longer required to provision new resources and enable access to data.
This autonomy creates enormous opportunities for productivity and collaboration as people can move faster and don’t have to navigate procurement cycles measured in months. They can rapidly try things out and dismiss them if they don’t work. Yet this change also introduces the risk of data sprawl, where data becomes scattered, unclassified, and managed in unauthorized services, devices, and outside compliance boundaries.
The decentralization of IT control challenges the traditional approach to security, where policy creation and enforcement were both centralized. Now, CISOs must pivot to a strategy where policies are still centrally created but enforcement is decentralized. In the case of SaaS consumption, the security team may have no awareness of the tools in use or the data being used within them.
To effectively handle the multitude of SaaS applications, organizations need new tools and strategies like secure access service edge (SASE), cloud access security broker (CASB), and SaaS security posture management (SSPM). These tools address challenges related to visibility, control, inventory management, policy enforcement, and threat detection and response.
Which companies are the most important vendors in cybersecurity? Check out
the Acceleration Economy Cybersecurity
Top 10 Shortlist.
Evolving Threats
Ransomware as a threat vector has continued to rise in popularity, in part due to the ease of carrying out attacks and also to its more favorable risk-to-opportunity calculus for adversaries.
As it has become increasingly popular, ransomware has evolved on many fronts, from business models supporting threat groups in carrying out attacks to deploying packaged exploit kits to adopting cloud-based infrastructure. There was also a recent example of a successful ransomware attack carried out against an organization’s SaaS deployment due to a weak configuration.
These examples underscore the need for cybersecurity to keep moving, evolving, and innovating. If CISOs let compliance standards set the bar for where security programs go, or they it lets what is considered resilient today be good enough for tomorrow, they will be behind the curve. The increase of SaaS and cloud-native technologies comes with an incredible opportunity to do security differently and rethink security postures that have been in place for years.
The CISO’s Role
As digital transformation continues to unfold, the CISO’s role is changing. It is shifting from one with a compliance and operations-heavy focus to one that is data-driven and incorporates engineering practices into its teams and strategies. SaaS tools, like many cloud services, expose application programming interfaces (APIs) that enable them to programmatically interface and connect with other services.
As CISOs rebalance their teams to introduce more engineering skills, there is an opportunity to build capabilities that go beyond merely purchasing and deploying tools. Tools become part of the bigger capability. Tools interface with other tools, which creates data. That data is incorporated into analytics and used to make better decisions, engage others on risk, and create adaptive security measures.
Adaptive security introduces an innovative approach to threat management. The CISO’s role is inextricably linked to technology evolution. Making cloud services accessible programmatically opens opportunities for CISOs and their teams to apply age-old concepts like access control and segmentation dynamically, based on what’s happening in near-real time.
However, it appears the industry is still in the early stages of implementing this concept. Today, adaptive risk management is largely about risk assessment based on changing inputs. As more data is collected and more systems are connected, the process of adaptive management, involving inputs, decision-making, and taking action, can become more automated and broadly applied.
Concluding Thoughts
As we look toward the future, chief information officers (CIOs) and CISOs will have to balance business-aligned risk management and the constant push for innovation. Misalignment can reduce productivity by causing exceptions and manual workarounds. Not innovating can lead to being surprised or caught completely unprepared for an emerging threat.
The evolution of SaaS security and adoption alongside the CISO’s changing role presents a mixed bag of challenges and opportunities. As a CISO, I’m excited about this shift: the push towards data-driven organizations is precisely where we need to be headed — not only to keep pace but also to protect our organizations.
