Now that the cloud is becoming secure enough for sensitive data, are cloud customers ready to hold up their end of a shared liability model?
Fear characterized the early days of cloud adoption – some of it justified and some purely sensational. The concept of sending data off the corporate network and thus outside of existing security technology spooked IT security professionals. But now that cloud has matured, one of the greatest barriers to adoption has become a people problem.
Times have changed, and even former hold-outs in regulated industries have warmed to cloud technology. Last year, US Chief Information Officer Tony Scott called for organizations to “get to the cloud as fast as [they] can” for better security, and a recent survey (registration required) from the Cloud Security Alliance confirmed this attitude among rank-and-file IT professionals, with 64.9% of respondents describing cloud software as a service as secure or more secure than on-premises software.
This growing confidence in the security capabilities of cloud providers reinforces Gartner’s prediction that in 2016, 95% of cloud security incidents will be the customer’s fault. Enterprise cloud providers’ entire business model depends on preventing breaches, and they have more resources and top talent to dedicate to security. But now that the cloud is secure enough for sensitive data, can cloud customers hold up their end of the shared liability model?
The Cloud Security Skill Gap
Anyone who has tried to fill open IT security headcount is familiar with the shortage of skilled professionals. There are currently more than 209,000 unfilled cybersecurity jobs in the US alone, and job postings have increased 74% over the past five years. Retaining talent has become just as difficult. As one might expect, salaries have kept pace with budgets, giving rise to anecdotes of security engineers moving to jobs for double their previous salary.
Nowhere is the security skill shortage more severe than in emerging technology areas like cloud. CSA survey respondents specified a lack of expertise as the biggest barrier to effectively detecting and stopping data loss in the cloud. This finding represents a huge pain point for companies; attitudes and technology have advanced to the point that more companies than ever are willing to take advantage of the benefits of cloud, yet the lack of human expertise is still holding back progress.
Given the lag for education to catch up in the workforce, companies struggling with this challenge can turn to stopgaps for the immediate future. Companies can pursue a combination of solutions to compensate for a lack of internal expertise. Third-party experts can help fill the knowledge gaps. Consulting firms have made moves to ramp up their cloud business over the past year, and cloud vendors often serve an expanded role as trusted partners helping to inform organizations’ security practices. Conferences and knowledge-sharing organizations like the CSA can also play an important role in diffusing knowledge through educational programming and sharing war stories.
Enforcing cloud security with a shortage of expertise can also pressure IT security staff to run a tight, efficient ship. Upfront investments in processes and technology can streamline operations. Organizations can automate security through cloud APIs and other vectors for extending existing security infrastructure. Staff should also rely on crowd-sourced information about high-risk services whenever possible. The majority of companies (71.2%) have implemented a formal process for requesting and evaluating new cloud services, reducing IT’s workload and increasing user satisfaction and productivity, according to the CSA survey.
Seizing the Opportunity to Make the Rules
Companies that address the cloud security skill gap head-on will see other positive side effects in addition to the intended reduction in risk from cloud use. In efforts to retain talent, companies are going out of their way to keep employees engaged with rotating roles, exposure to new technologies, and educational programs.
Experience with cloud technologies is also desirable for security professionals looking to stay on the cutting edge of the industry. CISOs, for example, are under pressure to align security with business objectives, and the tools in demand are frequently cloud services. As with any area of emerging technology, many of the best practices of cloud security have yet to be defined and are constantly evolving. Progressive IT security departments have the opportunity to become leaders and innovators in this booming space.
Expect cloud security to rise as a prominent area of investment for IT staff’s professional development and education. And for IT professionals, gaining exposure to cloud security initiatives may be one of the best career moves they can make.
Kaushik Narayan is a Co-Founder and CTO at Skyhigh Networks, a cloud security company, where he is responsible for Skyhigh’s technology vision and software architecture. He brings over 18 years of experience driving technology and architecture strategy for enterprise-class …