If you don’t know, ask – if you know, share! ~ opensource mindset
by Marco Bravo
The most important issues in life are solved with questions, not answers. ~ Andrew Sobel
Organizations that have moved successfully to the cloud while keeping their cyber risk in check typically follow similar patterns. Cloud isn’t just another project. It is understood from the C-suite down to be the driving force behind all digital business hype (for good reason). Leadership reinforces this message by dedicating resources to what’s become commonly known as the Cloud Business Office (CBO).
Just like other revolutionary technologies before it, the public cloud will eventually become commoditized and not require a dedicated security (or IT) function. Organizations that have reached this point of maturity call it by another name: DevSecOps. The cloud security strategy document then becomes the organizational North Star. Taking the time upfront to get extremely clear on vision and strategy makes for easier decisions down the road.
Remember, APIs and shared responsibility are the main differentiators in public cloud. If someone is a solid performer on your existing team and loves to learn, you just might be looking at your future cloud lead. When it comes to cloud security architecture, design, standards and implementation, there is a role for consultants and contractors. The most successful security organizations let their internal resources set the strategy and lead the execution. External resources are then utilized for a short period of time to supplement and fill gaps as internal teams learn and mature. If you choose to go this route, be sure to include metrics-driven knowledge transfer as a key deliverable in the statement of work.
Things to Remember
Do…
Don’t…
Assume you have to hire someone new to lead the cloud team.