
A cloud provider ruminates on the role of a CISO

Sonian, a recently acquired cloud application provider, discusses the role of a CISO, emerging cloud security positions and changes on the horizon.

Like other businesses, cloud providers worry about the onslaught of data breaches and ransomware attacks hitting them. They put an IT security executive, a CISO, in place -- or they distribute the role of a CISO across several employees -- to ensure they're protected. And as the popularity of software as a service (SaaS) applications skyrockets, they're putting more effort into ensuring their customers are protected, too.

Sonian is one of them. The Waltham, Mass., company -- this month acquired by computer security vendor Barracuda Networks Inc., which itself will be bought by private equity company Thoma Bravo for $1.6 billion -- provides a cloud-based platform that allows companies to archive and analyze email for legal and regulatory purposes. Safeguarding customer data, said Greg Arnette, Sonian's co-founder and CTO and now director of data protection platform strategy at Barracuda, is paramount.

"Our customers and partners trust us with their most valuable communications data," Arnette said. "So, we have to have security as a top-level design principle, a top-level testing principle and also a top-level operational stance."

One way Sonian is helping keep customers' data safe is by adopting the IT security guidelines used by the big cloud providers -- Amazon Web Services (AWS), Microsoft Azure and IBM SoftLayer -- whose infrastructure services Sonian uses.

Another way is by developing security tools that allow companies, which are increasingly relying on cloud applications, to compile and correlate data and "look at patterns across usage of these different SaaS apps" for more sophisticated cybersecurity insights, Arnette said.

SearchCIO spoke to Arnette before the Barracuda acquisition about the CISO role at Sonian -- the job was shared among a small team -- the company's evolving cybersecurity posture and the changing demands of SaaS customers. His thoughts offer CIOs a snapshot of how a SaaS provider -- one successful enough to be snatched up -- is thinking about cybersecurity in the cloud. Here are excerpts of that conversation.

Tell me about your cloud security team. Do you have a CISO?


Greg Arnette: We have a function for CISO. It's not worn by a specific individual, but it flows up under our VP of service and ops, who's in charge of the overall operational stance, and he has different team members who contribute to the office of CISO, the role of CISO. It's a combination of people, process and technology that represents our approach to the CISO role within our company. We have tools that we've created ourselves that we also subscribe to and [architecture-and-design-review] checklists and [quality assurance] processes to ensure security is always being thought about.

As cybersecurity breaches have been occurring regularly, there's been a lot of discussion about where the CISO -- or the distributed role of a CISO, in Sonian's case -- fits into the reporting structure. How do you think about reporting structure, and how does it affect your cybersecurity posture?

Arnette: This is a common pattern I see around cloud-based startups (you could consider Sonian a startup even though we're an established company): Typically, there's a person who owns the operational stance, and security is a part of that. There's an overlap into architecture, which is owned by a different person. Typically, they're a VP of engineering and a chief product officer, and they collaborate together. Then there's that hybrid CISO role which crosses over a couple of silos. That's the typical team architecture you see in companies that are offering SaaS powered by cloud.

We're also inheriting all the controls and best practices from the cloud providers that we sit on top of, like an Amazon or an Azure or SoftLayer. So, our security stance has to include those, and we spend a lot of time working with partners like AWS to map that out. We were one of the first to have to go down this path a long time ago, as we were starting to explore selling to the federal government. We were pioneering alongside Amazon, figuring this out -- like, how do you describe a cloud architecture to a government CISO who has to evaluate the integrity of the service before they can subscribe to it? They weren't familiar with the designs. But now, I think everyone's gotten their mind wrapped around how this works.

Cloud computing has led to new cloud and cloud security roles at companies -- cloud providers included. One is a chief cloud security officer, a type of CISO who's in charge of building security into the services they offer. Are aspects of that role covered at Sonian?

Arnette: Yeah, for sure. A couple of perspectives: We're also noticing these new titles that are starting to show up. If you were to look through our CRM system at people and titles, I'm starting to see a lot of director of cloud security, director of cloud apps, director of SaaS apps. Those titles didn't exist just a few years ago. So, it is a shift in recognition within the midmarket enterprise IT and above that the world is changing, and they need people who are well-versed in the new world to be successful.


Our mandate is to operate a highly secure service because our customers and partners trust us with their most valuable communications data, which is rich in content, to manage it for them in an archive and data preservation fashion. So, we have to have security as a top-level design principle, a top-level testing principle and also a top-level operational stance.

From time to time, we'll use add-on consultants to help us analyze the situation and make recommendations, and our own internal team is being trained [in IT security] -- that's their prime directive, alongside reliability. Because our customers are also having people with those titles start to appear on management teams and in employee directories, we need people well-versed enough to communicate with them in the same kind of language.

What changes in cybersecurity do you see on the horizon, and how are you responding to them?

Arnette: There's going to be more of a demand for getting [data-centric] metrics around what's happening in an organization. That's an area that we're striving to do more in. So, you're going to see more of that coming from companies like us and others that are going to get involved in the correlation of data.

There are a couple thousand B2B enterprise SaaS apps out there that all have very rich APIs that allow correlation to happen that was impossible before, when we had all these on-prem, siloed systems. The IT role is going to evolve to be the chief data officer, the chief analytics officer, the chief security officer. And they're going to be looking for tools that can help you correlate and look at patterns across usage of these different SaaS apps.

As roles change, a new set of tools start to emerge to address those roles. In the enterprise IT world, the pendulum is always swinging from left to right to left to right. So, we're starting to see the tools respond to the change in attitude around security.

[For example], giving a CISO who might be in charge of the security posture for a 1,000-person company a view into how collaboration is being used but from a security perspective. Is data leaking out? That kind of stuff.

So, you're adopting new tools and also offering them to customers?

Arnette: Yeah. We need the tools to operate our business, but what we create as an output is a set of tools and security insights that can be used by [enterprise] CISOs to get a view into the organization that was impossible before.

Beyond the uptick in breaches, what's behind the shift in attitudes toward security? Is it companies' steady push into the cloud?

Arnette: Exactly. For many companies, especially new ones, all their data is in the cloud. And more and more midsize and larger companies are moving their data there. But they need to catch up on how they think about the security angle.

To learn about the skills and experience Sonian co-founder Greg Arnette says are important to the role of a CISO, read part two of this two-part interview.
