The cybersecurity challenges that organizations face today are prodigious, giving the role of CISO more prominence and weight than it ever had before. But what makes a suitable CISO in the digital age? For the answer, SearchCIO turned to a purveyor of cloud computing, which more and more companies are relying on to maintain and grow business.
Cloud service providers have a lot to worry about when it comes to cybersecurity. They have to keep their own data safe, no small task as cybercriminals innovate and sharpen their attacks. And, to ensure they stay in business, cloud providers have to keep their customers' data safe. That makes their perspective on the experience and skills needed to fill a CISO position today that much more critical.
Greg Arnette, co-founder of Sonian, a provider of cloud-based email archiving and analytics services acquired this month by Barracuda Networks Inc., said IT security today centers on the cloud, which companies are looking to for part of or even all their IT operations. For that reason, cloud expertise should also figure heavily in a CISO's skills and experience.
"You have to be good at reading contracts and reading license agreements, and it's less of nuts and bolts -- plugging in cables," said Arnette, CTO at Sonian and now director of data protection platform strategy at Barracuda. "It's enforcing contracts, watching for vulnerabilities that could be reported in the press, and it's thinking about security from a different angle."
Arnette spoke to SearchCIO about the right stuff for a CISO position -- including the need to assess the safety of new technologies such as serverless computing platform Amazon Web Services (AWS) Lambda and whether an IT security executive should be business-minded, tech-minded or both. Following are excerpts of that conversation.
What skills, experience and characteristics are important for the CISO position today?
Greg Arnette: It's all around the embracing of software as a service [SaaS] and cloud as the primary platform that accompanies data processing and back-office functions -- and less about on-prem servers and physical data center rooms and keycards and that kind of stuff. Security is moving from the physical software aspect of protecting the data and thinking about the firewall and the rack to, 'Our company is now subscribing to three or four major SaaS apps, and that's where all the systems of truth live' -- [for example], Salesforce and Zendesk and Workday and Intacct for accounting and Concur for travel.
That's the new back office, and it's all external to you. It's being able to assess each of those vendors to make sure that they're implementing best practices, so you have to have an analytical mind. You have to be good at reading contracts and reading license agreements, and it's less of nuts and bolts -- plugging in cables. It's more of a higher-value-add thinking around security in a holistic way. It's enforcing contracts, watching for vulnerabilities that could be reported in the press, and it's thinking about security from a different angle. That tends to tap into what we see as more of a younger mindset as opposed to a legacy mindset, without getting into issues of ageism within IT. It's someone who has to be more open-minded than we've seen in the past around how they think about security. It's less around the physical; it's all virtual.
And then secondarily, really understanding how the top cloud platforms -- like Amazon, Google, [Microsoft] Azure and [IBM] SoftLayer -- how they implement security. They all give us the basic raw tools, but each of them has different ways to develop a highly secure environment. That's a whole specialty to itself -- just securing Amazon is a whole specialty, just securing Google, just securing Azure is a whole specialty.
How necessary is it for someone in the CISO position to evaluate how an emerging technology could affect a company's overall cybersecurity?
Arnette: I think that's a key thing. Even putting a system and technology in place to get alerted when something new shows up. Serverless [AWS] Lambda is a good example. Everyone wants to be using Lambda these days because it's faster to get something in front of your customer. But Lambda as a way of just running your app is not well understood enough because it's new, [and we don't know] what the security issues could be with a Lambda-centric architecture. The CISO needs to be able to be alerted that Lambda is a new service, the value vetted out -- especially sanction it for approval as a way of running the code. And [the CISO needs to stay] abreast of all the new offerings because there are so many new offerings coming on the market these days, whether it's a service like Lambda or an open source piece of software that's getting very popular very quickly. Like Docker, for example. Everyone wants to be doing containers, and who knows the security issues around Docker? You've got to really dive into it.
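One way to build the "get alerted when something new shows up" mechanism Arnette describes is to scan the cloud provider's API audit trail and flag any service that is being used to create or change resources but has not yet been sanctioned. The script below is an added example, not code from the interview, from Sonian or from Barracuda. It reads CloudTrail-style management events (the sample records embedded here are constructed, not real captures) and compares each call's `eventSource` against a hypothetical allowlist maintained by the security team, ignoring read-only `Describe*`/`List*`/`Get*` calls so that someone merely browsing the console does not trigger an alert while the first `CreateFunction` on Lambda does.

```python
"""Flag cloud services that are in use but have not been sanctioned.

Added example, not the interviewee's or any vendor's code. The events below
are constructed in CloudTrail's record layout (a subset of its fields); in
production they would come from the CloudTrail log bucket or an event bus.
"""
from collections import defaultdict

# Hypothetical allowlist: eventSource values for services the security team
# has vetted and approved for running workloads.
SANCTIONED_SERVICES = {
    "ec2.amazonaws.com",
    "s3.amazonaws.com",
    "iam.amazonaws.com",
    "sts.amazonaws.com",
}

# Read-only calls do not deploy anything; only mutating calls count as
# "running code" on a new service.
READ_ONLY_PREFIXES = ("Describe", "List", "Get", "Head")

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"eventTime": "2017-11-10T14:02:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2017-11-10T14:05:40Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "ListFunctions20150331", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
    {"eventTime": "2017-11-10T14:06:02Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "CreateFunction20150331", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
    {"eventTime": "2017-11-10T15:20:19Z", "eventSource": "ecs.amazonaws.com",
     "eventName": "CreateCluster", "awsRegion": "us-west-2",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/deploy"}},
    {"eventTime": "2017-11-10T15:21:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "awsRegion": "us-west-2",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/deploy"}},
]


def is_mutating(event_name):
    """True for calls that create or change resources (not Describe/List/Get)."""
    return not event_name.startswith(READ_ONLY_PREFIXES)


def find_unsanctioned(events, sanctioned=SANCTIONED_SERVICES):
    """Return {eventSource: [events]} for mutating calls to unapproved services."""
    findings = defaultdict(list)
    for ev in events:
        source = ev.get("eventSource", "")
        if source in sanctioned:
            continue
        if not is_mutating(ev.get("eventName", "")):
            continue
        findings[source].append(ev)
    return dict(findings)


def format_alerts(findings):
    """One alert line per unsanctioned service: first mutating call and actors."""
    lines = []
    for source in sorted(findings):
        first = min(findings[source], key=lambda e: e["eventTime"])
        actors = sorted({e["userIdentity"]["arn"] for e in findings[source]})
        lines.append(
            "UNSANCTIONED SERVICE %s: first mutating call %s at %s in %s by %s"
            % (source, first["eventName"], first["eventTime"],
               first["awsRegion"], ", ".join(actors))
        )
    return lines


if __name__ == "__main__":
    for line in format_alerts(find_unsanctioned(SAMPLE_EVENTS)):
        print(line)
```

On the sample data this reports Lambda (the `CreateFunction` call, not the earlier `ListFunctions`) and ECS, while the EC2 and S3 calls pass because those services are on the allowlist. The allowlist is the review gate Arnette refers to: a service stays off it until the CISO has vetted it, and the detective check here is the complement to a preventive control such as a deny-by-default organization policy.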
Should a CISO be technical, business-minded or both?
Arnette: They are equally important, and I think it's unique to find a single individual who can cover both those areas well. Sometimes a highly technical person who's into the deep code who's looking for security vulnerabilities may not be the best communicator of technology to a nontechnical person. So, you see at least two people servicing that. For example, our chief architect is an internal kind of person who's very security-minded, but you probably wouldn't put him in front of a customer. And vice versa -- you wouldn't ask a customer-facing person to get involved in the code, because they are focused on process and reading agreements -- the business side of things. You'll see more of that bifurcate in a positive way. But a team like us or others needs both those skills.
To learn how Sonian uses the CISO role to safeguard customer data, read part one of this two-part interview with co-founder Greg Arnette.