What do you call a cybersecurity executive who works for a cloud provider, builds security into the commercial service and works with security folks on the customer side to keep their systems safe from intruders, insidious ransomware and other threats?
Ask Scott Weller, and the answer is a chief cloud security officer -- a new breed of CISO. The co-founder and CTO of mobile-marketing startup SessionM is busy writing the description for the as-yet-unfilled cloud security job.
"A lot of CISOs for a long time would have been very much about the physical environment," said Weller, whose company runs a cloud-based platform that lets businesses personalize marketing messages for their customers. "We're filling that position around security in relation to cloud, because that's where we are."
Cloud providers -- from cloud infrastructure giants Amazon and Microsoft to smaller, software-as-a-service vendors -- are doing more to enhance the security of their services. As cloud adoption accelerates, regulators are demanding it. So are customers, said former CISO and independent consultant Candy Alexander.
"More and more clients and customers are pushing back on the cloud providers and saying, 'You need to provide us that as a service,'" she said.
And some providers, like SessionM, are posting openings for a chief cloud security officer position -- or something like it in substance if not exactly in name -- adding to the already high demand for cloud security skills.
The makings of a cloud security job
To Weller, the skills needed for this "unicorn-type" position are wide-ranging. He's calling for someone who has "lived in that traditional world of metal and wires," has gone through the process of moving to the cloud and has operated there for some time.
He wants an IT security professional who understands concepts such as cloud bursting -- when applications running in an internal private cloud get more traffic than they can handle and direct the overflow to the public cloud -- and has hands-on experience with different cloud tools.
Weller gave an example involving Amazon Simple Storage Service, or S3.
"How can individual S3 buckets be encrypted? Can they be replicated between different Amazon regions?" he said, referring to the geographic areas that Amazon data centers serve. Companies putting information in more than one region may avoid slowdowns on their websites in case servers in one region go down, as happened in the Amazon outage in February that brought down large sectors of the internet.
"Those types of scenarios that have only emerged in cloud when it comes to concepts of not just security but also redundancy and failover," Weller said. "I know that's a big ask to find all those skill sets in one individual, but those people are out there."
The role is similar to that of a CISO, Alexander said, in that the main duty is to forge a plan to ensure that IT assets are protected as the business moves forward. But a traditional CISO is concerned with his or her own IT operations -- applying security safeguards, managing relationships with technology vendors and working with other parts of the business to make sure checks and balances on security are in place.
The new cloud security job's prime directive, in contrast, is to first ensure that security is built into the cloud provider's service. Then there's the blueprinting of contracts -- ideally, codifying who's in charge of what -- and maintaining customer relationships, Alexander said.
"In the old days that would have been a product manager -- or would have been a member of the product delivery team, a security person," she said.
But cybersecurity today is such a critical component of business -- and cloud is becoming such a big part of enterprise IT operations -- that the role is getting a CISO-level upgrade "to make customers feel they're getting top-notch service," Alexander said.
Technical or business?
Finding someone to fill the new position could be a challenge. CISO skills are hard to come by and by no means narrow in scope. Many businesses today are figuring out they need an IT security officer with not just technical skills but also business skills so he or she can communicate the importance of investing in cybersecurity to other C-level execs and members of the board, Alexander said.
"We've seen a turnover rate of about 18 months for a traditional CISO," she said. That's because many companies hiring CISOs "are not in the technology business, and they thought they needed a technical CISO -- and it's not working. So both sides are unhappy."
Cloud provider-specific CISOs do need to be more technical because the product itself is technology, and they'll be working on the cloud service architecture, she said. And right now there are more jargon-uttering IT security folks out there than Renaissance techies. That's good news for cloud providers like SessionM.
"I don't think you'll see the turnover in that, because that's where the majority of the technical CISOs need to go anyway," Alexander said.