BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
When Brian Lillie is hiring for his security team, the right skills get candidates in the door; the right cultural fit gets one of them the job.
"If you hire the wrong information security leader, they can put security above all else and work can grind to a halt," said Lillie, CIO at Equinix Inc., a Redwood City, Calif., provider of data center space. "They can become the productivity prevention unit, the PPU."
Security is at the forefront at Equinix, which operates 145 data centers on five continents, Lillie said. But in an "innovate or die" business climate, so is helping business users move the company forward -- and for Equinix and many other organizations today, that means giving them access to the power, capacity and flexibility of cloud computing. Cloud innovation thrives, Lillie said, if security is folded into everything the company does.
"I think where you get into trouble is where you make security an afterthought and you make it second to user experience," Lillie said. "There's always a balance between user experience that you get from a beautifully written cloud application and security."
It's a line more and more organizations today have to walk, as business units clamor for cheap, easy-to-install, easy-to-use cloud applications and IT is forced to act as gatekeeper. According to a new report by nonprofit Cloud Security Alliance and cloud security vendor Skyhigh Networks, a "culture of security," often with support from a chief information security officer, or CISO, is needed to ensure a company has vision and vigilance in equal measure.
The making of a cloud security culture
Jim Reavis, co-founder and CEO of Cloud Security Alliance, explained: Procurement of IT, once highly controlled by corporate bosses, now can happen at the individual-employee level. Anybody can order up a cloud service or access a business application on a mobile device -- and that increases the risk of a poorly encrypted app or unsecure mobile device making an organization vulnerable to a data breach.
To mitigate that risk, security practices need to be communicated throughout an organization and embedded into the organizational structure -- from top-down leadership to the orientations human resources organizes for new hires.
"An analogy you might think of is a neighborhood block watch," Reavis said. "If you have everybody aware what's going on in the neighborhood, it can be a real strength and really augment the overall security posture of an organization."
Lillie has a multilayered approach for cultivating a security culture. Part of it involves a "fleet of tools" -- cloud access security brokers, software that protects cloud services; identity management tools; mobile device management; and laptop system protection, to name a few. But just as important as technology is bringing on security team leaders who can communicate the value of crafting and executing a security strategy, and can build relationships across the teams they're going to work with -- from applications to infrastructure to business departments.
Self-service IT increases need for CISO
A relationship Lillie said is "critical" to Equinix's security is the one between him, the CIO, and his direct report, the CISO.
"There are arguments saying that the CISO should be separate from the CIO because they're auditing them," Lillie said. "I would never try and hide something. I want him to audit. I want him to find whatever he is going to find, which is good for everybody."
The organizational structure notwithstanding, the report suggested that organizations with a CISO are in a better position to protect data as it moves to the cloud, often in systems of record, such as customer relationship management and human resource management. According to responses by the 209 professionals surveyed -- from organizations worldwide -- 61% of organizations have a CISO, and 54% of those have a complete incident response plan, which details how to respond to a data breach on multiple fronts, including security remediation, public relations and customer relations.
Just 19% of organizations without a CISO have such a plan. And the top security challenge for organizations that don't have a C-level information security officer? The lack of a strategy to make use of threat intelligence data.
The report said that organizations with a cloud security culture -- or ones that are at least concerned about data loss -- are more likely to have a CISO. Sixty-seven percent of organizations worried about data loss -- the destruction of information due to failure or neglect in data management -- have a CISO, compared with just 50% of organizations for which data loss is not a concern.
Kamal Shah, senior vice president for products and marketing at Skyhigh, said the CISO role is more important in an era when IT is enabling business units to make use of cloud and mobile applications.
"And so now, today, the role of the CISO, while it's important to protect your network and protect your devices," Shah said, "it's becoming even more and more important to protect your data as it moves to the cloud."
Wanted: Cloud security professionals
It's a big job few can do alone, but some might have to -- at least for now. According to the report, the biggest challenge facing CISOs today is finding the people with the right skills to analyze data coming from a multiplicity of security software systems. In fact, the report said, as organizations invest heavily in information security, "there are more jobs available than qualified applicants to fill them."
Reavis said it's a supply-and-demand problem. The U.S. educational system just isn't producing enough information security professionals. As a member of an advisory board at his alma mater, Western Washington University, he saw the creation of an information security course of study in the computer science department. The first graduates of the program will come out in 2017. More of them are needed, he said. And salaries for the positions should rise, too.
"We have to hit it from both sides," Reavis said.
Salaries for certified information security folks vary widely, averaging $61,079 to $116,445 for an analyst to $100,308 to $202,407 for a CISO, according to the website Payscale.
Shah said the rapid rise of cloud computing has ratcheted up the need for information security skills -- and it caught everyone off guard. But there's no need to fret -- he's seen this happen before: about five years ago, when big data got huge in IT circles and there were few people who knew what to do with it.
"One thing that's great about this country is that when there is a supply-and-demand imbalance, there are more classes, and colleges and universities are now adding more security programs," he said. "I think we will see this shortage addressed over time."
Overhaul called for on cybersecurity defenses
How information security professionals promote a security culture
Witnessing the rise of the CISO