The CISO Perspective: How Chief Information Security Officers “Cross the River” to Cloud Adoption
In this guest post, Mignona Cote, the AWS Global Security Advisory lead, reports on her conversation with Jim Routh, Head of Enterprise Cybersecurity at MassMutual. Their discussion covers the challenges for CISOs who straddle the worlds of traditional information security and the newer digital, DevSecOps, and cloud-based security paradigms. Ultimately, Routh says, CISOs must learn to move “at the speed of the business,” and align their security models with doing so.
Guest post by Mignona Cote
Senior Practice Manager, Security Advisory and Assurance, AWS
As the Sr. Practice Manager in the Security and Infrastructure GSP, Mignona leads Security Advisory and Assurance for protecting data and managing risk in the cloud. Mignona has over 25 years’ experience working in security, risk, compliance, and audit. She has held senior leadership CTO and CISO positions across large financial, healthcare and insurance institutions.
As companies adopt cloud technologies to achieve scale and quicker speed to market, migrating critical workloads with sensitive data (such as card data, account balances, and customer information) becomes a key focus in their cloud journey. This requires explicit buy-in from risk, privacy, compliance, security, and technology leaders. Many of the leaders may be new to the cloud and have a core depth of expertise with legacy on-premises environments. They seek assurance that the data will be protected in the cloud. As a result, they rely on the Chief Information Security Officer (CISO) as a strategic partner for guidance on protecting data and securing the cloud.
As the Amazon Web Services Global Lead for our Security Advisory practice, I interact with CISOs and executive leaders on a regular basis. In this blog post, I will summarize my recent discussion with Jim Routh, Head of Enterprise Cybersecurity at MassMutual. Jim was also formerly a CISO and Chief Security Officer (CSO) of several other large companies, including CVS, DTCC, JPMorgan Chase, and KPMG.
How do you think about a CISO’s role in the cloud journey?
Jim builds the analogy that a CISO plays the unique strategic role of helping companies “cross the river” from the traditional IT environment to a cloud-based DevSecOps model. On the traditional side of the river, IT teams offer powerful scalability for corporate applications. On the other side of the river, digital cloud teams drive innovation for the business. Transitioning from a legacy, IT-controlled environment requires CISOs to focus on the tools and mechanisms provided by AWS as they work to “cross over” to the digital world.
What challenges do CISOs face in an increasingly digital world?
In Jim’s experience, today’s CISOs are forced to straddle two worlds: CISOs either represent existing traditional IT hierarchy with conventional security controls or they are digital champions designing and implementing “guardrails” for the cloud with DevSecOps teams. This mindset is rapidly evolving, however, as CISOs in traditional IT also understand the allure of cloud computing and the ability to unfetter oneself from a legacy environment. Transitioning from traditional IT environments can be challenging—especially considering they are grounded on thirty to forty years of practices evolved from embedded controls and strong compute power. CISOs must strategically retool their teams to the advanced, faster design of DevSecOps. A deep commitment to moving at the speed of business helps CISOs recognize and embrace the potential of the cloud. The CISO must go “all in” with the business, focusing on the economics of the cloud and building a secure architecture.
What are some obstacles for the CISO to navigate around as IT teams cross the river?
As previously mentioned, the current on-premises infrastructure has been built over the last three to four decades, maintaining consistency in process and controls. This legacy culture believes that only on-premises IT teams have the experience needed for well-governed and secure operations as well as the ability to provide robust applications and enterprise scalability. These teams need nudging and guidance to cross the river.
Jim believes that CISOs must transition from legacy on-premises technology operations to embracing the digital world through a DevSecOps model. DevSecOps environments use tools and techniques to incorporate security practices throughout the development process. The CISO then becomes a strategic partner to the business by enabling growth through rapid innovation and adoption.
How can CISOs prepare their organizations for the cloud and how can AWS help?
Jim thinks CISOs should communicate the benefits of cloud technology and the advantages of a DevSecOps model to their teams—but first they must have the knowledge and tools to do so. Developing applications in a cloud-first model does not use the same techniques and methodologies of developing on-premises applications. AWS can help CISOs build their DevSecOps skillsets by focusing on the applied security controls; evolving processes toward automated controls within the code; and providing the tools to implement software security through code security review and quality mechanisms. For example, establishing a defect density on security code vulnerabilities and driving for lower defect ratios provides a measurement on code security. Streamlining the above processes and incorporating security throughout the development cycle ultimately allows for faster deployment in the cloud, without having to retroactively apply security best practices to fully developed products.
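To make the defect density measurement concrete, here is an added example (not AWS, MassMutual, or the author's tooling): a small Python release gate that parses SARIF 2.1.0 output from a static analysis tool, computes weighted security defects per thousand lines of code, breaks the ratio down per file so the team can see where defects concentrate, and fails a build when the ratio regresses past the previous release's baseline. The SARIF document, the line counts, the severity weights, and the baseline value are all constructed for illustration.

```python
"""Security defect density as a DevSecOps release gate.

Added example: the SARIF findings, line counts, severity weights and
baseline below are constructed for illustration, not taken from any real
tool run or from the organizations discussed in the post.
"""
import json
from collections import Counter

# Weight per SARIF result "level". Assumption: a warning counts as half an
# error and informational notes do not count toward security defect density.
LEVEL_WEIGHT = {"error": 1.0, "warning": 0.5, "note": 0.0}


def _result(rule_id, level, uri):
    """Build one SARIF result entry (helper for the constructed sample)."""
    return {"ruleId": rule_id, "level": level,
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri}}}]}


# Constructed SARIF 2.1.0 document, shaped like what a SAST tool emits
# (runs[].results[] with ruleId, level and a physical location).
SARIF_SAMPLE = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            _result("py/sql-injection", "error", "app/db.py"),
            _result("py/sql-injection", "error", "app/db.py"),
            _result("py/hardcoded-credentials", "error", "app/auth.py"),
            _result("py/weak-hash", "warning", "app/auth.py"),
            _result("py/insecure-random", "warning", "app/views.py"),
            _result("py/debug-enabled", "note", "app/views.py"),
        ],
    }],
})

# Constructed physical line counts per source file (what `wc -l` would give).
LINES_OF_CODE = {"app/db.py": 420, "app/auth.py": 310, "app/views.py": 1270}


def parse_sarif(text):
    """Return (rule_id, level, uri) for every result location in a SARIF doc."""
    doc = json.loads(text)
    findings = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            level = result.get("level", "warning")  # used when a tool omits level
            for loc in result.get("locations", []):
                uri = loc["physicalLocation"]["artifactLocation"]["uri"]
                findings.append((result["ruleId"], level, uri))
    return findings


def defect_density(findings, loc_by_file, weights=LEVEL_WEIGHT):
    """Weighted security defects per thousand lines of code (KLOC)."""
    kloc = sum(loc_by_file.values()) / 1000.0
    if kloc == 0:
        raise ValueError("no lines of code to measure against")
    weighted = sum(weights.get(level, 1.0) for _, level, _ in findings)
    return weighted / kloc


def density_by_file(findings, loc_by_file, weights=LEVEL_WEIGHT):
    """Per-file density, so the team can see where defects concentrate."""
    per_file = Counter()
    for _, level, uri in findings:
        per_file[uri] += weights.get(level, 1.0)
    return {path: per_file[path] / (lines / 1000.0)
            for path, lines in loc_by_file.items() if lines > 0}


def gate(current, baseline, tolerated_regression=0.0):
    """Release gate: True when density has not regressed past the baseline.

    tolerated_regression is a fraction (0.1 allows a 10% rise). The goal is
    to drive the ratio down release over release, so the default allows none.
    """
    return current <= baseline * (1.0 + tolerated_regression)


if __name__ == "__main__":
    findings = parse_sarif(SARIF_SAMPLE)
    density = defect_density(findings, LINES_OF_CODE)
    print(f"security defect density: {density:.2f} weighted defects/KLOC")
    ranked = sorted(density_by_file(findings, LINES_OF_CODE).items(),
                    key=lambda kv: -kv[1])
    for path, d in ranked:
        print(f"  {path:<14} {d:.2f}")
    baseline = 3.0  # constructed: density recorded for the previous release
    print("gate:", "PASS" if gate(density, baseline) else "FAIL")
```

In a pipeline the baseline would be the density recorded for the last accepted release, so the gate enforces the "driving for lower defect ratios" goal mechanically rather than through review meetings; the per-file breakdown is what turns the number into a work queue for the DevSecOps team.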
What can AWS do to help DevSecOps teams achieve quicker prototyping in a secured environment?
Jim has a few suggestions on how AWS can empower DevSecOps teams. AWS can work with DevSecOps teams to create patterns for scenario builds. By working directly with the digital team, independently of the CISO, AWS can provide them with the necessary tools to add quality controls into what they build. For enterprises that have fully embraced DevSecOps, AWS can equip the CISO with the knowledge and tools to persuade the digital team to take ownership of what they produce. The security team should have the tools and capabilities needed to support the DevSecOps team. For enterprises still not fully committed to the cloud, AWS can help equip the CISO with a DevSecOps toolset that enables progression to the cloud or alignment with the DevOps teams.
After speaking with Jim, it’s clear that CISOs are poised to play a strategic leadership role in helping organizations through their cloud journey. CISOs can spearhead the overall protection of critical data in the cloud by influencing the code quality with the DevSecOps team, creating mechanisms for automation to drive cloud security, and providing technological expertise. To learn more about how you can help your teams “cross the river,” learn about AWS Professional Services.