Embracing the cloud and meeting its security demands

If you want to build a career in information security, there’s no shortage of diverse roles you can aim for. Whether you’ll end up doing that or something else will depend on your specific abilities and preferences, which may ultimately steer you in an unexpected direction.

But that’s not the case for Marco Rottigni, who joined Qualys in 2018 as Chief Technical Security Officer EMEA. His past roles at FireEye, McAfee and Stonesoft were logical stepping stones, and he’s always enjoyed connecting with people and helping them crystallize their business-supporting technical vision.

“This involves understanding their experience around security, how they have worked around cloud and security and potentially with Qualys in the past. After this, I help them to develop their security roadmap, how this supports their business challenges and how to build security in from the start, rather than trying to bolt security on afterwards,” he explained to Help Net Security.

Untangling organizations’ security needs

Rottigni chose this particular career path because it offers a unique perspective on the security landscape: the combination of talking and networking at events with the reality check of conversations with companies provides him with the perfect blend of information on how security is currently perceived, how it is being designed and how it is operationalized across the EMEA region.

“It’s always fascinating to see how theoretical security principles and ‘best practices’ convert into reality,” he says.

“So much depends on the people involved: how mature the team is at running security operations, how individuals manage threat awareness campaigns, and what security awareness there is internally.”

You might expect that the largest companies are the most organized and mature when it comes to security but, he says, that’s not always the case – there is a wide range of security approaches and differences arise due to variations in internal organization, to mergers and acquisitions creating islands of technology, and to a lack of internal champions for security budgeting and planning.

Another source of problems is security practitioners going for convenient solutions to immediate problems without taking into consideration the big picture.

“Enterprises are inundated with a tsunami of data and events generated by an army of tools, each one providing its own version of the truth, making it difficult to get enough insight. If that’s your current situation, it’s time to go back to basics, harmonize security data with the needs of the IT and compliance teams, and make it understandable to business executives. Build processes grounded on a single and consistent source of truth and re-think information flows,” he advised.

Shifting to the (multi)cloud

Another reality many (if not all) organizations are currently dealing with is the move of assets and capabilities into the cloud. This also means that they have to alter their entire approach to security.

“When using the cloud, your whole risk surface changes quite significantly, together with what kinds of vulnerability you have to look for. Recent history has taught us that when cloud adoption starts to fragment a traditional application into its core components – storage, database, web frontend app, code, identity and access management, load balancing, access rules, etc. – issues such as misconfiguration or compliance becomes potentially more relevant than vulnerabilities weaponized into malware. Security practitioners must quickly get acquainted with these new challenges, understand the possible solutions and work on how to operationalize them within their security roadmap,” he noted.

And while regular vulnerability scanning, agents deployed into the cloud machine images, concentrating defenses at the cloud border and leveraging strong authentication might a good start, they are not nearly enough – security teams should also use the automation options for building instances that cloud providers provide.

“You need proper configuration of your resources, so that what has to run continuously can do so, while other services run when they are really needed. Similarly, you can leverage API-based communication as this can avoid some of the ‘fog’ that can get in the way of your visibility across your digital and multi-cloud landscape.”

Managing a multi-cloud environment in a dynamic way and securely depends on the right mix of automation, economics and KPIs, he says.

Choosing a security solution that reflects the same agility, velocity and scale traits that cloud services have is a must for coping with an environment that expands and contracts frantically in very small timeframes. It must also be accurate and help guide remediation without overwhelming the security team with data without any proper context.

Finally, security teams must also take IT and compliance into consideration when making the choice.

Advice for CIOs and CISOs pushing for cloud adoption

The best CIOs and CISOs know they are not working in a vacuum and are open to learning from others.

“Talk with your peers about their experiences and best practices – learn what worked for them and equally what they would do differently next time around,” he counsels.

“Leverage your vendors’ training offers and design partnerships around use cases. They have experience with other companies that operate in your market, so take advantage of it.”

Lastly, he urges sharing information on your own use cases, as discussing your objectives, and how these relate to real business processes will help you discover more approaches that can help you over time.