A veteran of the information security industry, Greg Jensen has spent the last six years at Oracle as the Senior Director of Oracle’s Cloud Security solutions. He’s also the Senior Editor of the Oracle and KPMG Cloud Threat Report, as well as Oracle’s annual CISO Report.
“The focus of these efforts is to understand the key challenges that hundreds of global organizations are struggling with as they lift and shift workloads to the cloud, and what practices concerning people, processes and technology have been successful, so that we can build on them. We also aim to raise awareness and visibility regarding shortcomings in policy and architectures,” he told Help Net Security.
Businesses have been making the switch from on-prem to the cloud for quite some time now, and most organizations are familiar with Gen1 cloud services, where they could spool up an on-demand service for a non-business-critical need with just a credit card.
The problem now is that they want to do the same for business-critical workloads and CISOs have to fight to change that mindset, Jensen noted.
“When it comes to business-critical services, there are fundamental challenges that only a Gen2 architecture can resolve: edge security such as WAF, integrated identity and behavior controls, event and alert analysis and response, and so on,” he explained.
“Organizations want the ease of use of a Gen1 service, but don’t know that they require the security and risk monitoring of a Gen2 platform. CISOs’ greatest challenge these days is how to collaborate more effectively with business leaders instead of working around the SecOps controls out of fear that they may be restricted.”
Being an effective security leader
To be an effective CISO, the person occupying the role must have a seat at the table where high-level decisions are made and must master the art of enablement.
“CISOs can be agents of positive change: instead of saying ‘no’ all the time, they must become the person that says ‘Yes, and let me show you how,’” he noted.
“The role of a CISO today is to work collaboratively with the line of business. They must ask questions like: ‘Why are you using this service? Because it’s easy? What if we can find a service that is just as easy to use, but decreases organizational risk, provides real-time audit controls and enables a faster onboarding of users? Is that something we could work together on?’”
Simultaneously, CISOs must keep their team satisfied or risk losing them.
Jensen believes that what burns out IT security workers the most is the constant barrage of firefighting routines, which prevents them from showing their true talents in designing and building, along with the constant overwork caused by difficulties in hiring new qualified staff.
“The reality is that CISOs will continue to struggle hiring new security staff for the foreseeable future, as the labor market shows a severe shortage of security professionals,” he said.
CISOs should mitigate the effects of that unfortunate reality by focusing on giving their teams opportunities for growth.
“As hard as it is to lose the one person who knows how to run your vulnerability platform, you have to plan for that and allow them to grow inside your organization, or you will lose them to another organization,” he advised.
“You must cross train and give them time away from the front-line, as the ‘always on’ mentality of a SOC analyst can be highly stressful and taxing. Giving your teams the opportunity to rotate through different roles not only gives them time away from the front line but makes them capable of covering for their colleagues when they need to step away or make a career change. It’s important to understand everyone’s career plans and support their growth, even at the risk of losing them.”
Security is gaining in importance
The priorities of security leaders of different-sized businesses used to be dramatically different, Jensen says, but things have changed.
“Take dealing with supply chain risk as an example. A large financial business that serves thousands of other businesses around the globe needs suppliers, contractors and partners. In order to meet current regulatory and compliance obligations, that business is forced to require proof that the suppliers’ house is in order when it comes to cyber security. Those little guys are now forced to invest in achieving that – or risk losing lucrative deals,” he explained.
“With each passing year, large company CISOs are going to see increased pressure to reduce the risk from supply chain partners that inadvertently or intentionally expose their organizations, and the little guys will be forced to keep the pace. Security is slowly becoming essential to doing business.”