Richard Starnes, Capgemini: The cloud presents a chance to rethink and reaffirm cyber readiness

11th February 2020

Richard Starnes
Chief Security Strategist, Capgemini

Securing systems and data isn’t getting easier.

CISOs routinely find themselves pulled between competing priorities set by internal teams, auditors, compliance officers and regulators – all the while dealing with extremely challenging technical situations for which the fixes are neither quick, easy nor cheap.

As a reward, they get to report threats and recommend actions to board-level executives, delivering unwelcome news which may also be interpreted as a failing.

In such a pressurized environment, eliminating the headaches that come with keeping legacy systems secure has to be seen as an opportunity.

Moving to the cloud is not a silver bullet but can be a chance to start anew, making it easier to defend IT assets against a rising tide of exploits and attacks. It can also help CISOs alleviate some of the intense cyber stress that comes with the job.

Cloud migration means re-building IT infrastructure and re-thinking cyber readiness from the ground up. Security can be embedded holistically into services rather than endlessly patched onto disparate and out-of-date on-premise systems.

With the right tools in place, deploying to the cloud can also improve visibility of what’s happening on the network, and make it easier to spot adverse or unexpected traffic.

Cloud agreements also mean you gain partners in the battle to defend infrastructure and data. Altogether that’s a much better footing for strengthening cyber security; one that promises to release CISOs from some of the anxiety and long hours that currently come with the job.

When the CEO asks ‘are we secure?’

Cyber risk is really only a snapshot of what is happening right now, what’s happening today. When I was in a CISO role a few years ago, my CEO would ask me ‘are we secure?’, and my answer would be ‘yes we are – today’. Tomorrow, however, they may come up with a new way of breaking it. Staying ‘secure’ is a journey that never ends.

Taking the blame when a breach occurs

Under GDPR it’s very much a shared responsibility model; everybody that’s involved has a part to play. We have to be concerned about our own company, the companies we work for, all of our shareholders and customers, and all of our employees. Those groups represent real people. We have to be concerned about everyone within that ecosystem.

The complexities of legacy IT need to be addressed

Systems have become more complex. Legacy IT infrastructures made up of systems built on top of systems, built on top of other systems, are still very common. That makes things a bit more difficult, and it’s one of the main reasons cloud is such a valuable business opportunity. It gives you the ability to rethink and restart cyber security, even go greenfield with your IT. That said, if you do take a combination approach where you have some legacy on-premise systems and others residing in the cloud, you should be sure to implement the right security controls for each environment, rather than a blanket approach.

Freeing CISOs to focus on strategy and future threats

Cloud is not a silver bullet. It’s not a case of ‘move to cloud and all your woes will be gone,’ because cloud deployments come with their own set of issues. What migration to the cloud can do for CISOs is make the scope of security more manageable. Partnering in a shared responsibility model with vendors can provide a level of comfort, but cloud should still be treated as an opportunity to take a greenfield approach to cyber. You cannot just assign risk to a third party.

View the full interview with Richard as part of our Security Begins Here series.