Cloud services have gone mainstream in today’s enterprise. It has reshaped the business technology landscape more than any other force in recent times. In fact, any next-generation solution that delivers digital business capabilities today, almost always delivers on cloud platforms. As more organizations race ahead with cloud technologies to meet their ever expanding business needs, the question of security still lags behind.
To be sure, cloud has been a boon for the digital age. Offering almost unlimited scalability, reliability, disaster recovery, redundancy, built-in security with cloud native services, and all at lower cost. Ultimately, at the boardroom, decision makers appreciate the flexibility that cloud technologies offer to navigate the ever-changing terrain of doing business.
However, incidents like the 2019 hack of Capital One data hosted on AWS cloud, resulting in stolen data of 106 million customers and a host of lawsuits, shows the vulnerable underbelly of cloud. Such incidents highlight the challenges in securing data and privacy, interoperability, and upholding regulations and restrictions that CISO’s face. A tightening data security environment across the world, as shown by the EU’s GDPR, leaves little wriggle room for enterprises to have such vulnerabilities.
Cloud security challenges
The list of challenges for CISOs don’t end there. Other cloud security challenges that give them sleepless nights include:
- Absence of multi-cloud visibility and control over a single dashboard pane for security, privacy issues and compliance violations
- Public Cloud native services integration issues
- Multi-cloud contradiction with the single cloud run architecture across cloud platforms, authentication framework, security monitoring and event correlation, etc.
Mind the (skill) gap
There is a common thread running through all these challenges – the talent factor. The market for skilled cybersecurity professionals is a tight, where demand is always ahead of the supply curve. This is even truer for cybersecurity professionals familiar with the changing security landscape that cloud technologies bring.
An ESG-ISSA survey of enterprises revealed that In 2018-2019, 53% of respondents reported a problematic shortage of cybersecurity skills at their organization – a statistic that has grown every year, over the past four years. The same survey also reveals that the cybersecurity skills shortage has impacted 74% of organizations significantly or somewhat. The crunch in trained personnel in the areas of cloud networking and development, DevOps and container administration, underpin the issue of finding security professionals with relevant cloud skills. Skills that is capable of managing converged infrastructures that blend traditional and cloud networks into a coherent networked environment.
Consequently, this talent crunch exacts a high price on corporations. For existing cloud security professionals, the lack of adequate talent in the market translates to increased workload, putting additional pressure on the limited pool of experts. In turn, this increases the likelihood of human error, misalignment of tasks to skills, and burnout. CISOs are also forced to recruit and train junior employees to fill the talent gap, rather than hire experienced cybersecurity professionals.
High workload also means that existing members are unable to take a step back to fully learn or utilize security technologies at their disposal, to their full potential. At a strategic level, it also limits the cybersecurity’s time to work with the business to align with imperatives and processes. This isolation of the cybersecurity unit translates into isolated security protocols running on the cloud network, as if on physical networks.
Winning the talent war
Organizations should address the talent crunch for this crucial function by employing a multi-pronged strategy that works over the short-, medium- and long-term. Cyber security, especially in new-age technologies like cloud, places a premium on specialist, niche talent with a background in DevOps. Some of this talent is found with cloud specialists and managed cloud service providers. Choosing to work alongside these firms can give enterprises access to much sought after expertise, which in turn, can promote in-house development of talent. This strategy gives existing employees the time and guidance to acquire the right skills on the fly, without compromising security posture or a drop in productivity. During this process, taking a DevSecOps approach that is constantly iterating, ensures bugs are caught and fixed as they occur, so that security exists throughout the process, not just at the endpoints.
Over the medium term, nothing will quite be able to replace training in-house talent with the relevant skill sets. This approach has multiple inherent benefits - existing employees maintain and pass along institutional knowledge that outsiders take time to master, both cost and time are saved compared to new recruitment. Besides, productivity that might be lost in training a new employee on internal systems and processes, is saved.
Motivating employees to step outside their comfort zones is key to this. By developing a culture of continuous learning within the workforce that teaches employees the benefits of up-skilling and helping them to work on their strengths. This will enable them to rethink their role and growth in the enterprise to gain skills and learning through certifications.
For the long term, the industry needs to work together to engage with educational institutions to keep their cybersecurity courses current to the constantly changing threat perception. The cybersecurity unemployment rate has stood at zero percent for the past eight years according to Cybersecurity Ventures and the skills shortage is expected to result in 3.5 million unfilled positions by 2021. Of all IT jobs, cybersecurity engineers were the highest paid and most recruited in 2019. This opportunity is bound to attract the next generation coming into colleges, to be interested in cybersecurity as a career. The future surely looks cloud-focused with no let-up in adoption but the cloud’s immense potential will only be realized if its existential crisis is addressed quickly.
- Umashankar Lakshmipathy, Senior Vice President and Regional Head - EMEA Cloud, Infrastructure and Security Services, Infosys Limited.
- We've featured the best cloud storage.