Security is Job zero – Merritt Baer (AWS Office of the CISO) and I spent an hour talking about how fundamental information security (infosec) is to business functions in today’s world. It’s everyone’s job to ensure they are working to help secure the organization – from the frontline workers to the back-of-the-shop employees – being mindful and active in the infosec program can make or break a company.
Anecdotally, the TSA does a good job of advertising “see something, say something” to all its passengers, effectively creating a large network of (human) sensors. The same mentality needs to be applied to the enterprise, but made specific to employees’ daily work and interactions. Our conversation started with what exactly infosec teams should do, are doing, and want to get done. We were able to define some needed roles across organizations, identifying that security needs to be a core function, across all lines of service within an organization, and the people leading it need to have teeth.
Beyond this, we defined security as an on-going process – it’s never perfect but as Merritt said: “embrace the imperfections to create and improve.” Take an evolutionary view of the way your organization will weave infosec into the daily operations of its employees. It takes time and a program to make infosec the forefront of your workforce, and the program will need to adapt.
How does your organization go about implementing this though? The good news is AWS and other cloud providers have frameworks and standards for you to follow. Shared Responsibility models and Well-Architected frameworks can help you build the technology component of this plan. Assuredly you’ll have to build the non-technical “program” – but each business will want unique controls surrounding their operations. Either way, best to start now in order to weave infosec into your daily operations.
Inevitably, our discussion centered around cloud migrations, because as companies modernize, or undergo a digital transformation, cloud becomes a mandatory component. Here’s where the discussion with Merritt’s foundation from her customer portfolio came into view – all of the discussions she’s having with companies today involve a migration, or cloud-native strategy. With this being the case, how does an enterprise migrate?
Carefully. Not slowly, but rather with planning and a mindful approach – AND with information security in mind. One of the pillars of AWS’ Well-Architected Frameworks is, in fact, “Security” – demonstrating its pivotal role in digital transformations. Growing up in the era of cloud (which, by the way, started in 2006) is something your organization must embrace. The maturation which is happening, at a global scale, is proving to be efficient and cost-effective. Your organization’s partners as well as your competition are using the cloud, and your journey out of the traditional datacenter is not as scary as it was a decade ago (read another way: It’s no longer “if”, but “when”).
Cloud adoption, cloud migration, cloud services and workloads – integrate these into your vocabulary, learn about them, get some free certifications from cloud providers or your partners. Merritt has conversations both internal to AWS and with their customer base and is seeing all sorts of high-tech implementations of services made easy for you to adopt. Not ready for AI yet? No problem, let an AWS service for your identity management embed and de-mystify the AI for you, with a pretty front-end and business-common language.
Our conversation was a delight, and reinforced what Trend is seeing: It’s time to migrate, update and get your organization into the cloud.