The Cloud, The CISO Office, Lord Voldemort and Leicester City


No, this isn’t the most eclectic set of guests ever assembled for an episode of Come Dine with Me; it is my initial foray into the world of the CIO Water Cooler.

Since I announced via LinkedIn that I have moved roles and taken somewhat of a different path in my career, I have been sent many kind words of encouragement but also a number of questions about my motivations, the role and the organisation I have moved to.  It’s not that I don’t enjoy the sound of my own voice, but given that blogging is now a core part of my job (more on that later), I thought I’d kick off with answers to these questions in my own way.

The move and my two cents on cloud…

Up until very recently, I had plied my trade as a security professional in ‘end-user’ organisations.  If the ‘end-user’ colloquialism isn’t immediately obvious to you, you probably work in an end-user organisation.  By this, I mean a non-vendor role: working for an organisation and being responsible for the protection of its information assets in some way, shape or form.  I must have been doing something right because I have been fortunate enough to work for market-leading organisations across most industry sectors.  I have also covered the InfoSec spectrum, working in roles from engineer, designer, architect and manager through to head of function.  ‘Great Chris, a decent CV – so why the move at this stage of your career into the vendor world?’

I saw an opportunity to use my client-side experience in driving what the security solutions we use look like moving forward.  I am very proud of my achievements to date, be those global Active Directory deployments in the early days through to organisational security strategies and reference capability architectures, but now was the time to immerse myself within a company which has Cyber Security as its core business.

I wanted to be part of an organisation which is designing solutions for the cloud-first, mobile workforce.  As those who know me will attest, I firmly believe that cloud services allow organisations of all sizes to benefit from cost savings, increased flexibility and a significant reduction in capex-based expenditure.  What’s not to like?  Well, some will have you believe that cloud is bad – it’s insecure, apparently.

Some people are of the opinion that this ‘cloud’ is an omnipresent nemesis to those in the InfoSec community, a technological Lord Voldemort if you will (I am aware how sad I am); no wizards in Hogwarts dared utter his unmentionable name and our profession has historically adopted a similar stance for all things cloud.  I have heard everything from ‘cloud is insecure’ to ‘we don’t have a problem with shadow IT and cloud applications’.  The conversation is never this binary.

Of course there are insecure cloud configurations, and there are platforms which are inherently inappropriate for critical business applications, but these setups are not reserved for the world of cloud – they often exist behind the trusted firewalls of the organisational perimeter.

What is important is the deployment of security controls commensurate with the classification of the information being stored, transmitted or processed.  Cloud reticence is understandable – we (I’m speaking broadly about the information security community here) have been indoctrinated into thinking that the only way to protect our data is to lock it down.

I would agree that the most effective route to total security is to remove access and ring-fence our data repositories, but this approach is diametrically opposed to the strategic direction our businesses are taking through big-data initiatives and always-on, ubiquitous mobile application access.  We must strike a balance between protecting information assets and allowing our businesses to flourish through the weird, wonderful and innovative ways they can engage with customers and clients.

The way we do business has evolved.  The tools we use to carry out our daily lives have changed dramatically over the 18 years I’ve been employed.  I remember being a teenager and thinking my Philips Savvy mobile phone was the denouement in a quest for engineering perfection; it made phone calls and, with a day’s worth of perseverance, you could send an SMS!  Fast-forward 18 years and making calls is almost an auxiliary function for these computers in our pockets.  We use computers on the move and outside of the data centre.  We need security solutions which support our business goals and can be applied on any device, in any location, on any network.

Organisations in all industry sectors are embracing cloud – regulators are on record as saying cloud can be securely adopted, and our end users are demanding a seamless, mobile experience in the workplace.

This blurring of ‘work’ and ‘home’ is rendering traditional approaches to cyber security ineffective and cost-prohibitive.  Enter Zscaler to provide end-user protection and put a perimeter around this dangerous Internet and the clouds contained therein.

The Office of the CISO

The Zscaler Office of the CISO is a global team engaging security executives at a peer level to drive best practices and facilitate industry-wide collaboration on emerging security topics. Our office also provides subject matter expertise through speaking engagements, blogging and media collaboration.

I look after our EMEA region and took the role on because I passionately believe that security controls for the mobile-enabled user belong in the cloud.  I couldn’t evangelise about something I didn’t believe in.  The traditional web security rhetoric outlines that URL Filtering and Signature-Based AV are a potent defence against the bad guys.  Used in isolation, they are not any more.

The threat landscape has changed, and whilst traditional controls have their place, so do Behavioural Analysis / Sandboxing, TLS Inspection, DLP, Machine Footprinting and Next-Generation Firewall.  The appliances we have racked and stacked in our data centres were not scaled to handle these contemporary requirements.  On-premises appliances also have no visibility of our remote / satellite user traffic unless we consider expensive MPLS backhauling to a hub site or break the bank for appliances in all locations.  Cloud computing needs cloud security.  Simple.

The CISO office is here to offer a strategic lens to the cloud security conversation.  If you see a LinkedIn request or an email from me – don’t panic!  It’s generally because I feel conversation would be mutually beneficial.  I have spent an entire career on your side of the fence and would welcome the opportunity to discuss all things cyber security and where I believe Zscaler’s unique offering could better protect your business.

And to finish…

I’ll leave you with a sporting analogy which is clearly mandatory in any Information Security post:

If ten years ago I had stated that in 2016 Leicester City would win the Premier League, I would have been greeted with puzzled looks and laughter from all in polite society.  The same incredulous views were the norm for all things ‘off-prem’ and cloud – it was an out-of-control ecosystem reserved for Shadow IT.  It was to be eradicated where possible.  Well, the football season is over and Leicester are champions (by ten points, no less), and on the other side of my comparison, recent cloud surveys suggest that cloud adoption in the enterprise is continuing to grow at a rapid rate and it is here to stay.  We have to embrace the move to cloud, but with the due diligence we would apply to any environment.

Lord Voldemort was ultimately rendered mortal and subsequently defeated (sorry for the spoiler) – similarly, I hope I can do my bit for the legacy perceptions of secure cloud computing.

Thanks for reading

@ChrisHInfosec

Christopher J Hodson M.Inst.ISP

My journey to CISO was initially more luck than judgement. I started out in the world of technology around 18 years ago within an IT position which ignited a professional enthusiasm for something which had always interested me when growing up: the inner workings of computers and the networks which support them. As experience grew and the professional certifications stacked up, I moved through the engineering, design, architecture and manager roles to where I am today. I am fortunate enough to have seen first-hand how our personal and professional reliance on technology has dramatically changed. Ten years ago, we as the IT department controlled what a user had access to and how they connected; now the user demands access to applications of their choosing, at a time they specify and on a device and platform they stipulate – oh how the tides have turned. How do we keep up? In most cases, it’s a challenge but not an insurmountable one. The external perception of information security has also changed dramatically throughout my career. Historically, as a function, we were seen as the expensive retrospective checkbox; now we’re a critically important business unit adding strategic value. Our boards demand that we make their organisations ‘secure’ but don’t want esoteric technobabble in the way of business justification. The CISO these days must have a professional toolkit of astute business leader and technical guru, and possess a PhD in PowerPoint. Consensus suggests that staying technical and having senior management responsibility are in some way mutually exclusive; I buck that trend. I believe the over-arching requirement of hands-on security leadership is to convey information security risks to board-level executives in terms which resonate with them and allow for balanced and considered risk management; a skill I have developed through engagement with a diverse range of stakeholders across market-leading organisations.
