Securing the Cloud: What Can We Learn from Some of the World’s Best CISOs

Enterprises looking to accelerate their cloud journeys need to ensure the CISOs are part of the process of creating foundational building blocks because cybersecurity risks are at an all-time high

As enterprises accelerate their digital transformation in the cloud and apply deep data science for turning reams of data into actionable insights, they face unprecedented threats to securing their precious datasets.

Sometimes, the pace of innovation offered by the cloud takes the attention away from the need to involve the CISOs right from the start. “I think getting cloud security by design, whether it was there before the cloud era or now post cloud era, is a big significant challenge, huge challenge. There is a need for widespread awareness and to establish accountability on all the stakeholders,” said Vishal Salvi, CISO & Head of Cyber Practice at Infosys.

It’s not just the valuable data that is at risk from internal and external threats. According to a joint cybersecurity and brand value impact report by Infosys and Interbrand, the potential loss in brand value from a data breach to the world’s 100 most valuable brands could amount to as much as $223 billion.

Data Breaches: the Brand Impact

“Most studies on data breaches tend to focus on the immediate costs to businesses – drop in profits or loss in revenues. However, the real impact on businesses could run much deeper as breaches can affect the long-term relationship between the customers and the brand,” the report said.

For its part, Infosys brings together a group of some of the world’s best CISOs as part of the company’s mission to enable businesses to share the best practices. Curated by Vishal Salvi, a group of over a dozen CISOs from across the verticals of manufacturing, energy, healthcare, and financial services are continuously deliberating ways to navigate the existing challenges.

Here are the biggest challenges faced by enterprises globally and the best practices in navigating the risks, as the Infosys CISO Council articulated.

Zero Trust is a good starting point.

Ever since John Kindervag at Forrester Research defined Zero Trust in 2010, enterprise security researchers have been pushing the concept, sometimes oversimplifying the narrative about why enterprises should trust no one. But in a world without boundaries, especially when customers, employees and partners are spread globally, it is not an easy policy to embrace. Zero Trust needs a more nuanced, more sophisticated execution strategy.

Contextual control prevents leaks by blocking unauthorized attempts to transmit data

An excellent way to practice Zero Trust is to start by assuming that the enterprise is continuously under attack. The lack of physical control that enterprises have in the cloud, together with API-driven cloud platforms, has displaced traditional perimeter-based security and made user identities the new perimeter. Strengthening the identity life cycle with next-generation controls such as conditional access is therefore a key tenet of Zero Trust. As many analysts have suggested, the insider threat has become more prominent than external threats. The next step of Zero Trust is to ensure that internal networks and the traffic they generate are not trusted by default, so that cyber threats traversing east-west traffic are also contained. The good news is that such solutions thrive in cloud environments.
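The following is an added illustration, not code from the article or from Infosys: a minimal conditional-access evaluator in the Zero Trust style described above. Every request is judged on identity, device posture and authentication strength, and the network it arrives from (corporate LAN, VPN or internet) earns no implicit trust; the request fields, group name and sensitivity labels are constructed for the example.

```python
"""Added example: a conditional-access decision function in which no network
location is trusted by default. All request data is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset            # entitlements from the identity provider
    mfa_verified: bool           # strong authentication asserted for this session
    device_compliant: bool       # e.g. managed, patched, disk encrypted
    network: str                 # "corp-lan", "vpn" or "internet" (constructed labels)
    resource_sensitivity: str    # "low" or "high"


# Hypothetical group that is entitled to high-sensitivity datasets.
HIGH_SENSITIVITY_GROUP = "data-analysts"


def evaluate(req: AccessRequest) -> tuple:
    """Return (decision, reason). Decisions are 'allow', 'step-up' or 'deny'.

    Note that req.network is deliberately never consulted for trust: a request
    from the corporate LAN (east-west traffic) passes exactly the same checks as
    one from the internet, which is the Zero Trust point made in the text."""
    # Identity first: the user must be entitled to the resource at all.
    if req.resource_sensitivity == "high" and HIGH_SENSITIVITY_GROUP not in req.groups:
        return "deny", "no entitlement for high-sensitivity data"
    # Device posture is enforced regardless of source network.
    if not req.device_compliant:
        return "deny", "non-compliant device"
    # High-sensitivity data requires strong authentication; a missing MFA
    # assertion triggers step-up rather than a silent allow or a hard deny.
    if req.resource_sensitivity == "high" and not req.mfa_verified:
        return "step-up", "MFA required for high-sensitivity data"
    return "allow", "all conditions satisfied"


if __name__ == "__main__":
    # Constructed sample: same user and resource, only the source network differs.
    for net in ("corp-lan", "internet"):
        r = AccessRequest("alice", frozenset({HIGH_SENSITIVITY_GROUP}),
                          mfa_verified=False, device_compliant=True,
                          network=net, resource_sensitivity="high")
        print(net, "->", evaluate(r))
```

Both sample requests yield the same step-up decision, which is the observable property of a policy that does not trust the internal network by default.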

WFH doesn’t make it easy

Digital transformation has only accelerated over the past year, increasing the demand for cloud computing, which has taken center stage for innovation. However, this has also resulted in newer cloud security challenges, especially with more employees working from their homes. Add to that an increasing pool of consultants and freelancers hired by the companies for faster deployments.

“With the adoption of cloud, especially when we talk about software-as-a-service, you know a lot of those traditional books are no longer applicable because business teams can bypass and directly go and consume the services,” said Vishal Salvi, CISO & Head of Cyber Practice at Infosys.

Automating cloud security at scale

One of the most significant advantages of cloud computing is how it empowers decision-makers across the departments and increases the sheer pace of innovation. This also means an on-demand environment with the near-real-time crunching of data into actionable insights. For the CISOs, this means ensuring that the speed of decision-making and innovation is not affected.

At scale, the traditional models of implementing security controls fail spectacularly, according to the CISOs, because they curtail the speed of decision-making and innovation. Instead, cloud security needs to move from merely operating security controls to engineering solutions. Auto-scaling capabilities and the programmable security within cloud platforms can secure the cloud while keeping pace with digitization and cloud adoption.

How do you democratize security?

If you take Zero Trust literally, it can challenge businesses’ very existence; they cannot operate without a level of trust. So how can companies go beyond putting faith in their own engineered cloud security solutions to a world where some of the best security minds aren’t even on their payroll?

There are enterprise security lessons offered by the playbooks of some of the world’s biggest consumer internet companies such as Facebook, Google, and Apple. They run bounty programs for ethical hackers to find security loopholes in their systems.

“We have to secure the internet to secure yourself, which looks like a stupendous task because you're securing something which is beyond you. But, more importantly, if you want to democratize security because the surface area of what you want to cover is so high, you have to take a very different paradigm to security,” said Ravi Kumar S., president at Infosys.

Security as code

According to McKinsey, traditional security architectures “break down as companies adopt public cloud platforms.” While infrastructure as code brings automation and mitigates the risks of manual configuration, security as code enhances it further programmatically.

The most critical aspect of security as code is that it aligns CISOs even more tightly with the business functions and positions them as enablers, not the stumbling blocks that slow the transformation. Additionally, it helps to achieve “security by design” from day zero of cloud transformation programs and to embed “built-in security” rather than bolt-on security.
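As an added example (not code from the article, Infosys or McKinsey), this is what "security as code" looks like in practice: codified policy evaluated automatically against an infrastructure-as-code definition before it is deployed, with a weak definition shown beside its hardened form. The configuration format, resource fields and rule names are invented for illustration.

```python
"""Added example: a security-as-code gate that evaluates an infrastructure
definition against codified policy. Both definitions are constructed samples."""
import json

# Constructed "before" definition: a data bucket readable by anyone, stored
# unencrypted, and an administrative port exposed to the whole internet.
WEAK = json.loads("""{
  "buckets": [{"name": "analytics-raw", "public_read": true, "encrypted": false}],
  "firewall_rules": [{"name": "ssh-any", "port": 22, "source": "0.0.0.0/0"}]
}""")

# Constructed "after" definition that the same policy accepts.
HARDENED = json.loads("""{
  "buckets": [{"name": "analytics-raw", "public_read": false, "encrypted": true}],
  "firewall_rules": [{"name": "ssh-admin", "port": 22, "source": "10.0.0.0/8"}]
}""")

ADMIN_PORTS = {22, 3389}          # SSH and RDP
ANY_SOURCE = "0.0.0.0/0"


def check_bucket(bucket):
    """Policy: no public read access, encryption at rest always on."""
    if bucket.get("public_read"):
        yield f"bucket {bucket['name']}: public read access enabled"
    if not bucket.get("encrypted"):
        yield f"bucket {bucket['name']}: encryption at rest disabled"


def check_firewall(rule):
    """Policy: administrative ports are never reachable from any source."""
    if rule["port"] in ADMIN_PORTS and rule["source"] == ANY_SOURCE:
        yield f"firewall rule {rule['name']}: admin port {rule['port']} open to {ANY_SOURCE}"


def evaluate(config):
    """Return the list of policy violations; an empty list passes the gate."""
    findings = []
    for bucket in config.get("buckets", []):
        findings.extend(check_bucket(bucket))
    for rule in config.get("firewall_rules", []):
        findings.extend(check_firewall(rule))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        findings = evaluate(cfg)
        print(f"{label}: {'FAIL' if findings else 'PASS'}")
        for finding in findings:
            print("  -", finding)
```

In a pipeline the non-empty findings list would block the deployment, which is how the control runs at the speed of the business rather than as a manual review step.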