This is the third and final blog in our series drawing on the wit and wisdom of the CISOs attending the recent ClubCISO Cyber Celebration. In our previous blogs, we covered the state of the nation in cyber and best practice in how to influence the opinions and behaviours of boards and end users from the CISO’s perspective. Here, we wrap up our exploration of the CISO’s psyche with a focused look at their thoughts on surviving and thriving in the modern workplace.
And that’s a good starting point. What actually is a “modern” workplace? According to one CISO, “It doesn’t mean moving to the cloud.” That’s because we’ve already done it – by and large. What small remnants of on-site and in-office working there might have been were blown away by the pandemic. CISOs have had to change their security plans, just as we have all had to change our working patterns.
But there is a difference. Cloud strategies were once defined and then delivered in a planned way. Today, one CISO summed up the modern organisation superbly: “Cloud is now just done.” This is all good for supporters of digital transformation and agile working, but perhaps not so good for those who like to stay in control of risk. But it is the reality.
The debate at the Cyber Celebration was very healthy (and perhaps fuelled by a cocktail or two). As an aside, I also can’t wait for the follow-up discussion in the ClubCISO annual survey meeting and analysis session in March. But, in the meantime, here are some of the best nuggets of advice from the Celebration debate to ponder over.
- You are in the cloud whether you like it or not. If you don’t think your organisation is fully cloud, then you probably have a shadow IT problem without knowing it.
- Cloud is not a revolution or even an evolution. The risk has always existed in data centres. After all, the cloud is just someone else’s computer.
- If you are writing application-specific policies, then you are missing the point. It’s all about people, culture and innovation. Your policies should be high-level enough to cover changes in the tech stack.
- Enjoy the innovation we are experiencing at the moment. This is an opportunity, not a problem to be solved. As one CISO said: “It’s now more about guardrails to manage its (cloud’s) growth and evolution, whilst still enjoying the innovation.”
- Don’t pull the brake lever, but have one hand on it just in case.
- Finally, don’t overly worry about development teams and cloud strategists “winging it”. CISOs agreed that everyone is winging it at the moment. And that’s probably a very good thing.
If you’re an information security leader and interested in benchmarking your organisation’s security maturity against your peers anonymously, join our ClubCISO community to take part in the upcoming Information Security Maturity Survey 2021.