Rethink cloud security attitudes, says CISO

Security professionals should educate themselves more about cloud security, REA Group chief information security officer Craig Templeton has told iTWire.

Templeton thinks there is a "fear and loathing" of the cloud among security professionals. This is partly because many of them have an infrastructure-centric view of the world, and so they get hung up on "who is turning the knobs".

Security professionals in regulated industries took a while to come to terms with compliance issues in the context of the cloud, but the regulators have nothing against the cloud, he said.

"At the end of the day, they [security professionals] are managing risk," he said, so they should be thinking in terms of improving resilience.

Templeton suggested the migration to the cloud is following the same trajectory as outsourcing did. There are the early adopters, the sceptics (usually the result of a lack of education), and the holdouts (particularly those in regulated industries, although they will eventually move if no problems are apparent).

We are probably in the middle of the second wave, he said, as even the Australian Government has adopted a "cloud first" policy. (See also NAB goes AWS – the bank is in the midst of a three-year cloud-first transformation.)

There are "some really cool Aussie start-ups in the security space" that REA has been using, said Templeton. There's a risk that they will be acquired by "stupid" companies, but he plans to keep using them while he can. Security start-ups need to be "wired" the right way to be effective, and the imposition of other corporate cultures can counteract that.

Furthermore, Australian start-ups tend to move to the US as customers there are prepared to accept the slightly higher level of risk associated with a new business, providing the product addresses a problem they are experiencing.

Another consideration stems from the way cloud security products are usually delivered from the cloud. This means an organisation can subscribe for a period, and then quickly switch to a different product when the threat changes. This is in contrast with on-premises security products, which generally require an upfront investment and therefore have to be "sweated" before their replacement can be financially justified.

Attackers are using the cloud, so defenders should be following suit, Templeton said. Just as cyber crime has been commoditised thanks in part to the cloud, the cloud also enables lower cost and faster paced protection.

Attackers are using various types of automation, including bots, so rules-based defences are inadequate because it is impossible to write new rules fast enough. New approaches that can automate responses are required instead, and REA (the company behind realestate.com.au and related Web sites) is focusing a lot of its security efforts in this area.

Being a pure digital business with one million visitors per week, REA is an attractive target, he said.

While it's hard to do security better than a specialist provider (the large cloud providers have more and better security professionals on staff than most of their customers could afford), there is a risk that the "blast radius" of a successful attack on another of your cloud provider's customers could also include part of your operation, so that should be taken into consideration when making plans.

Another potential trap is "one size fits all" thinking. Even if two companies are in the same industry, a given set of security measures might not suit them equally well. Relevant regulations may impose the same baseline measures on them both, but some of the specified measures may do nothing to improve the security at one of them. A better way of looking at the issue could be to follow the example of increasingly personalised cancer treatments, he suggested.

Drawing another analogy, Templeton said cyber risk is like climate change. You can't see it, but the signs are around you. And while some people feel they can't do anything that will make a real difference, they need to be persuaded to adopt strategies that will keep themselves — and their organisations — safe.

"Everybody has to contribute" in some way, he said.

The writer attended AWS re:Invent as a guest of AWS, and interviewed Craig Templeton during the event.



Stephen Withers


Stephen Withers is one of Australia's most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.
