Having silos of IT "doesn't work when you go to the cloud," he observed. Developers don't do everything securely, and the relative newness of concepts such as infrastructure as code and rap[id software development mean "the security aspects aren't well understood.
At the same time, IT security teams don't always have visibility of what developers are doing.
But cloud security is "not necessarily harder than normal security, just different," he said.
Compliance is important, and those involved need to understand risks and what's required in terms of reporting and auditability.
It's also important to understand the shared responsibility model. For example, a cloud provider will ensure the physical security of its data centres, but it's up to the clients to control access to their systems.
Getting that wrong comes at a cost. Even some telco-class organisations and companies that were born in the cloud have been known to make mistakes. One of the most common types of error is misconfigurations such as leaving an S3 bucket open to the world, said McCluney.
There are (at least) three ways of dealing with this. You can create your own security tools or adopt open source tools, but either way some degree of ongoing maintenance is required, and that's probably not part of your core business.
The other two approaches are to outsource cloud security, or to buy a suitable tool and use it yourself.
Either way, there is a cost. And can you trust a third party, and can they do everything you need, he asks. The answers aren't obvious, so some organisations turn to the big four consultancies for advice.
While cloud providers do offer plenty of advice, eg in the form of very detailed best-practice guides, tooling is required to put it into practice.
Trend Micro can provide that, with tools that embody hundreds of rules to check you are compliant.
Even then, some organisations will need help with implementation. McCluney suggests looking for a service provider that is certified by both the relevant cloud provider and the security tool vendor.
"Competent cloud partners tend to be competent cloud security partners," he observed.
McCluney suggested that Trend Micro Cloud One (which covers network inspection, IPS and more) can be an important part of securely combining cloud and on-premises capabilities, along with XDR ("like the security cameras at the airport") to combine telemetry from multiple sources in order to detect suspicious activity.
Combining the data gives " a joined-up story" in circumstances where any single event would be unremarkable, but their occurrence in a particular sequence indicates something is amiss.