Monday, 10 December 2018 16:30

Rethink cloud security attitudes, says CISO


Security professionals should educate themselves more about cloud security, REA Group chief information security officer Craig Templeton has told iTWire.

Templeton thinks there is a "fear and loathing" of the cloud among security professionals. This is partly because many of them have an infrastructure-centric view of the world, and so they get hung up on "who is turning the knobs".

Security professionals in regulated industries took a while to come to terms with compliance issues in the context of the cloud, but the regulators have nothing against the cloud, he said.

"At the end of the day, they [security professionals] are managing risk," he said, so they should be thinking in terms of improving resilience.

Templeton suggested the migration to the cloud is following the same trajectory as outsourcing did. There are the early adopters, the sceptics (usually the result of a lack of education), and the holdouts (particularly those in regulated industries, although they will eventually move if no problems are apparent).

We are probably in the middle of the second wave, he said, as even the Australian Government has adopted a "cloud first" policy. (See also NAB goes AWS – the bank is in the midst of a three-year cloud-first transformation.)

There are "some really cool Aussie start-ups in the security space" that REA has been using, said Templeton. There's a risk that they will be acquired by "stupid" companies, but he plans to keep using them while he can. Security start-ups need to be "wired" the right way to be effective, and the imposition of other corporate cultures can counteract that.

Furthermore, Australian start-ups tend to move to the US as customers there are prepared to accept the slightly higher level of risk associated with a new business, providing the product addresses a problem they are experiencing.

Another consideration stems from the way cloud security products are usually delivered from the cloud. This means an organisation can subscribe for a period, and then quickly switch to a different product when the threat changes. This is in contrast with on-premises security products, which generally require an upfront investment and therefore have to be "sweated" before their replacement can be financially justified.

Attackers are using the cloud, so defenders should be following suit, Templeton said. Just as cyber crime has been commoditised thanks in part to the cloud, the cloud also enables lower cost and faster paced protection.

Attackers are using various types of automation, including bots, so rules-based defences are inadequate because it is impossible to write new rules fast enough. New approaches that can automate responses are required instead, and REA (the company behind and related Web sites) is focusing a lot of its security efforts in this area.

Being a pure digital business with one million visitors per week, REA is an attractive target, he said.

While it's hard to do security better than a specialist provider (the large cloud providers have more and better security professionals on staff than most of their customers could afford), there is a risk that the "blast radius" of a successful attack on another of your cloud provider's customers could also include part of your operation, so that should be taken into consideration when making plans.

Another potential trap is "one size fits all" thinking. Even if two companies are in the same industry, a given set of security measures might not suit them equally well. Relevant regulations may impose the same baseline measures on them both, but some of the specified measures may do nothing to improve the security at one of them. A better way of looking at the issue could be to follow the example of increasingly personalised cancer treatments, he suggested.

Drawing another analogy, Templeton said cyber risk is like climate change. You can't see it, but the signs are around you. And while some people feel they can't do anything that will make a real difference, they need to be persuaded to adopt strategies that will keep themselves — and their organisations — safe.

"Everybody has to contribute" in some way, he said.

The writer attended AWS re:Invent as a guest of AWS, and interviewed Craig Templeton during the event.




Stephen Withers


Stephen Withers is one of Australia's most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.


