Monday, 10 December 2018 16:30

Rethink cloud security attitudes, says CISO


Security professionals should educate themselves more about cloud security, REA Group chief information security officer Craig Templeton has told iTWire.

Templeton thinks there is a "fear and loathing" of the cloud among security professionals. This is partly because many of them have an infrastructure-centric view of the world, and so they get hung up on "who is turning the knobs".

Security professionals in regulated industries took a while to come to terms with compliance issues in the context of the cloud, but the regulators have nothing against the cloud, he said.

"At the end of the day, they [security professionals] are managing risk," he said, so they should be thinking in terms of improving resilience.

Templeton suggested the migration to the cloud is following the same trajectory as outsourcing did. There are the early adopters, the sceptics (usually the result of a lack of education), and the holdouts (particularly those in regulated industries, although they will eventually move if no problems are apparent).

We are probably in the middle of the second wave, he said, as even the Australian Government has adopted a "cloud first" policy. (See also NAB goes AWS – the bank is in the midst of a three-year cloud-first transformation.)

There are "some really cool Aussie start-ups in the security space" that REA has been using, said Templeton. There's a risk that they will be acquired by "stupid" companies, but he plans to keep using them while he can. Security start-ups need to be "wired" the right way to be effective, and the imposition of other corporate cultures can counteract that.

Furthermore, Australian start-ups tend to move to the US as customers there are prepared to accept the slightly higher level of risk associated with a new business, providing the product addresses a problem they are experiencing.

Another consideration stems from the way cloud security products are usually delivered from the cloud. This means an organisation can subscribe for a period, and then quickly switch to a different product when the threat changes. This is in contrast with on-premises security products, which generally require an upfront investment and therefore have to be "sweated" before their replacement can be financially justified.

Attackers are using the cloud, so defenders should be following suit, Templeton said. Just as cyber crime has been commoditised thanks in part to the cloud, the cloud also enables lower cost and faster paced protection.

Attackers are using various types of automation, including bots, so rules-based defences are inadequate because it is impossible to write new rules fast enough. New approaches that can automate responses are required instead, and REA (the company behind and related Web sites) is focusing a lot of its security efforts in this area.

Being a pure digital business with one million visitors per week, REA is an attractive target, he said.

While it's hard to do security better than a specialist provider (the large cloud providers have more and better security professionals on staff than most of their customers could afford), there is a risk that the "blast radius" of a successful attack on another of your cloud provider's customers could also include part of your operation, so that should be taken into consideration when making plans.

Another potential trap is "one size fits all" thinking. Even if two companies are in the same industry, a given set of security measures might not suit them equally well. Relevant regulations may impose the same baseline measures on them both, but some of the specified measures may do nothing to improve the security at one of them. A better way of looking at the issue could be to follow the example of increasingly personalised cancer treatments, he suggested.

Drawing another analogy, Templeton said cyber risk is like climate change. You can't see it, but the signs are around you. And while some people feel they can't do anything that will make a real difference, they need to be persuaded to adopt strategies that will keep themselves — and their organisations — safe.

"Everybody has to contribute" in some way, he said.

The writer attended AWS re:Invent as a guest of AWS, and interviewed Craig Templeton during the event.




Stephen Withers


Stephen Withers is one of Australia's most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.


