Templeton thinks there is a "fear and loathing" of the cloud among security professionals. This is partly because many of them have an infrastructure-centric view of the world, and so they get hung up on "who is turning the knobs".
Security professionals in regulated industries took a while to come to terms with compliance issues in the context of the cloud, but the regulators have nothing against the cloud, he said.
"At the end of the day, they [security professionals] are managing risk," he said, so they should be thinking in terms of improving resilience.
We are probably in the middle of the second wave, he said, as even the Australian Government has adopted a "cloud first" policy. (See also NAB goes AWS – the bank is in the midst of a three-year cloud-first transformation.)
There are "some really cool Aussie start-ups in the security space" that REA has been using, said Templeton. There's a risk that they will be acquired by "stupid" companies, but he plans to keep using them while he can. Security start-ups need to be "wired" the right way to be effective, and the imposition of other corporate cultures can counteract that.
Furthermore, Australian start-ups tend to move to the US as customers there are prepared to accept the slightly higher level of risk associated with a new business, providing the product addresses a problem they are experiencing.
Another consideration stems from the way cloud security products are usually delivered from the cloud. This means an organisation can subscribe for a period, and then quickly switch to a different product when the threat changes. This is in contrast with on-premises security products, which generally require an upfront investment and therefore have to be "sweated" before their replacement can be financially justified.
Attackers are using the cloud, so defenders should be following suit, Templeton said. Just as cyber crime has been commoditised thanks in part to the cloud, the cloud also enables lower cost and faster paced protection.
Attackers are using various types of automation, including bots, so rules-based defences are inadequate because it is impossible to write new rules fast enough. New approaches that can automate responses are required instead, and REA (the company behind realestate.com.au and related Web sites) is focusing a lot of its security efforts in this area.
Being a pure digital business with one million visitors per week, REA is an attractive target, he said.
While it's hard to do security better than a specialist provider (the large cloud providers have more and better security professionals on staff than most of their customers could afford), there is a risk that the "blast radius" of a successful attack on another of your cloud provider's customers could also include part of your operation, so that should be taken into consideration when making plans.
Another potential trap is "one size fits all" thinking. Even if two companies are in the same industry, a given set of security measures might not suit them equally well. Relevant regulations may impose the same baseline measures on them both, but some of the specified measures may do nothing to improve the security at one of them. A better way of looking at the issue could be to follow the example of increasingly personalised cancer treatments, he suggested.
Drawing another analogy, Templeton said cyber risk is like climate change. You can't see it, but the signs are around you. And while some people feel they can't do anything that will make a real difference, they need to be persuaded to adopt strategies that will keep themselves — and their organisations — safe.
"Everybody has to contribute" in some way, he said.
The writer attended AWS re:Invent as a guest of AWS, and interviewed Craig Templeton during the event.