Defining Organizational Cloud Security Responsibilities
Beyond the Shared Responsibility Model, it’s important to define individual responsibilities for cloud security within your organization and ensure everyone knows what is required. It’s not enough—and even a bit of a cliché—to simply say, “Security is everyone’s responsibility.”
Executive leadership teams must sponsor cloud security efforts. In today’s regulatory landscape, executive sponsorship is practically mandated. The potential financial impact to a business of regulatory noncompliance can be as devastating as (or worse than) a data breach itself. Beyond the financial penalties, many regulations carry criminal penalties for business executives and other fiduciaries of a business.
Executives must lead by example. If corporate policy requires corporate data on mobile devices to be encrypted and access to SaaS applications needs multi-factor authentication (MFA), then “one-off” exceptions shouldn’t be made for executives. Beyond leading by example, executives need to ensure that security and compliance initiatives have the appropriate support and resources, and that the impact of strategic business decisions on the overall security and compliance posture of the organization is always considered.
Security and compliance teams must define and enforce appropriate policies that securely enable the business. To be effective, security and compliance teams must understand and align with business goals and objectives, and they must not be a bottleneck to productivity and efficiency.
Line-of-business managers have a responsibility to ensure that the organization’s cloud security and compliance governance is understood and adhered to within their respective areas of the business. As business needs evolve, line-of-business managers should partner with security teams to evaluate the risk versus return of adopting new tools. Circumventing a security policy, such as a requirement to use only sanctioned SaaS applications, to achieve a short-term business objective or productivity goal should never be acceptable. Instead, the security tools should adapt to the business need and drive the desired user behavior.
Working with security and compliance teams also helps to ensure that individual lines of business are able to take advantage of any current relationships the organization may have with vendors or cloud providers to procure services more economically and get support quickly when it’s needed, instead of operating in a vacuum with siloed cloud technologies and products.
DevOps teams are under constant pressure to deliver software projects and updates quickly and reduce time to market. To meet these demands, security requirements must be defined and understood at the beginning of any project and, ideally, integrated into the application delivery workflow. In this way, development teams can continue moving forward without frequently having to stop and reset to address security vulnerabilities and compliance violations.
Individual end users have a responsibility to follow corporate governance with respect to cloud security and compliance. They must understand the inherent risks in the cloud and safeguard the data to which they have been entrusted as if it were their own personal data.