Don’t let the IT skills gap hold back cloud security

The years-long IT talent shortage isn’t a trend: it’s now the status quo. The World Economic Forum reports a shortfall of 3.4 million cybersecurity experts, a problem the industry won't soon solve.

Yes, the skills gap burdens understaffed IT security teams tremendously, but don’t let that become an excuse for lacking effective cloud security outcomes. While many companies can’t hire additional personnel, there are other ways to harden the organization’s cloud security posture. Building resilience while short-staffed will require recalibrating the company’s security strategies.

Today's strapped security teams must adapt as developers often build cloud infrastructure to meet business needs at a rapid pace, with each change posing potential misconfiguration risks. In this new threat landscape, the security team can no longer protect an organization’s cloud infrastructure alone. Cloud security and building resilience from the get-go must become everyone’s responsibility.

In a world where breaches are inevitable and security teams are spread thin, it’s also essential to implement a more proactive approach to securing cloud infrastructure than the model organizations have relied on for decades. Security teams can’t set up a network perimeter and monitor for attacks because there’s no perimeter around the cloud infrastructure. They have to verify the access and authentication with every call made. No matter how many security personnel the company employs or the technologies implemented, there’s no way to prevent 100% of all attackers from finding and exploiting a vulnerability—a breach will occur, if one hasn’t already. The enterprise must now focus on risk management and not trying to resolve every potential vulnerability and suspicious activity. Enterprise networks are dynamic and what was a top-of mind-issue last week can dramatically change this week because of evolving macro conditions, industry, or the company itself.

Companies can raise awareness by conducting tabletop exercises—discussion-based sessions on emergency scenarios like data breaches. If the organization never held a tabletop exercise, the National Institute of Standards and Technology (NIST) offers a comprehensive guide to get the team started.

Other proactive measures can also help ensure the organization is more agile when responding to potential breaches. I recommend regularly conducting penetration tests to simulate attacks and to identify vulnerabilities. These tests can discover weaknesses before malicious attackers do, thereby improving an organization's overall security posture. Additionally, hold regular employee education and training sessions, not just once during the new employee onboarding process. Make everyone in the organization an extension of the security team.

Implement zero-trust segmentation

While it’s important to educate the company and bring important stakeholders into the security process, it’s just as crucial to adopt security models that cater to the rapidly-evolving digital landscape. Again, teams need to make cloud security an enterprisewide responsibility because unlike traditional data centers where security teams hold all the control, the public cloud democratizes network security. This necessitates new strategies to establish security “guardrails” that protect the cloud, don’t interfere with developers’ work, and scale automatically. Defining these guardrails that work across the multi-cloud environment offers security teams the confidence and freedom to focus on their core responsibilities of supporting the businesses. A zero-trust segmentation (ZTS) approach checks all of those boxes because it's so efficient and doesn't require security personnel to undergo additional training.

As large enterprises focus on hybrid growth, they must adopt a new combination of approach and technology that applies the principles of a zero-trust framework—one that revolves around the idea of not automatically trusting anything, whether inside or outside the perimeter. Instead, they should verify everything trying to connect to their systems before granting access, assume a breach will occur, and change their focus from the unrealistic goal of preventing 100% of intrusions to minimizing the impact of inevitable breaches.

ZTS has become a crucial element in a defense strategy that epitomizes the principles of an effective zero-trust program. It lets organizations logically divide their data centers and cloud environments into smaller, more isolated zones to contain attacks automatically. The team wants to prevent potential threats from moving around and minimize the risk of unauthorized access to sensitive areas of an organization's environment. It’s also efficient and provides quick, meaningful wins for stretched security teams looking to reduce risk

I’ve described several changes impacting the effectiveness and efficiency of any organization’s cloud security posture. Unfortunately, what's still the same is that the CISO (and, by extension, the security team) shoulders the blame for a breach. We must stop this blame game: it’s counterproductive and does nothing to reduce risk. 

The persistent IT talent shortage should not dictate the outcomes of the organization’s cloud security efforts. Adopting advanced security models like ZTS, fostering an organizationwide sense of shared responsibility, and leveraging proactive strategies can help bridge the skills gap effectively. While the IT talent shortage has become the status quo, with the right strategies and shared efforts, organizations don’t have to live with poor cloud security outcomes.

Sudha Iyer, vice president, security product management, Illumio