People have traditionally focused on prevention. As the industry evolves, they know that cloud attackers are getting smarter and smarter. They know that eventually they are going to need to focus not only on prevention but on detection as well.
When you talk to a lot of CIOs, there are tons and tons of challenges for them in moving their organization to the cloud. Whether it starts with risk, compliance, PII, Sarbanes-Oxley, HIPAA, whatever that may be, those compliance factors generally end up being a bottleneck and don't let them move that part of the business forward. But they do realize that as CAPEX is starting to decrease and OPEX is starting to increase, more CFOs, not just CIOs, are looking for that operational expenditure.
So they're forcing CIOs to start going down the path of using cloud services so that they have a predictable spend, so that they don't have this burst of $10 million in hardware that they then end up depreciating over 3 years. So more and more CIOs and CISOs are being pressured into going into the cloud; however, security is still a major concern.
Now the other thing is, as you start to talk to developers, one of the challenges that you end up getting as an IT professional, or as someone who is running the security program, is that developers just want what they want when they want it. So when a developer is asking for PaaS or asking for IaaS, they're not necessarily worried about patching, security, vulnerabilities, those kinds of things. So the threat vectors in the cloud have started to evolve and change.
So as a developer now starts to provision a database or a website, what ends up happening is that those developers don't necessarily look at the back end and the security compliance that they have to adhere to. Those are some of the challenges that IT pros face as well in the security program.