Who should the CISO report to, and other CloudSec 2019 takeaways

Cloud computing has become widely accepted by Canadian businesses, but that doesn’t mean they’ve figured out how to use it effectively, or more importantly, how to secure their data floating around in someone else’s computer.

The second annual CloudSec event hosted by Trend Micro last week yielded valuable insight from industry leaders both on stage and during breakout sessions throughout the Fermenting Cellars in Toronto’s brewery district.

We’ve compiled some of the day’s biggest takeaways.

We still don’t really know who the chief information security officer is supposed to report to

When asked who CISOs should be reporting to and why, an expert group of panelists suggested that, to this day, the answer remains a moving target.

Michael Ball, a CISO and cybersecurity consultant, said CISOs need a direct line to the top, whether that’s through the chief information officer, or through an actual seat at the C-suite table. “Cybersecurity is not an IT issue, it’s a business issue,” said Ball.

But there are a surprising number of complexities surrounding how the CISO is positioned within the organization. One of the biggest simply comes down to salary – many corporations don’t want to have another C-suite position, accompanied by a C-suite salary, added to the books. In this case they’ll bump the salary down and have the CISO report directly to the CIO.

Randy Purse, director of cybersecurity standards for ITAC, said that’s why you’ll often see the CISO’s budget reports handed off to the CIO, who then passes on the information to the rest of the board.

“Sometimes the board won’t even know the existence of the CISO,” he said.

There’s no one-size-fits-all solution to this, indicated Lakshmi Hanspal, CISO for Box, but CISOs – or whatever the organization ultimately names the position – have to have a clear end-to-end view of the business.

“You don’t just want to hire a scapegoat for when things go wrong – it can’t just be a checklist hire,” she told IT World Canada.

Lakshmi Hanspal, CISO for Box, opens with her keynote Sept. 19. Photo by Paul Darrow.

Being a CISO is hard

While the CISO role has been around since the 90s, the responsibilities that go along with the title have changed.

Today, CISOs identify, develop, implement, oversee, and maintain a company’s information security program. This includes setting out procedures and policies that protect the company’s communications, systems, and assets from information technology risks and threats.

Balancing these responsibilities requires some of the finest juggling known to man, and this was perhaps never clearer than when audience members participated in a little choose-your-own-adventure game about a recently hired CISO doing everything he can to keep a hospital’s data secure.

As you will discover in this thread, the audience failed to protect the hospital.

Canada is maybe, sorta, probably, a little bit behind in public cloud

Canada is often described as a bit of a laggard when it comes to technology adoption, including cloud. But according to Mark Nunnikhoven, vice-president of cloud research at Trend Micro, there’s actually little concrete data that supports this.

“It really depends on who you ask,” he said. “There’s lots of global data on this. And another question that we need to ask ourselves even today is ‘what is cloud?’ Because depending on who you ask, you’ll hear different things.”

He threw some light shade at marketing teams who are known to overuse buzzwords in tech, making it difficult to quantify an organization’s cloud capabilities.

Mark Nunnikhoven, vice-president of cloud research at Trend Micro, says there’s actually little concrete data that support the theory that Canada is behind on cloud. Photo by Paul Darrow.

“DevOps is a big one nowadays,” he said, referring to the current buzzwords.

When asked to provide a personal estimation on Canada’s cloud posture, Nunnikhoven said he believed Canada was approximately five years behind in cloud adoption. Storage costs, the relatively new policies that companies are still trying to understand around reporting breaches (PIPEDA, for example), and of course, a lack of talent, all contribute to this estimation.

“Moving into the cloud means changing your processes. We’ve developed a bunch of bad habits over the years we’ve been deploying IT,” he said.

One of those bad habits, Nunnikhoven pointed out, is the way developers, not just in Canada but around the world, leave the door open for others to log into production applications. Unauthorized access to an application or server can lead to very serious security problems, such as data leaks.

“You do not want to log into production, but every organization I visit around the world, log into production regularly,” he said.

Organizations still struggle to understand how the cloud works and what data is best suited to migrate, indicated Craig McQueen, senior director of innovation at Softchoice.

“It’s safe to say that 100 per cent of customers that move to the cloud at some point say ‘woah, these costs are not what I expected.’ This happens for a couple of reasons,” he said. “Developers, who in the past, never had to pay for infrastructure, that was someone else’s job, are all of a sudden able to provision the infrastructure on their own. There’s an initial cultural spending shock because people are buying stuff who didn’t before, and in a sense, they’re not really buying it, they’re starting to use it and getting billed for it later.”

Niche cloud players have an opportunity to fill a gap in Canada

Google, AWS, and Azure have a firm grip on the public cloud market, but in Canada, there are a number of potential opportunities for niche cloud players to fill the gap, according to Nunnikhoven.

“Geography is a challenge,” he explained. “When you’re using your phone, LTE drops off quickly, and as soon as you’re at the cottage, you drop to 3G.”

With the Big 3’s Canadian data centres located in southern Ontario and Quebec, users in British Columbia, for example, undoubtedly experience some lag when tapping into that extra compute power.

Compared to the U.S., Canada’s market size is tiny, but our ICT spending is actually significant.

“We’re actually boxing above our weight class,” he said. “Canadian companies are investing more in technology than the U.S. on average. But is that enough to attract more investment from the Big 3 cloud providers? Or is this an opportunity for niche cloud players to provide geographical differentiation?”

Alex Coop (http://www.itwc.ca)
Former Editorial Director for IT World Canada and its sister publications.
