Your Enterprise Cloud Risk Management Cheat Sheet

Written by Fausto Lendeborg, Secberus

Picture this: It’s 2022, and cloud risk is no longer the elusive threat it once was. It is tamed through better understanding, faster mitigation and bold, policy-first strategy. Read on for three starter tips.

01

Understanding Comes First.

Understanding starts with asking yourself why. Why does there have to be a gap between our developers and the business? Why is what we’re currently doing not working? Why don’t other executives understand how security affects their roles?

But you also need to ask why not. Why not have one cohesive understanding of security that fosters a sense of collaboration and ownership at every level? Why not give developers the knowledge to mitigate risk? Why not practice the philosophy that security is business?

This all starts with context. Watch this one minute video on perspective to see what we mean.

02

Speed Isn’t A Choice.

You can have speed and security. This is not an either or conversation anymore.

When you match your security structure (people, process and tools) to enable delivery of the right context to the right person at the right time, you enable speed. You also enable the ability to understand, mitigate and account for risk at every stage of your security lifecycle. There are three pieces of the speed puzzle that you have to get right in order to do this.

The pieces are business-first policy statements, scalable, adaptable logic (security-as-code) and context-rich workflows. These will breed the right kind of speed in a complex, enterprise security practice. They also happen to the three pillars of cloud governance. You can read more about them in this brief blog post.

03

Rethink Your Strategy.

It’s 2022. And if how you are practicing security in your enterprise is not working as well as you’d like it, it’s time to get real and be honest with yourself. It’s not technically your fault. The system is broken, and it has been for awhile. Are you ready to flip your security practice around? Start practicing security from a business-first, policy approach; not a devops-approach. If you’re ready to make this change you will shift your culture from a DevOps culture to a DevSecOps culture, from a focus on the individual to a focus on the organization, from take your best guess problem solving to informed, confident problem solving. And the best part? You’ll speak everyone’s security language.

"A business will have good security if its corporate culture is correct. That depends on one thing: tone at the top. There will be no grassroots effort to overwhelm corporate neglect.”

- William Malik, VP and Research Area Director for Information Security at Gartner

This is how we change the culture of security.