Determining the CISO's cloud procurement and security responsibilities

The CISO has an important role to play in the cloud procurement process. After all, with several surveys continuing to show CIOs' biggest fears about the cloud revolve around security, who better to provide input than the information security gatekeeper?

Yet all too often, cloud procurement is already in the works before the CISO even knows it's happening. The relationship between the CIO and the CISO is not traditionally a close one, if it exists at all. As a result, the CISO being left out of the cloud procurement loop is not uncommon.

It doesn't have to be that way, and it's certainly not good for business, said Edward Ferrara, a principal analyst with Cambridge, Mass.-based Forrester Research Inc. How to change it? Ferrara believes it's absolutely essential that the CISO get involved in cloud procurement -- even if it means inviting themselves to the party.

Relationships are crucial

Historically, CISOs have been late invitees to the cloud procurement process, Ferrara noted. Oftentimes, contracts to engage a cloud provider are well underway before the security office is even consulted.

"In order for CISOs to be effective, they must have effective relationships with sourcing and vendor management full stop," Ferrara said.

When working with third parties, security evaluation should be implicit in the vendor management contracting process, Ferrara said. If it's not, then the effectiveness of any work the CISO might do once the contract is close to being signed is going to be questionable, he added.

Security officers, he said, have to work with the sourcing and vendor partners in their organization to make sure they're included early on in order to influence and actually implement security controls. This includes vendor selection, so that when an RFI or RFP goes out the correct security controls are already outlined clearly.

"Making sure those security controls are included is absolutely essential. The security officer needs to do that, it's really job one," Ferrara said.

Have a cloud procurement review process down pat

Once a short list of vendors is selected for the RFI or RFP process, it's vital that the CISO be ready with an effective and efficient evaluation process. That process reviews the short list to verify that the security controls each vendor claims to have are, in fact, in place.

"It could be as simple as a review of their SOC 2 report, or it could go up to and include an on-site assessment to audit their controls," Ferrara said. "It will depend on the size of the agreement, the sensitivity of the workloads from an intellectual property and/or process perspective, and the urgency of the business to get the agreement signed."

Without this ability, the cloud procurement process is slowed once it hits the security office. The CISO will then be seen as a business disabler rather than a business enabler, creating the potential for big problems down the road.

Continued vigilance necessary

The CISO's role in the cloud procurement process doesn't end once vendors are vetted. Once that relationship is established, the CISO should be prepared to be in it for the long haul. The review process used to select the vendor should be carried out periodically, at established intervals, to make sure the same security controls remain in place and are being executed effectively.

Further, if the organization's own unique IT security controls, policies, procedures and guidelines apply to the cloud service provider's services, it's also the CISO's responsibility to conduct periodic reviews that ensure continued compliance.

"The CISO has an equal responsibility throughout the procurement, and then the operation of the cloud environment," Ferrara said. "The reality is, with a credit card you can go out and buy some of these services and spin up a pretty substantial data center … so this is as much an internal governance issue in the sense of how IT is procured and used, as it is specifically a security problem."

Let us know what you think about the story; email Karen Goulart, features writer.

This was first published in July 2013
