The CISO has an important role to play in the cloud procurement process. After all, with several surveys continuing to show CIOs' biggest fears about the cloud revolve around security,
Yet all too often, cloud procurement is already in the works before the CISO even knows it's happening. The relationship between the CIO and the CISO is not traditionally a close one, if it exists at all. As a result, the CISO being left out of the cloud procurement loop is not uncommon.
It doesn't have to be that way, and it's certainly not good for business, said Edward Ferrara, a principal analyst with Cambridge, Mass.-based Forrester Research Inc. How to change it? Ferrara believes it's absolutely essential that the CISO get involved in cloud procurement -- even if it means inviting themselves to the party.
Relationships are crucial
Historically, CISOs have been late invitees to the cloud procurement process, Ferrara noted. Oftentimes, contracts to engage a cloud provider are well underway before the security office is even consulted.
The CISO has an equal responsibility throughout the procurement and then the operation of the cloud environment.
principal analyst, Forrester Research
"In order for CISOs to be effective, they must have effective relationships with sourcing and vendor management full stop," Ferrara said.
When working with third parties, security evaluation should be implicit in the vendor management contracting process, Ferrara said. If it's not, then the effectiveness of any work the CISO might do once the contract is close to being signed is going to be questionable, he added.
Security officers, he said, have to work with the sourcing and vendor partners in their organization to make sure they're included early on in order to influence and actually implement security controls. This includes vendor selection, so that when an RFI or RFP goes out the correct security controls are already outlined clearly.
"Making sure those security controls are included is absolutely essential. The security officer needs to do that, it's really job one," Ferrara said.
Have a cloud procurement review process down pat
Once a short list of vendors is selected for the RFI or RFP process, it's vital that the CISO be ready with an effective and efficient evaluation process. This process is in place to review that list to ensure the security controls vendors claim to have are, in fact, in place.
Read more about cloud procurement and security
Managing cloud security risks means asking the right questions
Thorough preparation offsets cloud security risks
Product spotlight: New cloud security platforms from MetricStream, CipherCloud
"It could be as simple as a review of their SOC 2 report, or it could go up to and include an on-site assessment to audit their controls," Ferrara said. "It will depend on the size of the agreement, the sensitivity of the workloads from an intellectual property and/or process perspective, and the urgency of the business to get the agreement signed."
Without this ability, the cloud procurement process is slowed once it hits the security office. The CISO will then be seen as a business disabler rather than a business enabler, creating the potential for big problems down the road.
Continued vigilance necessary
The CISO's role in the cloud procurement process doesn't end once vendors are vetted. Once that relationship is established, the CISO should be prepared to be in it for the long haul. The review process used to select the vendor should be carried out periodically, at established intervals, to make sure the same security controls remain in place and are being executed effectively.
Further, if the organization's own unique IT security controls, policies, procedures and guidelines apply to the cloud service provider's services, it's also the CISO's responsibility to conduct periodic reviews that ensure continued compliance.
"The CISO has an equal responsibility throughout the procurement, and then the operation of the cloud environment," Ferrara said. "The reality is, with a credit card you can go out and buy some of these services and spin up a pretty substantial data center … so this is as much an internal governance issue in the sense of how IT is procured and used, as it is specifically a security problem."
Let us know what you think about the story; email Karen Goulart, features writer.
This was first published in July 2013