I first became a Chief Information Security Officer (CISO) in late 2008. Almost immediately, I began to ruffle feathers and raise eyebrows because I was a strong advocate that the cloud was the direction in which we all needed to move. My reasoning was that security in the cloud was more advanced, reliable and resilient than anything we could do internally. The cloud, even at that time, offered the best way to collaborate safely.
Today, more than a decade later, in the midst of a global pandemic that has put enormous pressure on organizations of all types and sizes, I believe more than ever that the cloud is still the best way to go. In fact, I would argue that there are maybe 10 companies in the world that can secure and run their data centers as well as the large hyperscale cloud providers such as Amazon Web Services, Google and Microsoft.
In many organizations, the skills and resources necessary to empower digital transformation and run IT and security on-premises are not aligned with targeted business outcomes.
For example, in the pharmaceutical industry, we are building new channels for direct engagement with healthcare professionals, yet must operate within rapidly changing data privacy and regulatory parameters. Companies that try this with a do-it-yourself approaches at scale are hard-pressed to match the capabilities of the cloud providers. A classic example is encryption-at-rest, which is a constant data center frustration. Yet, cloud providers have shown that they have the scale, platform and resources to do it, and do it well.
The cloud is no longer a choice—it’s a destination we have to get to. The question is not whether to embrace the cloud; but how can business and technology leaders choose the right path and timeline for their organizations.
Security Is About Trust
The most important advice I can share with my fellow CISOs is that we must all challenge ourselves to do a better job of thinking about the business impact of our decisions. For a long time, we’ve been lobbying for a seat in the boardroom and in the C-suite. Now that we have it, we have to start thinking and acting like business leaders.
Our job is not about just protecting against breaches; it is about making our organizations more successful, responsive and resilient. The cloud journey provides a perfect opportunity to do this. I remember listening to a keynote speaker at a conference a couple of years ago, and her main message resonated strongly with me: “Security used to be about protection,” she said. “Now it is about trust.”
I take this to heart when I look at the role of cloud transformation in our organization, which is a leader in the pharmaceuticals industry. We are a values-driven company, with the goal of always making decisions based on patient, trust, reputation and business—in that order. Patients have enough to worry about without having to be concerned if their digital experience is safe and secure.
For a long time, pharmaceutical companies only dealt with doctors, and even then it was not a deep relationship. But our model has changed for the better. The entire industry is focused on long-term health management. We want to establish long-term relationships with physicians and patients, and across our entire ecosystem and supply chain. Instead of a work force on the order of 70,000, we are looking at a potential patient population in the millions.
For that level of scale, size and trust, you have to use the cloud. Our business and the overall business climate move too quickly for anything but the cloud. We can’t wait a week, or even a day, for a new server. We need cloud agility, scale and resilience. In our organization, we have gone from pockets of cloud to a board-level, CEO-sponsored full-on initiative to move virtually everything to the cloud in the next three years.
Taking the Cloud Journey
I have been a cloud advocate for a long time in my career as a CISO. Fortunately, I have been in the same industry, which I love, for that entire time, but I have also worked in different companies. I am aware of both the challenges in cloud transformation, as well as the opportunities. Here is some guidance I can offer from my own experience and as an active participant in the broader cybersecurity community.
- Tread lightly. Cloud transformation is a journey. Don’t expect to go home over the weekend and come back on Monday fully formed in the cloud. Start with areas that can deliver immediate and clear benefits, such as backup, recovery and software development. Migrate more directly as you get more experience.
- Don’t underestimate the challenge of living in both worlds. Even for early adopters and companies seeking a cloud-first or cloud-only strategy, there will often be a need to reach back into the on-premises world for data. There are likely to be interdependencies with legacy applications, technologies and processes that are not transferable.
- Consider the depth and breadth of your ecosystem and supply chains. Most business models are no longer focused solely on internal operations. We are all dealing with external ecosystems. In the case of pharmaceuticals, it extends to patients, physicians, payers and beyond. The cloud can help you scale as needed, which is essential because your external ecosystem is typically even larger than your workforce.
- Embrace security automation. The cloud is about server builds, capacity extension, elastic infrastructure. In the past, we used to do many of those things manually. The value of the cloud is speed and agility, largely devolved from automation. In the shared security model, make sure you are automating your portion of the security responsibility, and don’t just rely on the public cloud provider’s automation. In the rush for speed, developers or line of business managers might want to avoid security. Don’t let that happen. Build security automation into your processes and models.
- Build up new sets of skills and processes. In the cloud era, software development is also in a period of rapid transformation. With cloud development, microservices, containers, Kubernetes orchestration and API security, many companies and IT/security teams are finding themselves back in the application development business. Organizations must have in-house skills in areas such as API security, DevOps and SecDevOps.
- Modernize hiring, training and talent acquisition. Stop looking for the 10-to-15-year security pro. They barely exist. Change your talent acquisition and retention processes to focus on fresher, more agile talent that has experience in cloud, DevOps, API security and other areas that are likely to hasten your cloud transformation. Manage your teams to keep them at your company, using flexible approaches, high levels of automation, support for remote work and more.
- Streamline security with a platform model. One of the changes in the cybersecurity industry over the past few years has been the emergence of platform models. We have seen many instances where innovative start-ups have come out with solutions to specific cybersecurity challenges. However, a company like ours is hard-pressed to get the support we need from a 30- or 40-person company. There are larger security companies that have been able to stay close to security innovation by acquiring these start-ups and embracing a platform model. This provides a greater level of confidence in dealing with a company that truly understands the challenges of cybersecurity scale, support, service and innovation—particularly in the cloud.
Reaping the Business Benefits
Cloud transformation has been of particular value to our organization in responding to COVID-19. We are on the front lines, working on treatments and partnering to deliver vaccines. With remote work and digital transformation, cloud transformation is allowing us to embrace new business models that will probably reshape our industry forever.
Why should our field sales teams continue to go door to door to physicians’ offices? Why do treatment centers require sick people to come into a facility where they come into contact with other sick people? Why can’t we use remote diagnostics for disease identification, research and other functions?
COVID-19 in some ways has been a rallying cry for digital transformation. For modern CISOs, the world has changed. Security has to be viewed through a new lens, not as a technology risk, but as a business risk. One of the ways to think about cloud transformation is an investment in the most critical requirements of the business—resilience, availability, agility and security.
The cloud provides a fundamental and inherent improvement, not just in security, but in your overall business operations and capabilities, much more so than you could ever build internally. As I said earlier: Cloud is no longer a choice, but a destination.
Mike Towers is Chief Information Security Officer at Takeda Pharmaceuticals. This article is excerpted from “Navigating the Digital Age, The Definitive Cybersecurity Guide for Directors and Officers, Third Edition.”