
How cloud-native is changing the role of the CISO

Amir Jerbi Co-founder and CTO, Aqua Security

Digital transformation has taken hold in many enterprises, but many chief information security officers (CISOs) remain concerned about the security implications. The emergence of easy-to-use cloud-native technologies such as containers and Kubernetes made the shift almost unstoppable, and this year, the COVID-19 pandemic has accelerated enterprises' digital journeys. But that doesn't mean CISOs' concerns should be ignored.

Done right, digital transformation can not only avoid increased risk, but proactively reduce it as well. For that to happen, CISOs need to evolve in their role and become transformational leaders who can empower the business and drive innovation.

Here's why CISOs need to embrace new technologies, get to know their advantages, and understand the change they introduce to security practices.

The speed imperative

For many years, nearly every organization in every sector has been making software and applications a fundamental part of the business, while redefining the customer experience to be digital-first. The pandemic made them step on the gas.

Schools and universities had to get their online platforms up and running quickly so that the education process could continue with only minimal interruption. An increase in online shopping made retailers boost their digital offerings to support the evolving needs of customers. Food delivery companies had to devise no-contact delivery systems.

Digital transformation puts more of the business in the hands of IT, with applications interacting with customers and automation making the business more efficient. With that responsibility, IT must bring applications to market as fast as possible and be ready to do it again, because competition demands that organizations innovate quickly. Cloud-native is the only way to make all this possible.

Power your digital transformation

Cloud-native technologies' faster delivery cycles are instrumental in digital transformation. Once you deploy a cloud-native stack on a decent scale, many things become possible: You can address customer needs faster, launch and scale digital offerings in days rather than months, tap into new markets, expand the customer base, and, as a result, make more money. 

With applications broken down into microservices, organizations also gain resiliency. Since microservices can be updated independently of the rest of an application and containers can easily scale up or down with demand, organizations can adapt to unexpected market changes much faster. According to McKinsey, companies with agile practices have managed the impact of the COVID-19 crisis better than their peers.

For example, airlines now need to manage many uncertainties before, during, and after flights. Planes might be suddenly grounded or rerouted. Seating requirements might differ from country to country. The documents needed to book, check in, or board a flight differ as well. And all these things change constantly. Airlines that have embraced digital technology are better able to adapt—and cloud-native technologies are their most agile, flexible, and scalable option for doing so.

But the speed and agility to experiment and deliver products quickly are of little value if they increase an organization’s exposure to risk. Digital transformation inevitably involves a change in the security mindset, elevating the role of the CISO. In a world of two-week sprints and a "failing fast" approach, it’s no longer suitable for security to become involved only at the end of a project. Security needs to match the agility of the digital business, empowering developers from the start, and become part of the fabric of digital transformation, accelerating innovation rather than slowing it down.

The evolving role of the CISO

Over the last decade, the role of the CISO and the security function within organizations has changed dramatically. Ten to 15 years ago, security was completely separate from application teams and widely perceived by them as an obstacle to new initiatives. Getting security approvals or defining security requirements for a project could take several months, which held developers back from deploying the product on time. This is unthinkable for the pace of modern business.

But as companies are taking on digital transformation projects and evolving their IT infrastructure, the risks are changing, too. In the cloud-native world, developers push new code to production continuously. Organizations deploy applications via containers or functions in a matter of minutes rather than days or weeks.

Traditionally, the CISO's role has been to safeguard the organization against cyber threats and reduce potential risks. However, with an ongoing digital transformation, the CISO's focus must shift so that the role becomes more strategic and influential. Today, the role of the CISO is measured not only by the ability to avoid a data breach, but also by how well security anticipates new initiatives and makes it possible to bring services and applications to market faster.

Enable high-speed digital innovation

Beyond protecting the organization, the modern CISO's priorities are to drive growth through multiple projects and make this growth as smooth as possible from a security standpoint—not just removing obstacles, but creating business opportunities as well.

A severe vulnerability in one application can hinder digital transformation, but in a cloud-native development pipeline, vulnerabilities can be discovered, remediated, and mitigated much sooner than was ever imagined before.

Furthermore, when executed correctly, security can empower the business and create a sustainable competitive advantage. For example, a global cosmetics company used a cloud-native security solution to safely develop a mobile augmented-reality app that allows customers to try the company's makeup products via a selfie, without compromising their privacy.

Embrace change and tear down silos

How can a CISO enable and support digital innovation rather than hold it back? One of the best practices is to address security issues as early as possible in the software lifecycle—DevSecOps enables rapid development by making security a part of it. To achieve this, the office of the CISO needs to collaborate with and rely on its developer and DevOps colleagues. Another important principle is that security should focus on the remediation or mitigation of vulnerabilities that will allow the application to move forward, reducing contextual risk instead of blindly driving to eliminate it completely.

By allowing the business to operate in a secure fashion, the role of the CISO is crucial to the success of the digital transformation. Security should be designed to accelerate the development process, helping businesses to enable digital experiences and drive innovation. PwC, in its 2021 Global Digital Trust Insights report, noted that “like the high-powered brakes on a racecar, cybersecurity makes high-speed digital change a lot safer.”

In a rapidly changing world, one of the major challenges is how quickly you can address constantly shifting requirements, business priorities, and customer needs. For example, at the outset of the pandemic, airlines had to design a completely touchless experience at airports to make customers feel comfortable flying. By designing proper security controls, CISOs can help organizations become fast, resilient, and adaptable to change, without creating friction for customers or increasing costs.

Stay ahead of the competition

With the shortage of security professionals and the industry move to cloud-native, security must be transformed by becoming architecturally embedded and highly automated. Old silos must be torn down to make security part of the DevOps psyche. Without these changes, you will move too slowly, creating the risk of disruption by nimbler competitors.

Successful CISOs will be those who are willing to embrace the change, trust their colleagues, provide optimized security practices as part of DevOps automation, and decide when risk requires a response. Organizations that get this right will be best equipped to move fearlessly forward in the new digital landscape.
