How Does the Cloud Change Cybersecurity?

Brian Engle became chief information security officer of Texas last year, after serving as CISO for the state’s Health and Human Services Commission. He spoke with Government Technology about how the cloud and the Internet of Things are impacting cybersecurity.

How does the cloud change cybersecurity?

When organizations say they’re “going to the cloud,” that oversimplifies it. You start to see business processes happening in a lot of different places. An organization may have applications running in Salesforce. It may have an outsourced HR solution somewhere else in the cloud, and it may have an ERP solution somewhere else. So it’s not adding one thing; it’s adding numerous things into the equation.

How do I detect an attack across this very diverse set of environments — I see that as our next challenge. Most of our work around event monitoring and response addresses things inside the data center. Now we need to correlate things that happen in outside environments run by cloud providers that aren’t necessarily going to send raw data to us.

So you need a different tool set?

 A different tool set and perhaps someone who has a different observation perspective — the catbird seat — to see all of these things isn’t necessarily within our organization. Bits and pieces of this are available, and they’re starting to come together. But the rate of maturity for many things in security is a bit slow, and I just don’t think they’ll spring up ready to go. They’ll need to go through a continuum of maturity, and that means growth pains for us.

As the Internet of Things emerges, how does that impact your thinking?

It’s another complexity, but I’m not sure that it dramatically changes the threat landscape, except for the fact that we need to make sure that we’re considering it and we may have overlooked it in the past. In this world of scarcity, we’ve focused on what we consider the most important items — critical business systems, etc. But the fact that those don’t operate in isolation means we need to broaden our perspective.

Other types of devices have been connected by the Internet for a while — everything from controllers in critical infrastructure to road devices used by the highway department. Now the types of connected devices are potentially anything. Yet we continue to design these devices as we did in the past. We expect that something upstream is in charge of protecting them, and that’s not always the case. 

With all of the attention on cybersecurity now, is this a good time to be a CISO?

It’s an awesome time to be a CISO, but you really need to be ready. There are a lot of people looking for answers now. A lot of the things that we normally do have been under the radar. But when things go wrong — and a number of things have hit the news — questions are being asked, and we’ve got to be able to answer them for executives and board members. Those answers don’t come with speculation. They need to come with facts. People who can answer those questions and have those conversations will be in high demand.