As new technologies like the cloud, IoT, Big Data and more emerge, organizations are playing catch-up to upskill their employees to handle the challenges that come with them. According to ESG’s 2018 annual global survey of the state of IT, more than half (51 percent) of respondents said their organization had a problematic shortage of cybersecurity skills. The need for these professionals is expected to increase, widening the shortage. The U.S. Bureau of Labor Statistics projects employment for information security analysts to increase by 28 percent between 2016 and 2026, much faster than the national average.
As the volume of data that organizations collect and store continues to increase and, in tandem, the skills gap widens, many are transitioning their data storage from on-premises data centers to cloud-based service providers. With this transition to and trust in the cloud comes a need for developing focused policies and plans to protect data assets. According to McAfee’s 2017 report, Building Trust in a Cloudy Sky: The State of Cloud Adoption and Security, 93 percent of organizations reported using cloud services, and more than half (57 percent) had moved from physical servers to hybrid cloud (both physical and virtual), up 38 percent from the previous year.
The shift to the cloud is a necessary and valuable step toward the future of data storage, but questions and concerns remain around the security of the data, especially if employees do not possess the necessary skills to protect these systems and, in turn, security is reliant on third-party vendors. The same McAfee study found that four in 10 public cloud services are procured outside of IT, and companies report only 47 percent visibility into their cloud services. This “shadow IT” has caused 65 percent of IT professionals to believe this way of managing cloud storage is compromising security. Data security should not be viewed as the responsibility of cloud service providers.
The owners of the data must ensure proper security measures are in place to protect their networks and users. Two key words to focus on are “of” and “in.” The service provider is responsible for security “of” the cloud, while the data owner is responsible for security “in” the cloud.
Before making a move to the cloud, an organization should have developed the policies and plans necessary for that environment. How an organization configures these services will affect the type of actionable information the company can get and use, and when. These policies and plans include application security and countermeasures to reduce vulnerabilities to an acceptable level depending on the organization’s risk posture. Organizational plans and policies should include training and information on how to manage third-party relationships, what data is available and how to properly secure it, and the virtualization of data and how to manage its multi-tenancy, if that is the architecture being used. They should also ensure that employees who manage data understand these rules and effectively incorporate them.
Another key aspect of data security is knowledge and management of accessibility. As data becomes a more integral component of operational success, a wider range of employees has access to data. For this reason, IT professionals must understand how to delegate access to information and ensure that all employees understand how to properly protect it. While plans will be unique to every organization, the first step, no matter how the plan is designed, is proper and recurring employee education and training.
Organizations must prepare a cloud adoption program, regardless of the model, that includes governance and monitoring. As an organization moves to the cloud, it must answer some questions. How will you accomplish security monitoring? How will you provide access? How will you govern the cloud?
With the increased adoption of cloud storage and the added benefit it offers to organizations, it is critical that education and training are adopted at the same rate. Organizational leaders should look to partner with institutes of higher education to keep education and training current and relevant. This can form a symbiotic relationship between industry and education, helping inform curriculum with the latest trends while simultaneously improving employee security education.
About the Author: Dennis Bonilla is the Executive Dean at the College of Information Systems and Technology and School of Business, University of Phoenix. You can connect with him on Twitter here: @DennisBonillaIT.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.