Originally published in ITBrief

IT and security leaders have never had more reason to feel frazzled by their roles.

Fighting off fast-evolving threats and remaining compliant while also being asked to modernise IT in a saturated vendor environment has elevated the role of the CIO, CISO, and CTO in maintaining customer trust – with ADAPT’s Security Edge Survey revealing it is on the minds of 95% of IT security leaders.

With cloud advancements, an uncertain external operating environment and distributed workforces, CIOs have also been driven to consider business resilience more seriously, but thanks to the sheer volume and variety of their IT resources, many organisations are wondering how to securely modernise their workload, often made up of a “spaghetti” of on-premises applications and management consoles.

Untangling each strand of this spaghetti during cloud migration presents security risks that need to be comprehensively addressed with the right mindset. Without the right mindset, organisations are vulnerable to a potentially devastating cyber attack.

To minimise the potential of a cyber attack, organisations should have a very clear idea about how they will not just migrate to cloud, but modernise for cloud, which means ensuring security as a design principle is an absolute must.

While ADAPT’s Cloud Migration Study reveals a significant focus on infrastructure modernisation, security often remains an afterthought in the process despite increased budgets and a heightened focus on the issue from IT leaders – just 45% of CISOs believe security is built into new migration projects at the outset.

A significant opportunity to adjust security and resilience thinking accordingly exists across swathes of the sector, and as any disruption can introduce a new vulnerability or invalidate an existing security measure, a change management approach is essential to ensure ongoing resilience.

Security integration prior to migration can reduce the time taken to migrate the application by almost half and ensure it is fully secure and ready for deployment, but timing isn’t the only reason CISOs would do well to consider security pre-migration. By adopting a secure-by-design mindset, the CISO is able to minimise costs, the number of security vulnerabilities, and the likelihood of scope creep in the project.

Companies can ensure resilience by creating a detailed plan involving five best practices implemented at the User Acceptance Testing (UAT) stage:

  1. Expanding a security-focused mindset to include resilience, allowing companies to allocate resources toward dedicated response and recovery measures
  2. Identifying the organisation’s ‘crown jewels’ to ensure key data and applications are given priority protection
  3. Bringing security to the forefront of cloud modernisation, making the process much more efficient than addressing security post-migration
  4. Strengthening disaster recovery plans. While no amount of planning can fully prepare an organisation for a major outage, a company must rehearse its recovery strategy to be effective under pressure. Other investments in cybersecurity and resilience will be wasted if recovery efforts fail during a critical incident
  5. Adopting RPO (Recovery Point Objective) and RTO (Recovery Time Objective) metrics, which provide insight into how old the most recent backup must be in order to enable normal operations to continue in the event of a data loss, and how long a system can be down before it causes significant damage, respectively. These measures will help CISOs measure recovery efforts more effectively

To effectively manage the change pre, during, and post-migration, CISOs can be guided by ADAPT’s four pillars for secure cloud modernisation. These are the adoption of effective forensics, immutable storage, usable backup strategy, and a cyber recovery site to protect the crown-jewels mentioned earlier.

Companies are well aware that when trust in a company goes, their customers are likely to go with it. IT and security leaders are able to ensure their companies remain trusted while minimising complexity and costs, but will ultimately need to adopt a combined security and resilience mindset for the greatest impact.