CIOReview | | 9 JULY 2023In a world that is making great strides in developing cutting-edge cloud technology, what crucial strategies do you believe can protect cloud-based infrastructure, applications, and stored data? The main strategy from my point of view is that the organization should define and implement a cloud security posture management (CSPM). This practice will demand to set policies and secure configurations in the cloud, and with continuous monitoring any deviation or misconfiguration can be detected on time, reducing dramatically the risk level exposure related to threats or vulnerabilities. On the other hand, we should consider as well how we protect the information in transit and information at rest. All technical controls should be aligned with an internal data classification standard. And technically, encryption methods and algorithms must be defined for protocols/secure communication and storage, and we should not forget that all of these are part of an ongoing process with recurring reviews to match emerging and new threats in the cloud.Cloud has rapidly become a crucial part of the digital infrastructure of Latin American organizations. What, according to your observations, are the advanced cloud security challenges faced by today's organizations? Compliance is top of mind. Nowadays, many Cloud Security solutions have hundreds of compliance frameworks to identify where we are, and how good or safe we are regarding a secure baseline. Technically speaking, these misconfigurations and not having a consistent procedure for patching or vulnerability remediation, could reflect those workloads not being assessed properly, potentially causing burnout to the teams in charge.Regulation as well is playing a very important role in the cloud. To be compliant with the applicable laws in each country for data privacy and data protection could be challenging. For a consistent and solid data protection strategy, it is not enough just define data security controls, we should define roles and functions for the people in the organization, and of course, this effort goes hand in hand with security awareness for everyone in the company. Before your stint at Sempra Infraestructura, what are some of your experiences and notable takeaways that empowered you to improve cybersecurity in general and cloud security in particular?Cybersecurity is not that different in many aspects of our life. For example, the first thing a doctor does in a health check is to start gathering relevant information. So, as a beginner, we need to know about risk and security and where we are in terms of it. It is an absolute necessity to perform assessments (internal and external) to get a deep understanding of where we should start to improve, where we want to go, and how fast we could go. Defining metrics is critical as well. Defining our key performance indicators and key risk indicators is going to set the direction where we should move, including the inner pace to improve and how near or close we are to where we want to be. As an ending note, what is your advice for other senior leaders and CXOs working to strengthen the security of cloud technology and services?Only what is measurable can be improved. It is critical to keep an eye on all the relevant metrics related to the risk exposure from the inherent activities of the business. And it would only work with people with a comprehensive understanding of risk management. I would say as well that "A chain is only as strong as its weakest link." So, unless you're providing continuous training and awareness in the organization for all the people, we could foster the security culture from a holistic approach. If this "link" fails, no matter how strong security controls are in place or how much the investment in technologies is being done. Every organization should have an identity and access management (IAM) strategy based on the user identity, access privileges, and authentication related to services in the cloud, including applications
< Page 8 | Page 10 >