Monday, 10 December 2018 16:30

Rethink cloud security attitudes, says CISO


Security professionals should educate themselves more about cloud security, REA Group chief information security officer Craig Templeton has told iTWire.

Templeton thinks there is a "fear and loathing" of the cloud among security professionals. This is partly because many of them have an infrastructure-centric view of the world, and so they get hung up on "who is turning the knobs".

Security professionals in regulated industries took a while to come to terms with compliance issues in the context of the cloud, but the regulators have nothing against the cloud, he said.

"At the end of the day, they [security professionals] are managing risk," he said, so they should be thinking in terms of improving resilience.

Templeton suggested the migration to the cloud is following the same trajectory as outsourcing did. There are the early adopters, the sceptics (usually the result of a lack of education), and the holdouts (particularly those in regulated industries, although they will eventually move if no problems are apparent).

We are probably in the middle of the second wave, he said, as even the Australian Government has adopted a "cloud first" policy. (See also NAB goes AWS – the bank is in the midst of a three-year cloud-first transformation.)

There are "some really cool Aussie start-ups in the security space" that REA has been using, said Templeton. There's a risk that they will be acquired by "stupid" companies, but he plans to keep using them while he can. Security start-ups need to be "wired" the right way to be effective, and the imposition of other corporate cultures can counteract that.

Furthermore, Australian start-ups tend to move to the US as customers there are prepared to accept the slightly higher level of risk associated with a new business, providing the product addresses a problem they are experiencing.

Another consideration stems from the way cloud security products are usually delivered from the cloud. This means an organisation can subscribe for a period, and then quickly switch to a different product when the threat changes. This is in contrast with on-premises security products, which generally require an upfront investment and therefore have to be "sweated" before their replacement can be financially justified.

Attackers are using the cloud, so defenders should be following suit, Templeton said. Just as cyber crime has been commoditised thanks in part to the cloud, the cloud also enables lower cost and faster paced protection.

Attackers are using various types of automation, including bots, so rules-based defences are inadequate because it is impossible to write new rules fast enough. New approaches that can automate responses are required instead, and REA (the company behind and related Web sites) is focusing a lot of its security efforts in this area.

Being a pure digital business with one million visitors per week, REA is an attractive target, he said.

While it's hard to do security better than a specialist provider (the large cloud providers have more and better security professionals on staff than most of their customers could afford), there is a risk that the "blast radius" of a successful attack on another of your cloud provider's customers could also include part of your operation, so that should be taken into consideration when making plans.

Another potential trap is "one size fits all" thinking. Even if two companies are in the same industry, a given set of security measures might not suit them equally well. Relevant regulations may impose the same baseline measures on them both, but some of the specified measures may do nothing to improve the security at one of them. A better way of looking at the issue could be to follow the example of increasingly personalised cancer treatments, he suggested.

Drawing another analogy, Templeton said cyber risk is like climate change. You can't see it, but the signs are around you. And while some people feel they can't do anything that will make a real difference, they need to be persuaded to adopt strategies that will keep themselves — and their organisations — safe.

"Everybody has to contribute" in some way, he said.

The writer attended AWS re:Invent as a guest of AWS, and interviewed Craig Templeton during the event.



Stephen Withers

Stephen Withers is one of Australia's most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.
