Appoint a cloud purchasing 'czar' as business-cloud mediator: Stewart-Rattray

Businesses concerned about the security of cloud-computing systems should appoint a 'cloud purchasing czar' whose sole responsibility is to evaluate cloud service providers (CSPs) and manage their interactions between business and IT executives, a leading security consultant has advised.

Speaking at the recent CSO Perspectives Roadshow, BRM Holdich director of information security and IT assurance Jo Stewart-Rattray said the czar model – promoted by the likes of Gartner analyst Daryl Plummer – offers the important ability to bring order to what is often a chaotic process of cloud-system purchasing and deployment.

“The czar is an independent arbiter who receives cloud purchase requests, gathers intelligence as to what the business might need,” she explained, “and then presents back to the IT leaders what the business users need – and any pitfalls there might be. They then allow the business to make the decisions.”

Empowering the business in a structured way is critical to ensure that credit card-wielding employees don't compromise information security controls by simply running up their own cloud-based services without central control or recourse. Such 'shadow IT' remains a major problem for organisations working to come to grips with the implications of cloud models.

Because the czar maintains relationships across the business, they also have the important role of being able to identify potential savings and “establishing that discussion with Finance,” Stewart-Rattray said, noting that the czar would be a specialised assistant to existing CIOs.

“Ultimately, CIOs sign off on it,” she said. “All you're doing is giving the task to someone to go out and do the legwork for you. If [I were a CIO and] someone did cloud without my knowledge, I would be miffed to the nth degree – but if they did it with my involvement, I would be chuffed that there was a specialist to go out and present those options for me. I could then go and present those options to my fellow members on the executive, and with hand on heart be able to say 'this is independent advice'.”

Stewart-Rattray, whose other advice around cloud security included paying extra attention to contract conditions for storing and managing data, noted that a cloud purchasing czar would also offer value in addressing security requirements around telecommunications and cloud services.

By working with potential CSPs and third-party cloud-services brokers at an early stage, the czar would be able to maintain a level of assurance around potential providers of telecommunications services, ensuring that they can deliver an end-to-end security infrastructure.

“There are organisations becoming cloud services brokers who look at these issues from end to end, and this is the sort of person that your cloud purchasing czar would hook into,” she said.

“They could have that sort of discussion and investigation to see that it's going to be as secure as possible from end to end, and that it meets your requirements from end to end. Due diligence is absolutely key, as it always has been, in the selection of service providers.”

Stories by David Braue