Security Pros Should Get Into The Cloud in 2011

ReadWriteWeb has a short but peppy write-up on 2011 resolutions for SMBs to get serious about security.  The standard AV/endpoint topics are discussed, but also the need to get serious about cloud computing.  In a recent Global Information Security Workforce Study done by (ISC)2 and Frost & Sullivan, 73% of surveyed (ISC)2 professionals believe that new skills are needed to meet the demands of the cloud computing space.

Some security professionals may choose to fight the cloud by simply waving a hand and proclaiming that it is not secure.  In the SMB space not every company handles PCI data, and many do not handle PII data that requires special treatment under the law.  The cloud makes sense for companies that are constrained by cash flow or capital budgeting.  For example, a company that operates an 8×5 IT shop may be able to have security and uptime monitored 24×7 by moving into a cloud solution.  This would be cheaper than a 24×7 local staff and the additional capital expenditure for monitoring tools.  Saving money for any company is a good thing.  That allows more money for raises and bonuses, which everyone likes. 

What should security professionals do to prepare for the cloud in 2011?

  • Learn about the cloud
    • Take at least one technical class about cloud computing technology
    • Take at least one business class that will help you with understanding ROI promised by the cloud
    • Collaborate with other security professionals regarding their experiences
  • Work with business leaders to embrace the cloud
    • Talk to your CFO or Controller about cost savings the cloud can bring
    • Concentrate on areas that make business sense. Not everything has to go in the cloud, nor should it
    • Illustrate the risks and benefits of moving to the cloud for those systems
    • The CEO should have the final say on any course of action; your role is to be a trusted advisor.


Security professionals should provide the expertise needed for the business to succeed.  Under ISO 27001 top management should determine and sign off on the acceptable amount of risk for the company.  At the end of the day this rests with the CEO or President, who is advised by the CISO, CFO, BizDev, and other leaders. 
