WIREDGOV

techUK are delighted to announce Scott McAvoy, Cloud Security Lead UK&I for IBM Security  for being selected as techUK’s ‘Cloud Security Champion’ for the...

Congratulations to Scott McAvoy, Cloud Security Lead UK&I for IBM Security  for being selected as techUK’s ‘Cloud Security Champion’ for the month of August. 

The purpose of techUK’s Cloud Security Champion campaign is to celebrate the work of UK cloud security specialists in helping build a culture of trust and confidence in cloud computing and showcase how they are supporting organisations to adopt, deploy and use cloud services securely. This is also an opportunity to learn from those working in cloud security about the current threat landscape and examples of the strides being made in enhancing security. 

A new techUK 'Cloud Security Champion’ will be chosen every month, so if you would like to nominate a friend or colleague to be the next Champion please drop us a line.

What are your current responsibilities as Cloud Security Lead and what does a typical day involve?

I am the Cloud Security Lead UK&I for IBM Security. Most days the focus is on leading a team of Cloud Agnostic, Cloud Security Professionals.  This may involve overseeing client deliveries, developing future client work or understanding how the changing Cloud landscape impacts us as a team.

The team looks at Cloud Security Strategy, Architecture and Automation so we have a good level of cross-skilled individuals who can apply Infrastructure, Endpoint, Data, Application, Operations, Compliance Management, Identity & Access Management to Cloud environments. One of our main activities this year has been to conduct Cloud Security Assessments for large UK banks, UK Government departments and in other areas of industry such as Travel and Hospitality.

What do you most enjoy about your work?

IBM is a supportive environment for innovation, which suits me well as I really enjoy understanding the wider context of Security, looking to the future and defining strategy. 

Coupled with this I get a lot of opportunities to share my knowledge either direct with clients or via conferences such as our IBM Security Summit events and partner events where I’ve talked about Cloud Security and DevSecOps.

Why is cloud important to UK’s economic growth and what does the future hold for adoption and maturity of cloud in the UK?

Cloud adoption will continue to rise, clients don’t want to own or rent data centre space anymore.  Long-term cost benefits can support the regrowth required following COVID-19 and potentially accelerate plans to exit DCs.  As Cloud Service Providers (CSPs) mature, we will see the emergence of more industry appropriate Cloud platforms such as the IBM FSS Cloud, which is regulatory aligned.

Cloud adoption must be seen as an opportunity to ‘get security right’. With the global average cost of a data breach being $3.8m, the cost of any breaches will reduce any savings made via Cloud.

Would you agree that the conversation about cloud security has shifted and cloud users increasingly recognise the security benefits of cloud services?

When I started working on Public Cloud environments the conversation was always based around a lack of trust in cloud and a fear of change in maintaining necessarily strict security requirements.  It was difficult to demonstrate that Cloud is secure. 

Then there was a period of acceleration and the conversation changed to, “Cloud is happening, how can we keep up in Security and how do we need to adapt?”

Now we are seeing Cloud in terms of enhancing Security and adopting the practices of DevOps and SRE so that Security is integrated and automated, moving towards Continuous Compliance.

What are the key security concerns affecting greater cloud adoption and how can these issues be addressed?

CISOs have recognised that Cloud is a considerable change in thinking for Security, as we need to integrate cloud with other business areas. This needs a change in culture which is not easy to achieve. Strategically transforming from a Security team to a Cloud Security team is a significant undertaking and resource requirements should not be underestimated.

One technical challenge is Multi-Cloud. Some industries are required to run workloads across multiple CSPs. Providing assurance that all Security controls are implemented and providing risk mitigation across multiple environments, considering that security controls may be configure natively within the CSP, within Operating Systems and via integrated security software, is not straight forward.

What steps should organisations take to adapt their cloud security posture to the rapidly changing online environment?

Following on from the last answer, they should understand their Cloud Security Posture!  I don’t see a lot of examples of a truly well understood Cloud Security Posture across a business

A business culture that has security embedded, becomes like muscle memory, not just for CSO or technical security teams but across the business, is an essential foundational aspect of Cloud Security posture. Your people are you best asset. Yes, the insider threat still exists, but if a non-malicious employee causes a breach then it is us in Security who have failed, not the employee. This is something which Dr Jessica Barker has been talking about for a while and I’d recommend catching one of her recordings.

Understand how to codify Security requirements so they can be integrated and automated alongside other Cloud activities, the logging provided out of Cloud environments enables a much finer grained assurance feedback loop.  Every Cloud transaction is logged so there is no excuse in Cloud not to be informing the assurance processes.

How can the cloud market equip organisations with the understanding, skills and knowledge to make the right cloud decisions for now and for the future?

The most important thing is to share knowledge, expertise and learnings. CSPs have opened up a lot of resources for organisations to understand recommended practice in Cloud. In depth training and Certification Programs help but these are all technically focused in my experience. We need to recognise that Cloud impacts both the technical and less technical folk so just focusing on technical aspects of Cloud is not enough.

Building trust and confidence in the security of cloud computing services remains fundamental to the continued use of cloud services by organisations. What would you suggest is the one thing all companies should do to improve their cloud security?

The one thing I would recommend, above everything else, is having a formal Cloud Security Strategy. I have seen examples where Cloud Transformation has started with no clear strategy for Security and has led to longer lead times, higher cost and, in some cases, failure.

A strategy may lead to the development of a Cloud Security Centre of Excellence where all transformation objectives for Security in Cloud are defined, implemented and rolled in to BAU activities. This ensures that Security is part of the Cloud Transformation conversation across the business and enables a standard Security approach to be adopted in all Cloud environments.

How can the cloud industry encourage someone considering a career focussed on cloud technologies?

I would stop the over emphasis of the technical aspects of Cloud. I’ve lost count of the number of times I have heard someone say ‘I’m not technical enough’ when speaking to them about joining my team. The benefits of a diverse team to solution design or problem solve are noticeable and yet we tend to put people off applying for positions in Cloud and Security by focusing on things they are not comfortable with.

I would also extend diversity to the leaders of our industry, if we don’t have a diverse group of people at this level then we won’t encourage others.

Thank you Scott for taking the time to answer techUK's questions! If you would like to learn more about techUK's Cloud Security Champion please reach out to laura.foster@techUK.org