CISOs need to make sure they fully understand their cloud service agreement, Armor's founder and CEO Chris Drake told SC Media's Online Editor Doug Olenick when the two sat down for a brief chat at Black Hat 2017.
Q: Why are companies using cloud services having so many problems?
Drake: We are really trying to communicate to CISOs and CTOs the importance of understanding the Shared Responsibility Model that is used with most cloud service companies. We need to get them to realize that with a company, say like AWS, Amazon is responsible for the security of the cloud; security in the cloud is the company's responsibility. This is not made clear by most cloud providers and something many customers are not aware of.
Q: What are some of the problems facing the industry that concern you?
Drake: That bug bounty programs are not paying enough and gray hats are taking a risk analysis of their position and deciding that it's worth the risk of getting caught and jail time to sell their vulnerability to a hacker for, say, $100,000 than to the company for $10,000. Companies have to pay the going rate for these vulnerabilities. It has to be worth it for them to pay the higher amount rather than deal with the consequences.
Also, the lack of talent in the industry is a real problem. Companies have to do a better job of bringing in people without a standard cybersecurity education. This includes looking at people without a college degree and bringing in people trained in other IT areas and retraining them for cybersecurity. However, the real struggle here is identifying these people and bringing them into the fold.