How CISOs can balance security and business agility in the cloud

In this Help Net Security interview, Natalia Belaya, CISO at Cloudera, discusses common misconceptions about cloud security, the balance between protection and business agility, and overlooked risks that CISOs should prioritize.

Belaya also offers practical strategies for integrating cloud-native security solutions and mitigating misconfigurations at scale.

What key security principles should enterprises follow when migrating to the cloud, particularly for hybrid and multi-cloud environments?

One of the biggest misconceptions about cloud migrations is assuming that security is built-in by default. Many organizations move to hyperscalers like AWS, Google Cloud, or Azure believing they inherit full or near full security protection as these platforms are certified. In reality, cloud security migration should follow a shared responsibility model that is clearly understood. They need to know exactly where cloud providers’ security ends and where their responsibility begins.

Enterprises should understand how to protect their own data and applications beyond the security provided by cloud infrastructure. This can be done by implementing measures such as zero trust, strong identity and access management, monitoring and threat detection, network segmentation and integrating cloud-native security tools to enhance protection.

Managing workloads across hybrid and multi-cloud environments can further add complexity, making it crucial to implement a comprehensive cloud agnostic security approach that safeguards sensitive data and meets compliance requirements.

How do you balance security with business agility in cloud adoption, especially when CISOs face pressure to accelerate digital transformation?

Security should be seen as a service that enables business growth, rather than being a blocker. CISOs must align security with business goals, ensuring it supports innovation rather than creating roadblocks. This requires understanding business priorities, knowing where to focus efforts, and integrating security seamlessly into operations.

For instance, if a company needs to deploy a product in a cloud provider environment, the security team should have a strategy for integrating it securely into the cloud – and support implementation of additional controls that are required. Security should facilitate this process efficiently by providing security requirements and standards ahead of time, outlining what is needed to achieve additional levels of certification on the top of the cloud.

Embedding security into DevOps allows businesses to innovate quickly while maintaining protection. By automating security processes and checks throughout the software development lifecycle and ensuring real-time monitoring – teams can build securely from the start instead of fixing vulnerabilities later.

What are the most overlooked cloud security risks that CISOs should be prioritizing but often don’t?

One of the most underestimated risks in cloud security is attack surface management. Many organizations lack visibility into their cloud assets – some don’t even know how many cloud environments they have. It’s impossible to protect what you don’t know exists, so good asset management is key.

Shadow IT is another key issue. Different teams, such as marketing or product development, may spin up cloud resources without informing IT and security teams. A forgotten, misconfigured cloud environment could expose sensitive data or become an entry point for attackers.

Additionally, security maturity varies within organizations. While production environments may be well-secured, development and test environments often lack proper controls. This can lead to threats like cloud cryptojacking, where hackers hijack resources for cryptocurrency mining, draining cloud resources instead of stealing data.

To mitigate these risks, organizations must ensure continuous visibility, standardized security policies, and proper governance across all cloud environments – while educating teams on secure cloud usage.

What are the common security misconfigurations in enterprise cloud environments, and how can they be prevented at scale?

It is hard to believe but lots of common security misconfigurations are still rooted in basics.

One of the most frequent cloud security mistakes is not securing access properly – common examples of this include publicly exposed storage, APIs and weak authentication. Unpatched and outdated software is also still very common, which leaves systems vulnerable to exploitation by threat actors. Businesses are often guilty of assuming default settings are secure, essentially prioritizing convenience over security. Implementing a good secure configuration and posture management can help to mitigate these risks.

Organizations need to ensure that their security baselines are well-documented, automated, audited and regularly audited. By adopting this approach, businesses can reduce their attack surface and maintain strong security posture across all of their environments.

How do you recommend integrating cloud-native security solutions into an enterprise’s broader security stack?

I recommend having a strategic and unified security requirements approach. Start by identifying security gaps and vulnerabilities within your cloud infrastructure. This will help to determine the specific cloud-native security solutions needed and how they fit into your existing system. By addressing these gaps, you can implement a security framework that ensures seamless unified visibility, control and compliance across both cloud and on-premises environments.

On top of this, leveraging security solutions that are cloud and enterprise agnostic will put you in a better position to adapt to changing threats, ensuring organizational resilience when managing hybrid and multi-cloud environments.