Source: https://gamma.ai/events/cloud-data-privacy-in-wfh-era-1

Cloud Data Privacy in the WFH Era
Gamma.AI
October 29, 2020
“This event has ended! Please scroll below for a summary of the discussion.”
Summary
In the pursuit of minimizing data loss risks, cloud data privacy has become even more critical in this WFH era. Gamma hosted its first panel on October 29, 2020 to discuss it, covering a broad range of topics including cloud data risk assessment, cloud data governance, and cloud data access controls.
Agenda
Cloud Data Risk Assessment
Strategies on assessing critical business risk by conducting continuous data discovery
Cloud Data Governance
Frameworks and principles to govern access and sharing of data with people, applications and geographies
Cloud Data Access Controls
Tools to set technology controls to automate data governance principles
Panelists
Bob Fabien Zinga
Head of Information Security
Tim Chase
Director of Field Security
Chris Morales
Head of Security Analytics
Lokesh Yamasani
Security Leader - Consulting
Pratul Kant
Head of Information Security
Transcript
Below is a short transcript of the questions asked by the Gamma team and responses by panelists.
Arpit
Welcome everyone to our first panel on the future of cloud data privacy. As I learnt from all of you, the very first step CISOs conduct, even before they decide governance policies or implement technology controls, is assessing where their most critical risk is by conducting a deep audit. In the context of data privacy in the cloud, this boils down to assessing risks around data living and being shared across cloud applications. From that lens, what does cloud data risk assessment mean to you? What is the impact of not conducting it, what processes have you followed, and what solutions have you built or implemented for the same?
Lokesh
In my opinion, risk assessments focused toward identifying and mitigating cloud-based security and privacy risks are different for different companies. Even prior to understanding or performing a risk assessment, one needs to understand the business, the business processes, where the data flows, what data is collected, and how it's processed, stored and transmitted. For me, being a security leader for a healthcare company, through my assessments I needed to identify risks. At the same time, I needed to mitigate these risks in such a way that I established trust with my business partners, my business leaders, and my patients more often than not. Whenever I spoke to some of my patients, they wanted to know what we were doing to manage the trust of making sure that their data is safe, secure, and rightfully used.
Bob
My experience stems from being at the US Navy followed by joining a Silicon Valley company. And both these places view cybersecurity practices very differently. On the military side, we definitely care a lot about security. I really don't know of any organization that cares more about security than the US military. I feel like in the military, we have to, because if we don't, people are going to die. Whereas in Silicon Valley, if you don't, you'd probably lose some money, but then you'd come back with another service to make up the lost money. Another big difference is that working for the government allows you to have unlimited resources. Whereas in Silicon Valley, you really need a business reason for doing security. You are always resource constrained, and you have to prioritize while mitigating the risks and knowing that the exploitable risks can have a significant impact on the company.
“You really need a business reason for doing security”
As Lokesh said, you first need to gain a lot of trust with your business leaders and then have a clear-cut ROI methodology for prioritizing your security investments. From that perspective, conducting an in-depth assessment of risks around data is critical for paving the way for a defined return on investments. And truly it doesn't matter whether the data is in cloud or endpoints or servers or containers or bare metal. One deep audit of the meaning of data across all systems can provide me a path to prioritize implementation of technology controls around cybersecurity.
Pratul
Building on top of what Bob mentioned, we don't treat cloud data risk as a separate animal from our other data risk. Basically, we try to leverage the existing governance policies and processes that we've established for our data in general. Being a government entity, we have many data privacy obligations like the California Street and Highway Code, which has some special requirements toward data privacy. We already have the processes which are integrated with our contracting and vendor management process. We leverage the same processes and the same infrastructure which is in place, and we didn't derive any separate thing for cloud data.
Arpit
Thanks for the insightful answers. I will jump to the next topic of discussion, although some of you already touched upon it. And that is about setting up governance policies around data collection, storage and access. We learnt that one important goal of cybersecurity investments is to prove ROI. And one clear ROI is earning your customers' and stakeholders' trust. And data privacy regulations are an easy forcing vector in that direction. My question is, how do you go about connecting the setting of the governance structures for data privacy to proving to your stakeholders that you are following the same? Especially for newer regulations like GDPR and CCPA that do not yet have any agency that can audit and give you compliance certifications.
Tim
It really comes down to a sense of trust, which obviously needs to be backed up by a contract. One of the most common questions that I get is around data residency. To me, that's all part of data governance; it's not just how you manage what data is in there. But do you know what data is allowed to be where? I get questions from a lot of European banks that will say, “All right, we're a SaaS company, and so, if we give you our data, whatever data that might be, how do we know that you know where the data is? How do you know that the data is not going to go across regions and that you have control over?” To me, that's part of data governance, and it's part of the plan that we have built into our security processes, because we have to give the assurance to our customers that from a GDPR perspective it's not crossing those borders. And yes, you're right. Even for GDPR there's no certification to prove compliance. It's almost self-attesting. Typically, contracts will mention where the data can live, where it can't live, and you have to allow yourself enough flexibility in the contractual language. For instance, it's very hard to say things like “this data always lives only in Germany”, because you may need the ability to switch cloud providers or have multiple regions for backup inside of Germany. We have internal policies that go all the way from deployment to database creation to business processes, from the perspective of where the data resides and also from the perspective of how we deal with governance and residency requirements.
Chris
The problem from my perspective is that it is no longer about where the data is, rather about who has access to it. Data risk assessment to me becomes a privileged access problem. And what's more interesting is that it is not about all data access, but about critical data access.
“Given the shift to cloud, the majority of the problem has shifted to primarily SaaS applications”
I bet every one of us has compiled more data in OneDrive and Microsoft Teams this year than anywhere else without even knowing it. Something I've learnt while working at a lot of companies is that if you have very strict policies like “this data type should be put in this storage or shared in that way”, it only works to a point, till the end user figures out an easier alternative. People tend to do whatever is more convenient. For example, I worked with an insurance company, where they worked with third-party agents that resell their insurance. I discovered that these agents would write out all the client's details in an email and then email it back to us. The company's security team was building complex backend encryption stuff and I was like, “Yes, but all your sensitive data is coming from your agents and it's an email that they just cut and pasted and sent to you. They take pictures of the driver's license and attach them to the email. That's your problem.” From my perspective, given the changing dynamics, the right way to set governance policies is to leverage unsupervised machine learning models to start observing how access occurs: who has access, who doesn't, where do they access it from, when do they access, how do they access it, etc. Rather than being strict, you start to learn the access models so that you can start to learn the deviations and say, “Oh, I know the CFO works from home right now. He uses Microsoft Office and goes to Teams.” If you start to see access models that deviate from that, from different places, that's enough for you to care and start to say, “I should look into this.” It is the same way banks handle credit card fraud: they look for common access patterns and block whenever major deviations from the common pattern occur.
Arpit
That poses a great segue into my next question. The data governance and access policies can start from strictly defined clauses and contractual language but should over time adjust with the business processes. Thus a policy violation should ideally be triggered only when a major deviation in access patterns occurs. In light of the dynamically changing environment of governance policies, how would you go about keeping your organization's end users well informed and aware of such policies? And what response, remediation or even disciplinary actions need to be followed to maintain the organization's contractual obligations around data security and privacy?
Bob
It is a collaboration effort: you have to work with HR, Legal, Engineering. You have to come up with a policy that works within the culture of the organization and that your stakeholders are willing to buy into. You have to come up with a policy that works within the culture of the organization that your stakeholders are going to buy into. If you're buying into it, you're going to say, “Yes, this is a great policy and will help us out and we are going to abide by it.” One thing we started doing at Directly when I joined is now we have annual training. Every single year, everybody has to review the employment guide, the acceptable use policy, the security policy and privacy training. This way we have it recorded. “Yes, indeed, you know about what you're supposed to do and what you're not supposed to do.” You can't really punish someone for doing something that they didn't know they weren't supposed to do.
Lokesh
I think at the end of the day, the most important thing is knowing where your data is and controlling where you're going to put the data. Relying on end user awareness of where your data is will never get you to the finish line. If you're not controlling the user behavior around what apps they can use and cannot use, eventually, sooner than later, I think you'll never be done. You will always have something to run after; you will not even be 30% of where you need to be in terms of achieving your goals.
Chris
One of the best ways I've seen enforcement happen is when the problem is delegated to the management of the business unit by tying simple metrics to performance bonuses. This can work if you are doing broad strokes across the business; you can't be very micro about it. You first have to agree as a business what is the data we really care about. For example, for the manufacturing business unit, the manufacturing process, which let's say is 5% more efficient than the other countries', is important to protect. If they lose that process, they've lost any equilibrium of profit within it.
Arpit
So collaborate, control and corroborate with the performance bonuses of management itself: truly simple and insightful models. Now my last and final question to all of you: given the shift to cloud, WFH due to Covid and the realization that your most critical asset in the digital age is data, if you had a magic wand and access to indefinite resources, which one primary use case would you solve at your organization in regards to data privacy, and why?
Bob
Knowing exactly what is important and critical to the organization. Being able to know how that data is collected/created, where it is stored, how it is being used, who it is being shared with, and then finally, is it being disposed of if unused.
Tim
I think just having a good handle on what data is where. I think that's a problem that's just perennially hard to solve. Just having Google Drive, or AWS, Google Cloud, Box, just having a magic wand that you can wave to know, here's where we store all of our data, here's where all of our file shares are.
Chris
I have a very similar point of view. I could just do it in one word - Visibility.
Pratul
If I had a magic wand, I would really want that super visibility in all my multi-cloud environments. Not only where the data is, what kind of data, who has access to it, but also the operational visibility when people are operating on data. On top of that, being able to know violations that are currently occurring against our policies.
Lokesh
I would say continuous visibility. The way the data moves, the way the data is stored, transmitted, and processed among these cloud workloads, and across different workloads, are quite different. As a security leader, I need accurate continuous visibility, not just any visibility.
Gamma automates data classification and data discovery across cloud applications. It helps users answer the critical questions of what the most sensitive data is, where it is located, who has access to it, and who is responsible for sharing it inappropriately, so that you can take remediation actions around it.
Interested in becoming a Panelist?
We really value your thought leadership to the broader community. Please share your information and we will get back to you shortly.