Episode Summary

The cloud has been around for a while now. And ever since it emerged — two decades ago — it has brought in new ways to think about security, identity, and access management.

But at the end of the day, we still need to make sure that the right people have the right information at the right time.

In this episode of the Cloud Security Reinvented podcast, our host Andy Ellis welcomes Meg Anderson, the VP - CISO at Principal Financial Group. They talk about the changes in cloud security since the emergence of the cloud, some of the best and worst practices, and what the future holds for cloud security.

##

Guest-at-a-Glance

💡 Name: Meg Anderson

💡 What she does: She's the VP - CISO at Principal Financial Group.

💡 Company: Principal Financial Group

💡 Noteworthy: Meg participates in a number of CISO councils. She is a board member of the Financial Services Information Sharing and Analysis Center (FS-ISAC), where she chairs the Strategy Committee and is on the FinCyber Advisory Group for the Carnegie Endowment for International Peace. Before the role of VP - CISO, Meg acquired over twenty years of technical and leadership experience in application development.

💡 Where to find Meg: LinkedIn

##

Key Insights

⚡ Adversarial relationships within a company can hinder security. There's no room for adversarial relationships in cloud security. We need to embrace collaboration and partnership. Meg talks about Principal Financial Group's culture, "At Principal, what I think is different when I think about cloud security is that there are no adversarial relationships. We're all learning; we're all respectful. And obviously, I say all, but sometimes, there are conflicts. However, we get through them. And I think that that culture is really important."

⚡ Access control and data protection are essential. As we expand in the cloud, we need to keep prioritizing access control and data protection. Meg explains, "They have to be very intentionally thought about and architected. The cloud brings new ways, of course, to think about identity and access management. There are new tools to do it with, but then, in the end, we still really need to make sure that the right people have access to the right information at the right time, and we can't lose sight of that. And our customers trust that we'll protect their information and money no matter where we're doing our computing. So it's not a choice."

⚡ You need to have a strategy. If you want to move forward and adopt the cloud, you need to put a strategy in place first. Meg explains, "If you start with the strategy, it'll pay dividends. You'll reduce risk. You'll increase efficiency. You're probably going to save time and money. It's probably going to turn out better. You're not going to be creating tech debt. So really, stepping into the cloud with a plan is just much better than playing around and looking at it as an opportunity to experiment and try new things."

##

Episode Highlights

Automation is critical for security integration

"There's definitely more ownership by the cloud team and the cloud engineers as compared to relying on specialists that were previously in the infrastructure team. So I think some of the ‘shifting security left’ conversation that we've had over the last decade or more is something that we really need to keep our eye on, because that automation is critical to integrating security into the deployment pipelines and allowing engineers to own their code and its security. That's a change that I think we are, at least, in the midst of here at Principal."

We need to stop oversimplifying the cloud

"Software as a service is very different from platform as a service or infrastructure as a service. So when we simply talk about the cloud, I think it gets to the point of oversimplification that's probably doing more harm than good, especially at the higher levels of companies, at the board regulators. Everyone's asking, 'How are you securing the cloud?' Period. And so, I think that oversimplification might be an opportunity for growth and for us to really be talking about the various components of the cloud a little bit differently in the future."

Don't be afraid to ask for support

"It sounds pretty basic, but early in my career, there were times where I assumed that, 'Well, they're my leader, they should know, and eventually, they'll figure out what I need and what I want.' And while I've never been called shy, I would say that I probably wasted too much time thinking about why they weren't figuring it out. How should I ask them? When should I ask them? And now I see the value in not just asking for investment or the tangible things that you might need, but in asking for support and finding out who will be your advocates in the organization. If you want to make a change and really ask for what you need to get something completed, get somebody to help you across the organization."

This podcast is hosted by Orca Security