Interview with the CISO: Michael Ball, AGF Investments

We recently posted an interview with a Netskope customer regarding the importance of IaaS security. This week, we sat down with Michael Ball, CISO at AGF Investments, and discussed his concerns for security in the cloud and the tips he recommends any organization can practice.

How do you approach security in the cloud?

Cloud security challenges are familiar to any CISO. We need a security program and policy that can dynamically expand and adapt as we extend into the cloud.

What’s your top security concern in the cloud?

Most traditional security controls were not designed to help gain visibility into cloud app usage and related risks. They can’t provide the visibility and control needed. We have multiple cloud apps, each provider has their API and reporting, managed separately. We need one view across our entire environment. A CASB has become a necessary component of a security program for any enterprise adopting multiple cloud services and transferring sensitive data to the cloud providing a holistic view into the entire cloud environment.

Are you concerned with sensitive data leaks?

All my peers talk about this. Enterprises in general are not even doing a good job of DLP internally. So much of our sensitive data is in cloud services. Data loss in the cloud is a big concern for us, and is one reason for slow adoption of general cloud storage strategies.

Do you see unfettered access to the cloud from unmanaged devices as a security risk? Controls and governance over unmanaged devices are important. We’re looking at ways to safely implement BYOD. It really comes down to having visibility. Any company’s brand and reputation can be at risk when you don’t have visibility.

Are you concerned about malware and ransomware? In discussions with my community, we’ve been looking at malware and ransomware using cloud services to hide and spread. Right now, we’re concerned with cloud storage. We’re watching this closely.

What percentage of users do you believe are going directly to the cloud while mobile or remote? About 70 to 80% which opens us up to risk. I can’t see anything they’re doing while they’re outside the perimeter.

Any tips to peers evaluating their cloud security programs? Start by understanding your users. What cloud services are they accessing today? You can’t implement the right tools until you understand the problem.

Then what? The concept of context is so critical. To really understand how your business uses the cloud, you need to see real-time cloud activity details in context. Including users, devices, locations, dates, times, content, and activities such as “share,” “download,” “upload,” and more across any service, service instance, or service category. And lastly, select solutions that truly extend visibility and control into your cloud infrastructure through a single management console.

Would you recommend Netskope to your peers? Yes, In discussions with other security professionals, I regularly recommend Netskope. Netskope understands the cloud threat landscape, and listens to customer needs with an architecture built for any use case.