The increased use of cloud-based applications is weighing on the CISO community, according to a new study, The CISOs Report: Perspectives, Challenges and Plans for 2022, co-conducted by CISOs Connect.

But you can definitely move to the cloud securely if you adequately plan the migration.

The wrong way is the traditional “lift and shift,” where you take what you have running in your existing infrastructure and move it to the cloud. That’s usually a recipe for disaster.

The problem with lift and shift is that you need two support teams: a legacy team to support everything you wrapped and moved into the cloud, and a cloud team to support the wrapping of the old and new technologies. This method rarely delivers the improvement that organizations are looking to receive from the cloud.

The better way is to adopt a cloud-native approach, where you design specifically to take advantage of cloud-native capabilities such as microservices and containerization. You need to provide your team with the right education, and select the right cloud service provider for the right job. Cloud utilization is here to stay, so the real question is how people get themselves and their institutions more cloud-ready before making the move.

That’s why when planning cloud migration, it’s good to reevaluate why you are moving to the cloud, and then decide what should migrate. Not everything in your portfolio is cloud-ready, and you don’t want to find yourself making a costly mistake that does not deliver the anticipated benefits.

Another thing the study revealed is that the battle isn’t easing. Almost 70% of the more than 400 CISOs who responded to a survey perceive the threat landscape to be more severe than it was a year ago.

But even though the landscape isn’t easing, the complexity of the attacks isn’t necessarily increasing. The OWASP Top 10 security issues have stayed fairly consistent for at least the past 10 years, suggesting that a lot of organizations are failing to do basic cyber blocking and tackling.

They’re falling short in part because security professionals are preoccupied with the latest and greatest technology. But if you’re not doing basic identity and access management, and basic security such as patching, you’re going to run into problems, no matter what threat intelligence you’re consuming. We need to make sure we’re doing the basics well and using our existing tools fully before we start looking for more advanced technologies.

If you’re following good cyber hygiene basics, you should be protected against more than 70% of the attacks that most organizations fall for.

Third-party vulnerabilities were another concern CISOs raised in the report. We need to steer clear of complacency in this regard. Vendor risk assessment must focus on asking the right questions based on the services or software the vendor is providing. Third-party questionnaires have been around for a long time now, and organizations have become complacent. Before SolarWinds, how many were asking what these vendors were doing to protect their code base so that your organization isn’t compromised?

With all these risks, it’s important to assess your organization’s threat landscape on a regular basis, and on an ad hoc basis as the business environment changes. Corporations that have pulled out of Russia since the war in Ukraine began are now potential targets for nation-state activists, in addition to insider threats and criminal ransomware risks.

In a similar vein, ransomware has broken the business continuity and disaster recovery model because it locks up everything, and everything has to be recovered before operations can resume. So you have to reevaluate business continuity plans to withstand threats like ransomware.

Too many organizations look at these various components as wholly isolated events. We’d do better to look at information security as a true ecosystem. Let’s get back to good cyber hygiene and build from there.

Disclaimer: The views are solely those of David Cass.