Cybersecurity is facing a gaping skills shortage. Businesses are piling on an obscene number of point solutions to compensate. The resulting heap of tools typically falls short — and they still require hands to wield them. Can cloud providers shovel businesses out of this deepening hole?

We see security frameworks today with as many as 250 controls and nobs, according to Mark Ryland (pictured), director of the Office of the CISO at Amazon Web Services Inc.

A cloud provider could potentially subtract some of those nobs away. It could make security a shared responsibility where the provider mans some aspects of security, co-pilots others with the customer, and leaves what it must in the customer’s hands.

“What remains is … you’ll take your expertise and you’ll refocus it on more application security,” Ryland said. In fact, security teams can transform themselves and their methods when they shift some tasks to cloud providers and to in-house engineers and coders.

Ryland spoke with John Furrier (@furrier), host of theCUBE, SiliconANGLE Media’s mobile livestreaming studio, during the AWS re:Inforce event in Boston. They discussed the ways in which cloud and infrastructure as code could rescue cybersecurity (see the full interview with transcript here). (* Disclosure below.)

Code goes to work in security

When chief security officers move to cloud, where everything is programmable, they discover shortcuts, Ryland pointed out. “What we’re seeing now is people say, ‘Look, I have all this expertise, but I also see that with the software-defined infrastructure and everything as an API, if I pair up an engineering team with a security-professional team, good things will happen,'” he said.

What sorts of good things? Security pros can hand off repetitive tasks to engineers who will simply write code that accomplishes the same thing, for instance. And security pros are also becoming more proficient in code themselves. They can shrink policies that used to be documents into code, according to Ryland.

CISOs must work to get the OK from regulators to move to these new methods. “There’s risk committees on these boards of these large public organizations, and the risk committees don’t know a lot a lot about cloud computing,” Ryland stated.

AWS is leading the charge toward shared-responsibility with new announcements around network traffic analysis.

Watch the complete video interview below, and be sure to check out more of SiliconANGLE’s and theCUBE’s coverage of the AWS re:Inforce event. (* Disclosure: Amazon Web Services Inc. sponsored this segment of theCUBE. Neither AWS nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE