The following was adapted from a recent sit-down chat with our team. Security is a big challenge in the enterprise. You have legacy security teams that have traditionally worked in a checkpoint-type model: we have a six-month product plan, on these dates we're going to do penetration tests, and on this date we'll do the security architecture review. That all just flies out the window when you start having safe digital teams that are deploying into production multiple times a day.
We've worked pretty closely with some enterprise security teams to help change their workflow and disseminate ownership of security back into the teams that are actually deploying these services. So you no longer have this ivory tower of a security team saying, "This is bad." You should be securing the Cloud by asking how, not by saying no.
You need to enable teams to have ownership of their own security model, or a significant part of it. It is the only way it can really scale. You can take what was traditionally, say, a security audit, write automation around it, and have compliance checks that do what we like to call continuous compliance. We're running these checks (you can run them every five minutes if you like) and you have a dashboard of high-risk items in your Cloud.
But that only goes so far. Again, you need to start getting teams to think about security when they're designing systems.