Mar 2022 | Interview | Russ Langel
Alan Katawazi:
Russ, great to have you here. Let’s dive right in—cybersecurity and cloud infrastructure seem like two separate beasts. But you’re saying they should be tackled together?
Russ Langel:
Absolutely. A lot of companies still treat them as separate initiatives, but that’s a mistake. Moving to the cloud without thinking about security from the get-go is like building a house and leaving the doors unlocked. The cloud changes how security works—it’s not just about protecting a single perimeter anymore, it’s about securing everything, everywhere, all the time.
Alan Katawazi:
That makes sense. But let’s be real—companies are often moving to the cloud because they need to modernize fast. Security can feel like a speed bump. How do they balance that urgency with doing security right?
Russ Langel:
Yeah, I hear that all the time—speed versus security. But here’s the thing: if you rush to deploy without security, you’ll end up spending way more time fixing problems later. I actually worked with a firm where security was an afterthought for years. They were focused on rapid development, pushing features, and expanding their cloud footprint without a solid security foundation. Then, they suffered a major breach—customer data was exposed, and suddenly, security became their number one priority. That year, they shifted their budget dramatically—security went from being a small slice to the dominant spend for the entire fiscal year. It was a painful but valuable lesson. That’s why I tell clients, 'Bake security in from day one.' Use cloud-native tools, automate security policies, and make sure identity and access management is tight. You’ll move faster in the long run because you’re not constantly backtracking to fix vulnerabilities.
Alan Katawazi:
Ok, but say I’m a CIO and I need to convince my leadership team that we need to do this right. What’s the key argument?
Russ Langel:
It comes down to risk versus reward. If you cut corners on security, you’re exposing your company to massive risks—data breaches, compliance fines, reputation damage. The reward of moving fast isn’t worth it if you’re setting yourself up for failure. But if you integrate security into your cloud strategy from the start, you get the best of both worlds—scalability, flexibility, and resilience.
Alan Katawazi:
So, what’s the biggest mistake companies make when securing cloud environments?
Russ Langel:
Hands down, assuming the cloud provider handles everything. AWS, Azure, Google Cloud—they all have solid security features, but it’s still on you to configure them correctly. Identity and access management (IAM) is a big one—too many organizations over-permission users and services, leaving doors open for attackers. Then there’s misconfigurations—like leaving storage buckets open to the public. It happens more than you’d think.
Alan Katawazi:
Yeah, we’ve all seen those headlines about companies accidentally exposing customer data. What’s your advice to avoid that?
Russ Langel:
First, always use the principle of least privilege—only give users the access they absolutely need. Second, automate security scans and audits—there are great tools out there that catch misconfigurations before they become problems. And third, treat security as a shared responsibility—your cloud provider gives you the tools, but it’s up to you to use them wisely.
Alan Katawazi:
How does running AWS vs. Azure affect the outcomes of a cloud’s security?
Russ Langel:
That’s a great question. Both AWS and Azure offer top-tier security features, but the way security is implemented differs. AWS gives you a lot of flexibility, but with that comes the responsibility to configure security correctly. Azure, on the other hand, integrates more tightly with Microsoft’s security ecosystem, which can be an advantage if you're already running a Microsoft-heavy environment. The real difference comes down to how well an organization configures and manages security within the chosen provider. The best cloud security approach isn’t about choosing one provider over the other—it’s about setting up strong governance, monitoring, and automation no matter where you deploy.
Alan Katawazi:
What are the prerequisites for security in the cloud?
Russ Langel:
Security in the cloud starts with a few key fundamentals. First, you need a solid identity and access management (IAM) framework—permissions should be granted based on the principle of least privilege. Second, encryption should be enabled for both data at rest and in transit. Third, organizations must establish continuous monitoring and logging so they can quickly detect and respond to security threats. And finally, compliance with industry standards—whether it’s SOC 2, HIPAA, or ISO 27001—is essential to ensure that security controls meet regulatory requirements.
Alan Katawazi:
What sort of mindset should a board of directors have when considering the financial implications of their cloud security?
Russ Langel:
Boards need to think of cloud security not as an expense, but as an investment in business continuity and risk management. Security breaches can lead to devastating financial losses—not just in fines and legal costs, but also in brand reputation and customer trust. A proactive approach to security reduces long-term costs and ensures the organization remains resilient against evolving threats. A board that prioritizes security is a board that prioritizes stability and sustainable growth. After all, the point of pp Product Perfect is to help organizations modernize their legacy systems while ensuring security is built into every step. We don’t just migrate applications—we optimize them for the cloud while strengthening their security posture. We strive to be architects and engineers in the technical trenches, but then also, we look beyond the trenches into the air to see what the next move is and help maneuver the technology toward that.
Alan Katawazi: So if a company is about to embark on a cloud migration, what’s the one piece of advice you’d give them?
Russ Langel: Don’t treat security as an afterthought. Security and cloud architecture go hand in hand. Plan for both at the same time, automate wherever possible, and regularly assess your security posture. The companies that do this right from the start end up being the most successful in the long run.
Engaging discussions with our consultants, partners, and clients on key industry trends and developments.
Senior consultants with previous experience with these types of projects can set the stage for a well-framed engagement.
A focused session on your specific software applications, platforms, or projects. Typically this includes technical resources from both sides.