Transparency about the risks of breaches of confidential business information, intellectual property, and regulated information is essential to protecting sensitive data. Fortunately, centralized cloud platforms and expanded operational data available from these platforms allow managers to assess risks, discover breaches, design guidelines based on trade-offs between risk and value, and in many cases automate the enforcement of these guidelines.
To a large extent, the rules for the data that certain groups of employees are authorized to access and the data that must remain in the private cloud can be enforced by the cloud platform itself. Data on the company’s quarterly financial results, for instance, can be automatically blocked from leaving the secure environment of its private cloud until results have been officially released.
For organizations engaged in wholesale cloud migrations, roles and responsibilities will require significant changes—moving from specialized roles, such as server or network managers, to broader roles for integrated service managers. These service managers will be well positioned to steward business risks because their perspective is more comprehensive than that of specialized managers, for example, when making judgments on when to use private- or public-cloud resources.
Nonetheless, the democratized nature of cloud purchasing and usage creates risks that automated guidelines cannot fully address. The proliferation of wireless devices that can access cloud computing anytime and anywhere, for instance, extends the reach of the company’s information infrastructure, but in doing so it also makes that information more vulnerable to breaches. Among the risks: lost or stolen devices with sensitive data stored on them. This means that the mind-sets and behaviors of line staff and managers can have a great impact on cybersecurity. As a result, companies must drive risk awareness across the organization and provide risk orientation for new and lateral hires. Linking compliance to compensation through clear metrics reinforces the culture shift.
The cloud in its many forms is an exciting development for enterprise IT, but it also creates new types of challenges in protecting sensitive information assets. A business-focused risk-management approach enables large institutions to strike the right balance between protecting data and taking advantage of more efficient and flexible technology environments.
This article was originally published in McKinsey Quarterly. Copyright (c) 2012 McKinsey & Company. All rights reserved. Reprinted by permission.