Critical questions to answer in developing a cloud risk-management strategy
Many organizations claim to have a cloud strategy. But, when you ask their executives what the strategy is, they simply say: “Well, we’re in the cloud.”
Unfortunately, getting to the cloud is not a strategy—especially when it comes to protecting the cyber assets that you are migrating there.
There is a link between security and having a plan. Like saving for college or buying a house, you take a strategic, structured approach to ensure success. Without this, organizations using the cloud invite maximum risk, as opposed to effectively managing risk.
We are entering a critical time for this: By next year, one-half of organizations will run more than 40 percent of their workloads in the public cloud, and nearly one-third will run more than 60 percent of their workloads there, according to a survey from the Cloud Security Alliance (CSA).
In addition, these organizations are embracing increasingly complex cloud architectures, with 66 percent committing to a multi-cloud environment (and 35 percent using at least three cloud platform vendors) and 55 percent operating in a hybrid-cloud environment.
Among those adopting cloud platforms, however, security remains the top concern, as cited by 81 percent of participants in the CSA survey, with the leakage of sensitive customer/personal data, unauthorized access, infiltration into sensitive network areas and data corruption weighing on the minds of IT departments these days.
To best respond to these and other cloud-based risks, here are some questions that organizations must answer in developing a cloud risk-management strategy—and why the questions matter.
Which departments in your organization are using the cloud? How are they using it?
Why this matters: As organizations pursue hybrid and multi-cloud deployments, the complexity of maintaining security and ensuring compliance and governance grows sharply. To manage environments in which workloads run both on-premises and in the cloud, it is imperative to understand who is using the cloud and what types of workloads are going there. Many organizations find this difficult, however: workloads are dynamic, and business units using the cloud may be operating as shadow IT or have rapidly changing requirements, which makes them hard to track.
To respond, chief information security officers (CISOs) and their teams should invest in modern security and compliance tools that enable them to automatically gain comprehensive visibility into what is moving into the cloud, how it is changing, and how they may be subject to the latest vulnerabilities and threats.
Who oversees cloud acquisition and utilization in these departments?
Why this matters: Enterprises that are undergoing a digital transformation and adopting a hybrid cloud strategy face the unique challenge of protecting an ever-increasing attack surface, as well as maintaining compliance with industry and regulatory requirements. The dynamic and self-provisioning nature of today’s private and public cloud environments creates shadow IT challenges, which can lead to cyber and compliance risks.
CISOs should work closely with C-suite executives and business leaders to evaluate who is going to lead the digital transformation, and who will oversee its day-to-day implementation. In some organizations, this may be the CIO or the Chief Digital Officer. In either case, cloud security is a shared responsibility, and CISOs need to help cultivate a culture that believes this—and practices it.
What are the essential risk management duties? How do they break down, and who does what?
Why this matters: It’s critical to include all of the “ingredients” of cyber and compliance risk management for the hybrid cloud. These include vulnerability management, security and operations, internal audit, governance/compliance and configuration management. A CISO should have in place dedicated security operations and analyst teams, internal auditors and compliance and governance teams to cover these areas.
How do you ensure that the cloud risk-management strategy is properly executed—both on a departmental and enterprise-wide level?
Why this matters: The C-suite must take part in ongoing risk-management strategy discussions and development, especially when a hybrid, multi-cloud environment is involved. Enterprises also need to adopt a common Risk Management Framework-based approach, so that everyone works under the same framework and assesses the effectiveness of the risk-management strategy with the same metrics.
To keep C-suite executives and business leaders informed and engaged in the interest of optimal security and compliance, CISOs and their teams should deliver real-time metrics backed by continuous monitoring of cyber and compliance risk. Executive-level dashboards should depict the overall cyber-risk and compliance-risk posture across the entire hybrid, multi-cloud environment.
It’s clear that cloud migration isn’t strictly an “individual department thing.” It isn’t strictly an IT thing or a CISO thing or a C-suite thing either. It’s a mission-critical move which demands the input and constant involvement of all of these organizational components.
When they all come together to determine who is migrating what—and where—and to assign the roles for cloud investment and oversight, security, and a common risk and governance/compliance management framework, they are no longer “flying blind” in their pursuit of a digital transformation. Instead, they are proceeding strategically, to maximize the cloud’s value while minimizing its risk—a winning and lasting plan.