Cloud Strategy and Security: Seeking Collaboration
Cybersecurity is the central theme of this year's Business Continuity Awareness Week, and it's no wonder. Individuals and businesses are feeling more vulnerable than ever due to the increasingly concrete threats posed by the digitally interconnected world.
Last Friday's ransomware attack, with its unprecedented impact, put an end to the persistent notion that you must be an attractive target for hackers to be affected. These attacks strike without discrimination. Humans, as always, turn out to be the weakest link. No matter how robust your security measures are, all it takes is one employee clicking an apparently innocuous link or working on an unsecured public Wi-Fi network, and the backdoor is wide open.
In this blog, I want to draw attention to another "backdoor" in cybersecurity: cloud providers. Cloud applications are now an integral part of the application landscape. For IT managers, they offer ways to streamline processes and reduce costs. However, that doesn't automatically put you on cloud nine: securing data in the cloud requires deliberate vendor management.
The problem is that not every organization is adequately prepared for this. Transitioning to a cloud application can be a quick process, and it rarely stops at one application. Organizations that move part of their IT off-site are well aware that they need to transform from a management organization into a governance organization. That is where the trouble starts: this organizational development is often slower than the technological change it must keep up with. That is understandable, since a governance organization demands different knowledge and skills. In practice it sometimes means hiring new people, but the transition should not take years.
Furthermore, using and governing cloud services (and vendors) requires a balanced mix of technical, organizational, legal, and procurement competencies. Where personal data is involved, a privacy officer and a corporate lawyer must be involved, given the data processing agreements that are required. Collaboration between disciplines is vital, and internal silos are counterproductive. Security, continuity, and privacy requirements should be set from a unified vision, so that they do not conflict with one another. It should be clear from the outset (before any IT is moved to the cloud) whether the vendor meets these requirements, whether it will continue to meet them, and how that continued compliance will be verified. A risk analysis is a valuable but often overlooked tool in this process.
I don't mean to give the impression that cloud vendors are not doing their job properly. Quite the opposite. Many vendors provide a level of professionalism and focus that is hard for an organization to achieve internally. Nevertheless, the organization always remains ultimately accountable for the security of its data; the vendor is responsible for implementing the measures it has promised.
That's why I advocate considering the broader implications for your organization from the very beginning, when developing a cloud strategy. Whether or not to opt for the cloud should not be based solely on cost or on the desire to slim down the IT department. A "Cloud, unless…" decision should also weigh the organization's ability to take and maintain responsibility for data security. Implementing a cloud strategy requires organizational development and is, by definition, a multidisciplinary issue.