5 questions your business must answer to understand the hidden risks in the cloud
- Moving to the cloud promises huge benefits, but only if done properly.
- Some risks are obvious - but many get overlooked.
- Here's a checklist of what you need to know.
Digital transformation is upon us and the COVID crisis has accelerated the journey. New services available only in the cloud, with the ability to automate data processing, enable operational cost efficiencies, and manipulate data in new ways, are creating opportunities that can’t be ignored. We anticipate that spend on digital transformation (the use of smart technologies to reinvent products and services and improve operational efficiencies, all to drive enterprise growth) will double from the current $469 billion to an estimated $1 trillion by 2025.
In 2020 most organisations accelerated their use of cloud capabilities to address business gateway bottlenecks and empower collaboration in the shift to working from home - or anywhere. With businesses having an accelerating critical dependency on secure cloud services, it's essential that they understand and drive through business decisions on how to manage the risks.
Some of the risks are obvious (43% of cloud databases are not encrypted), whilst other risks are more hidden (76% leave key points of access open such as encrypted communication, and, worse, 60% have no logging enabled on cloud storage to track who is accessing them). These are simple mistakes security experts are used to fixing, so why isn’t this happening? The cost of cloud risk, if not managed effectively, can have serious consequences on the profitability of digital transformation.
A joint research paper by Palo Alto Networks and Accenture flagged three major hurdles in moving to the cloud: technical complexity, the challenges of maintaining comprehensive security, and ensuring compliance. These challenges are often impacted by a company's culture and organisation, and result in four key challenges for the business:
- Lack of visibility of security vulnerabilities.
- Employee training on security tools.
- Employee training on safe practices.
- Evaluating the current state of security.
As a business leader, how do you both identify these cultural and organisational issues and drive change across your organisation to ensure you uncover the hidden risks and maximise the opportunities that digital transformation, enabled by cloud capabilities, provides?
Here are 5 key questions you should ask your business:
- How does moving specific business processes to the cloud change our risk profile?
Eighty percent of respondents suggested their cloud infrastructure was constantly evolving. The question should be WHEN the risk analysis was completed and how frequently it should be re-assessed. Cloud is effectively a new and often complex supply chain, which means new dependencies. Understanding risk means your security teams can see into your digital processes and have mapped all potential impacts end to end. Challenge them on the blind spots and what they are doing to cover these risks. With the constant evolution of cloud usage and your business processes, security teams must be asked whether they are fixing blind spots once found (usually the hard way) or proactively investing in processes and capabilities to find and mitigate these risks before it’s too late.
- Do you have clear definitions of responsibilities inside and outside your own business?
Ninety-four percent of organisations use more than one cloud platform, such as Google (GCP), Amazon (AWS), and Microsoft (Azure). And of these, 60% use between two and five virtualising operating platforms (normally cloud services such as Kubernetes on Docker). Getting past the technical jargon, it’s important to recognise that any digital process will have multiple services provided by third-party companies. As you digitize more processes this becomes increasingly complex. The boundary points where responsibilities shift are often complex and ill-defined at the granular level. It's worth identifying some and testing to see if clearly defined boundaries are understood. Seventy-three percent of companies struggle to clearly delineate between their cloud security provider’s (CSP’s) security responsibilities and their own, and that’s just one small part of the digital process.
A simple test: consider one small change and look at the knock-on effects, such as what happens if you need to change the way data is passed or communicated.
- Do you understand the regulatory impacts? Do you have clear governance?
Beyond industry-specific regulation, most regulations are aligned to a region or country. The power and the governance challenge of the cloud is knowing exactly where in the world the data is actually stored and processed. If, for example, you’re processing personal data, that adds layers of complexity for complying with data protection laws, such as GDPR (the EU’s General Data Protection Regulation). The advantage of cloud is its agility, its dynamic nature. You must have a clear line of sight as to who is responsible for collating all the governance and regulatory insights from the different cloud services utilised and the different tools used to gather the insight. You must challenge what impact shifting data storage and processing may have on your regulatory requirements and the compliance status of your various parties. This can likely become a full-time role for someone in the business. Be clear on how frequently updates are passed back to business leaders to ensure your insights are still accurate.
- Do you have the skills and knowledge to manage your cloud transformation?
If you don’t have a joined-up cyber strategy that can keep pace, visibility and governance will struggle. Technical complexity is seen as the biggest challenge in starting the move to the cloud, with having the right skills rated closely behind. Seventy-five percent of companies say their cloud security tools and solutions are outpaced by threats to their cloud systems. Over 60% as a result are using at least six different security tools from different cloud vendors. The notion of agility in digital processes is like a generational shift that requires either reskilling or hiring new staff. This is why simple mistakes that should never occur are made. Asking someone to cook in a kitchen is very different to doing it in a laboratory, and agile means everything is happening faster. This requires organizational shift. Who is driving this change in skills and processes? How are you assessing the teams' capabilities and readiness to adapt, what is the resilience around this transition, and how are you ensuring cohesion between your new operational processes and those of the service partners involved? If you can’t answer these questions you're not operationally ready.
- How are you validating you have sufficient visibility into cloud services and supply chain dependencies?
Ask your peers if the cloud is less expensive or more, and expect different answers.
The cloud empowers creativity and new opportunities, scaling dynamically as demand changes, but at the same time it requires careful management that can often be a hidden cost. Many companies have seen their cloud transition increase costs, which is common among those that don’t carefully monitor which services are running, validate why they are running, and stop them when no longer required. Like water that seems infinite, it's easy to leave the tap running. With many digital processes running across multiple clouds and platforms, visibility in order to manage cost and risk is critical: effectively your Profit and Loss statement is now agile too! If P&L is not in sync, or something in your supply chain breaks, you have an issue. Each and every digitized process must be effectively managed. How is each team using cloud services, gathering insight on utilisation, risks, and dependencies? How is that data aggregated, validated, and reported to the business on a regular basis?
License and Republishing
World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.
The views expressed in this article are those of the author alone and not the World Economic Forum.