Staying above the cloud on risks and controls

Poor attention to these critical areas can lead to serious consequences, including cybersecurity breaches, business interruption, regulatory violations and fines, and costly budget overruns. Worse, you may not get the business value you had envisioned from your investment. And you’re potentially not able to benefit from automation and reduce overall compliance efforts and costs.

Regardless of your level of cloud maturity, bringing risk into the cloud conversation earlier can help companies migrating to cloud position themselves more solidly for success and help build trust.

Five ways cloud is impacting risk and controls

Our analysis of over 1,000 enterprises revealed five factors that affect cloud risk and controls and how companies can most effectively address each one.

1. Mature governance, risk and controls can generate clear benefits

We found a direct correlation between an organization’s overall cloud maturity level and the maturity of its governance activities. Across the board, cloud-powered companies – those that are realizing significant and sustained value from their cloud operations – assess the maturity of their cloud controls as significantly higher than other companies.

For example, cloud-powered companies have overwhelmingly developed formal controls that are distinct to cloud operations, have developed a common controls framework that they have tailored to new cloud services, and they have documented their shared responsibilities with their cloud service providers (CSPs). Critically, most note that cloud-related controls for governance, risk and compliance activities are owned by a single business function with its own dedicated resources.

Takeaways

These are key considerations when developing a cloud strategy. Companies should also take fuller advantage of shared responsibilities and how the CSP defines them. Qualifying, clarifying and implementing controls can help address those requirements. Risk solutions that CSPs include as part of their offerings are often underutilized.

CSP shared responsibilities should be understood, and companies should translate their own responsibilities into their control strategy and playbooks. Companies should also revisit these often as relationships change.

Successful cloud-powered organizations build these questions into their processes:

• Do you have a common controls framework? Has it been tailored to address technology in the cloud? If not, what barriers have prevented you from tailoring your controls and whose involvement is needed to resolve those barriers?
• Have you assigned systems ownership for your cloud-based assets? As part of that ownership, have you provided adequate training in evaluating cloud risks and the relevant controls executed by either the CSP or your own management to support an effective control environment?
• How are you monitoring for adherence to your common controls framework and onboarding new technologies/assets? Who is responsible? On what cadence is this monitoring performed? How have you updated your feedback loop to incorporate the results of monitoring into your risk assessment and related controls mapping?

2. Executives can do better at collaborating early to incorporate risks

Our survey shows that cloud-powered companies are doing better at incorporating risk and controls into their cloud strategies, but they didn’t necessarily start that process early enough. While they are more proactive than the other companies in our survey, the majority of cloud-powered companies (58%) did not engage risk leadership at the earliest stages — planning — for their cloud transformations.

Playing catch-up clearly isn’t the most efficient way to go about this process. Remediation can be tedious and costly. Given that remediation can take years, it can easily become an unexciting job that no one wants. Remediation can mean engineering teams may have to rework or revisit code and configuration related to existing applications, which could lead to a slowdown in the development of new applications.

Takeaways

Even if a risk strategy was flawed to start with, it’s important to avoid repeating past mistakes.

• Who needs to collaborate and when? It’s critical that risk and security be involved at the beginning to help with planning and design, as well as to be involved throughout.
• Collaborate on existing issues, consult internally to find the best path forward and decide what to tackle first. Early success is important, because remediation can be costly, and not just in the form of direct expenses.

3. Multicloud infrastructures complicate risk further

The predominant operating model today is multicloud: 65% of all survey respondents said they use multiple cloud service providers to handle their workloads. Multicloud offers features like flexibility and robustness, letting enterprises choose the right CSP for each workload as well as various software as a service (SaaS) providers for business process enablement, but it also introduces higher levels of risk. Many organizations have struggled to develop a security model that can be applied across CSPs, since each CSP has its own approach to security and governance and different security tools, all of which makes consistency difficult or impossible.

Takeaways

Help unify your cloud environment with a common starting point.

• Make it easy to monitor and secure the complex multicloud security framework through “single pane of glass” solutions that bring multiple tools together. The proliferation of cloud-based applications makes this type of streamlining crucial.
• A large enterprise may well have several thousand distinct applications running across multiple CSPs. Develop rules around where certain types of workloads should be placed, and automate to the extent possible.

4. Strong relationships between CIOs and risk and security leaders are key

Many executives that say their companies are achieving value from their cloud initiatives report stronger relationships with their chief information security officers (CISOs) and chief risk officers (CROs). Because risk officers will ultimately oversee how well your framework functions, their involvement is critical from the outset.

Takeaways

Leadership related to governance should vary depending on the type of risks.

• If your organization’s risk issues are primarily regulatory, the CFO and chief compliance officer should be involved.
• To lay the groundwork for security and privacy throughout the cloud infrastructure and ongoing governance and controls, your CISO and chief data officer should be part of the overall cloud executive leadership and should have a strong hand in the task. Security teams and IT teams must have formal playbooks for working together to secure the cloud.
  • The chief data officer may need to be involved in regulatory/compliance considerations related to standards that enforce data requirements (e.g., General Data Protection Regulation (GDPR)).
  • The company may need to involve their COO/chief product officer and possibly the chief legal officer to help assess impacts on contractual customer commitments of both the CSP and the company.
  • The executive in charge of ESG strategy may need to understand the sustainability impact of cloud computing.
• The executive and the board should provide strong support for the kind of collaboration needed to address cloud risk issues and prevent them from recurring.

5. Evolving regulations mean staying ahead of industry-specific risk

Regulations around the use of the cloud are in flux — and they vary from one industry to the next. The GDPR, the Federal Risk and Authorization Management Program (FedRAMP) and HIPAA (for Health Insurance Portability and Accountability Act) have all introduced new complexities for organizations looking to store data in the cloud, but the rules aren’t relevant for every type of business. For example, recently, banking and financial businesses were issued new guidelines from the Federal Financial Institutions Examination Council (FFIEC), which outlined reasonable practices for managing architecture, infrastructure and operations, with a specific eye toward the use of cloud services.

Banking organizations that we surveyed agreed that the new rules were having an impact: 90% reported undertaking some type of remediation activity to bring their cloud services into compliance.

Takeaways

Companies should be aware that legislation and regulation around cloud, particularly the ways in which data is stored in the cloud, is likely to be in flux for years to come. Further complicating the environment is that there is no single source for companies to reference.

1. Monitor the environment and look ahead when thinking about your cloud adoption strategy. Whether focused on ERP data modernization, application modernization or cloud-native development, stay agile and informed, as regulatory pressure increases on cloud compliance framework. It’s critical to know the why behind cloud modernization and what’s next when it comes to proactive risk management.
2. For heavily regulated industries (like banking and capital markets, energy and utilities as well as insurers and healthcare payers), cloud adoption can often be driven by the need to remain competitive and compliant. Enhanced cybersecurity regulations will escalate those needs.

There are indications of where regulators may be going, however. To see where cloud regulation is headed and how it may apply to your company, check these government publications:

• Regulation SCI (Systems Compliance and Integrity)
• Treasury report concerns on cloud
• DORA (Digital Operations Resilience Act)