1. Incorporate cloud governance into your overall risk governance program
Too many organizations treat cloud governance as a separate entity, assuming that the cloud provider is protecting their sensitive information.
This mindset dates back to just a few years ago, when many companies ran on-premises servers and internal, private cloud environments, and IT merely supplemented business operations.
In our connected age, the on-prem model is quickly becoming obsolete. Stakeholder expectations and enterprises’ own business models demand instant access to services and data, which the cloud provides.
With the cloud having become an essential component of business operations, it’s imperative to fold cloud governance into overall organizational risk governance. Only then can the enterprise bring its full resources to bear on securing its cloud-hosted data and applications from unauthorized access.
2. Plan for the worst
Being prepared for worst-case scenarios can enable an organization to respond quickly to threats and minimize damage to the business and the bottom line.
Organizations should already be doing this, and many are doing so via their risk governance and risk management practices. But moving to the cloud ups the ante: the old on-prem risk paradigms don’t transfer to this new, complex ecosystem.
Businesses must envision a malware attack, DDoS attack or data theft on the massive scale that the cloud affords, and design their processes and systems to withstand such events with minimal disruption to the business.
With hackers using increasingly sophisticated techniques to conduct and hide their nefarious activities, risk managers need to let their imaginations go wild and even a bit dark. “Expect the unexpected” is a great rule of thumb, and can help organizations to minimize their losses in the event of a cloud breach.
3. Know the impacts
Good risk governance includes understanding the full effects of a security compromise, which is critical for remaining calm in the proverbial storm that may follow, and for providing assurance to stakeholders.
A breach on the scale that the cloud affords can make for juicy news and sensational headlines, but oftentimes the impacts are minimal. So what if encrypted information was stolen, if it can’t be viewed because the keys remain protected? Knowing the real-life effects of a security incident can help your organization avoid the damage that bad news reports can wreak on your reputation and revenues.
4. Focus on risks, not threats
As flashy as firewalls and red teams can be, cybersecurity—the first line of defense—is only as effective as its governance.
Just as critical, if not more so, is the second line of defense: independent oversight of cybersecurity risks under a Chief Risk Officer or other independent risk executive. The second line should be positioned to pose a credible challenge to the CISO or IT Security executive operating in the first line, as well as to the cloud host. The second line should provide independent oversight to aid in the identification, mitigation, escalation and remediation of risks where appropriate.