While cloud has been around for a number of years, it has taken on new importance and is no longer seen as just an IT thing — cloud acts as an enabler to digital technologies and is essential to corporate strategies. Companies are embracing cloud in a number of forms, including data and infrastructure services, enterprise software as a service, development platforms, analytics, artificial intelligence and other emerging technologies.
Our PwC US Cloud Business Survey indicates that there’s shared ownership for cloud across the C-suite and that chief risk officers (CROs) play an active role in many areas of cloud decision-making. In others, there’s room for improvement. This collaboration is crucial to realizing value, but companies still aren’t sure how to get the most out of their cloud strategy.
The pandemic accelerated technology transformations as companies shifted to remote work, so it’s no surprise that data privacy, cybersecurity and customer trust rose to the top of the list for CROs — more than a third of executives say their focus is on these areas.
Meanwhile, challenges related to internal controls and governance of cloud systems and processes seem to garner less attention from risk officers. We believe that overlooking these areas will likely be a costly mistake for many companies because they can affect speed of adoption and the ability to achieve ROI while also endangering customer trust. In fact, 53% of companies say they fail to realize substantial value from their cloud investments. Establishing controls and governance in the form of externally facing attest reports (for example, SOC1, SOC2) are crucial steps to building customer trust.
Governance and controls aspects often aren’t addressed early enough when a company moves from an on-premises system to a cloud-based system.
From a governance perspective, for instance, existing policies and procedures should be reevaluated to determine whether expectations set are applicable to the cloud environment and whether adjustments need to be made to accommodate the shared responsibilities model. Additionally, key stakeholders should define responsibilities, including managing the third-party relationship, assessing the company’s responsibilities versus those of the service provider and monitoring for adherence to those responsibilities.
There’s a widely held assumption that moving to cloud will alleviate the need to consider governance and controls, but that’s clearly not the case. Companies need to be ready to share responsibilities with their cloud provider. There are compliance issues to consider before a company can go live in a production system, and internal controls should be addressed well ahead of any migration.
For example, companies need to understand what regulatory risks are affected by the change and then design appropriate controls to help mitigate those risks.
Risk and compliance functions should be brought into the conversation both during the planning phase of a project and to maintain, scale and secure a cloud transformation.
Cloud service providers are implementing continuous updates to their systems and rolling out new offerings faster than most companies can keep track of them. It’s crucial for organizations to put controls in place to monitor new functions and make sure those updates don’t jeopardize a company’s compliance with existing regulations. In addition, companies should be wary of overlooking the need to be able to provide sufficient audit evidence that a control is operating effectively throughout a period.
Companies also should retain trust with customers and be able to state to them that using cloud services hasn’t compromised compliance and the controls they have in place. Much like trusting a contractor (and their subcontractors) in a building project, your company — and customers — need to trust that cloud providers will comply with your company’s terms of service.
CROs need to understand that considerations for cloud are not one-size-fits-all. For instance, infrastructure as a service may introduce more customer considerations than platform as a service. Most of all, the new way of working cloud makes possible — characterized by agility and innovation — means that what worked before is no longer going to be directly applicable. You can’t rely on your existing compliance and security approach in a new cloud environment.
The shift to new technologies and ways of working means that governance and internal controls are changing. Risk management leaders should take a seat at the table earlier to begin understanding and addressing these concerns before a company makes any changes over to a new system or implements new products and innovations.
Most CROs say their companies don’t start considering security and compliance for cloud projects until mid-phase — during business requirements gathering (37%) or technical requirements gathering (29%) — instead of during the planning phase.
This may be because a lower percentage of CROs (59%) see themselves as the key decision-makers or strategy drivers — even for cybersecurity and privacy — compared with most other C-suite roles. It could also be that compliance is often an afterthought when implementing new technology, resulting in potentially costly changes when systems need to retroactively be made compliant with existing regulations.
Security, privacy and regulatory issues will continue to be areas of increasing concern as organizations face rising pressure to demonstrate that they have adequately secured customer, employee and business partner data in the cloud.
Cloud service providers are responsible for securing the platform itself — but the task of keeping your organization’s data and intellectual property safe is up to you.
Responsibility for cloud security is almost always shared. For example, a cloud software application provider is responsible for security of the application itself, but you are responsible for assigning access privileges within the application layer of security. The application layer will therefore determine who has access to processes and data that may need to be secured and protected. Incorporating a risk strategy for security of the application and cyber layers and data privacy into the planning phases of your transformation or new projects can help deliver continuity and strengthen your organization’s resilience.
A successful cloud security strategy requires buy-in across the C-suite and a clear understanding of responsibilities for migration, adoption and ongoing governance. This can help you avoid duplicating tasks and help your cloud migration proceed smoothly and on schedule.
Companies need to start understanding the regulatory requirements early in their cloud transformation. Setting up compliance early can help you avoid leaving any potential gaps exposing the company to risk, avoid audit/regulator findings and reduce costs of compliance by taking advantage of automated tools cloud providers have — not to mention costly rework of having to retrofit controls after the fact.
Both technology and finance stakeholders are aware of the risks associated with cybersecurity, but have not always had to collaborate on these.
Risk leaders can serve as the bridge, connecting IT understanding with the strategic business priority of building customer trust.
For example, if risk leaders are not brought in until the technology requirement phase, the company may assess the shared responsibilities model and determine that the cloud service provider doesn’t meet the company’s security requirements and be required to build in incremental controls. Or, in some cases, it might require them to revisit the service provider selection.
Security requirements can get overlooked altogether if risk leaders are not brought in until the business requirements gathering phase or later — resulting in a technical reworking of the project and insufficient time for a company to update its controls.
The CRO and CISO functions now need to work more closely with the CIO and their C-suite counterparts to adjust their risk strategy as new technologies are adopted so that compliance and controls can keep pace with innovation.
Q: At which stage of the project does your company start considering security and compliance? Source: PwC US Cloud Business Survey. June 15, 2021: CRO base of 70