No Match Found
While many businesses have embraced cloud technology in all or part of their operations, one key piece of the puzzle — risk and compliance implications — may be missing. Generally, these considerations may have been deprioritized or sidestepped, a byproduct of attempting to move quickly without complete clarity about the ramifications that a cloud transformation has for meeting compliance obligations and helping address risk effectively.
As we learned in our 2023 Cloud Business Survey, it’s clear that organizations embarking on cloud initiatives should consider risk and controls early in the process, building controls into their cloud transformation.
Poor attention to these critical areas can lead to serious consequences, including cybersecurity breaches, business interruption, regulatory violations and fines, and costly budget overruns. Worse, you may not get the business value you had envisioned from your investment. And you’re potentially not able to benefit from automation and reduce overall compliance efforts and costs.
Regardless of your level of cloud maturity, bringing risk into the cloud conversation earlier can help companies migrating to cloud position themselves more solidly for success and help build trust.
Our analysis of over 1,000 enterprises revealed five factors that affect cloud risk and controls and how companies can most effectively address each one.
We found a direct correlation between an organization’s overall cloud maturity level and the maturity of its governance activities. Across the board, cloud-powered companies – those that are realizing significant and sustained value from their cloud operations – assess the maturity of their cloud controls as significantly higher than other companies.
For example, cloud-powered companies have overwhelmingly developed formal controls that are distinct to cloud operations, have developed a common controls framework that they have tailored to new cloud services, and they have documented their shared responsibilities with their cloud service providers (CSPs). Critically, most note that cloud-related controls for governance, risk and compliance activities are owned by a single business function with its own dedicated resources.
These are key considerations when developing a cloud strategy. Companies should also take fuller advantage of shared responsibilities and how the CSP defines them. Qualifying, clarifying and implementing controls can help address those requirements. Risk solutions that CSPs include as part of their offerings are often underutilized.
CSP shared responsibilities should be understood, and companies should translate their own responsibilities into their control strategy and playbooks. Companies should also revisit these often as relationships change.
Successful cloud-powered organizations build these questions into their processes:
Our survey shows that cloud-powered companies are doing better at incorporating risk and controls into their cloud strategies, but they didn’t necessarily start that process early enough. While they are more proactive than the other companies in our survey, the majority of cloud-powered companies (58%) did not engage risk leadership at the earliest stages — planning — for their cloud transformations.
Playing catch-up clearly isn’t the most efficient way to go about this process. Remediation can be tedious and costly. Given that remediation can take years, it can easily become an unexciting job that no one wants. Remediation can mean engineering teams may have to rework or revisit code and configuration related to existing applications, which could lead to a slowdown in the development of new applications.
Even if a risk strategy was flawed to start with, it’s important to avoid repeating past mistakes.
The predominant operating model today is multicloud: 65% of all survey respondents said they use multiple cloud service providers to handle their workloads. Multicloud offers features like flexibility and robustness, letting enterprises choose the right CSP for each workload as well as various software as a service (SaaS) providers for business process enablement, but it also introduces higher levels of risk. Many organizations have struggled to develop a security model that can be applied across CSPs, since each CSP has its own approach to security and governance and different security tools, all of which makes consistency difficult or impossible.
Help unify your cloud environment with a common starting point.
Many executives that say their companies are achieving value from their cloud initiatives report stronger relationships with their chief information security officers (CISOs) and chief risk officers (CROs). Because risk officers will ultimately oversee how well your framework functions, their involvement is critical from the outset.
Leadership related to governance should vary depending on the type of risks.
Regulations around the use of the cloud are in flux — and they vary from one industry to the next. The GDPR, the Federal Risk and Authorization Management Program (FedRAMP) and HIPAA (for Health Insurance Portability and Accountability Act) have all introduced new complexities for organizations looking to store data in the cloud, but the rules aren’t relevant for every type of business. For example, recently, banking and financial businesses were issued new guidelines from the Federal Financial Institutions Examination Council (FFIEC), which outlined reasonable practices for managing architecture, infrastructure and operations, with a specific eye toward the use of cloud services.
Banking organizations that we surveyed agreed that the new rules were having an impact: 90% reported undertaking some type of remediation activity to bring their cloud services into compliance.
Companies should be aware that legislation and regulation around cloud, particularly the ways in which data is stored in the cloud, is likely to be in flux for years to come. Further complicating the environment is that there is no single source for companies to reference.
There are indications of where regulators may be going, however. To see where cloud regulation is headed and how it may apply to your company, check these government publications:
Our insights are evolving at the speed of your cloud transformation. Stay connected with exclusive access to PwC's tech content. Navigate challenges and risks more confidently and realize value from your cloud investments, faster.