CIOs Need to Get Real About Security in the Cloud
One of the reasons -- or excuses, depending on your point of view -- that some CIOs have been hesitant to migrate some or all of their IT services into the public cloud is the ever-present concern of security threats.
When IT professionals, as well as the public in general, hear another major hack or virus impacting a brand-name company on an almost weekly basis -- take WannaCry as the latest example -- I can certainly understand the reluctance to entrust a third-party service provider with control of your critical data, potentially putting your brand at risk. (See New Insight on WannaCry's Roots.)
However, let's take a rational and unemotional view of the realities of this situation.
First, any CIO who tells his or her company's board and shareholders that they have mitigated the risk of a security breach is simply lying through their teeth. In a time when we question whether foreign governments are negatively impacting the US presidential elections and when major movie studios are quaking in their boots that their blockbuster films are being made available on the web before they are commercially released, it is simply impossible for anyone with an ounce of integrity to say unequivocally that they can guarantee the safety of their data.
Another reality is that while data breaches can certainly harm any company's brand and market positioning, there are some industries where the impact is greater than others.
Certainly the US Food and Drug Administration and the entire pharmaceutical and life sciences industry, as well as big banks and insurance firms, are wise to take every precaution possible. And of course government agencies and utilities are in a particularly vulnerable position to hacks and attacks.
However, in any industry, we need to look at data security much as we do any issue regarding risk management.
Some of the questions we should ask include: What is the potential risk? What exposures can you mitigate against? What is the cost of safeguarding against those risks, and ultimately, like any other business decision, what is the perceived return on investment on pumping money in this area versus other potential investments that can drive value for the organization?
These are all excellent questions for any business and its IT department. However, the best example of how these work are found not in the biggest of the big, but in the small firms with limited resources.
There are many small and midsized companies ranging from $250 million to $3 billion in revenue where the reality is that they simply don't have the human capital to address these issues of data, security and cloud migration internally.
I led a team of 35 professionals responsible for major projects, events and facilities. I did not have the luxury of a single, dedicated security employee or chief information security officer (CISO).
For CIOs from midsized companies who use security as an excuse to not migrate services into the cloud, here's a question I'd like to ask: Who do you think is better staffed, prepared and versed in dealing effectively with bot proactive security and addressing security breaches? Is it Amazon and Microsoft or your company with your limited human and financial resources?
Security in the cloud is a real issue, make no mistake there.
Still, like any other issue of risk management, or any other business decision for that matter, we need to look at it rationally, dispassionately, and with a business and financial mind set not with knee-jerk emotional reactions. Take a deep breath, put your best minds on the issue, and come up with a realistic security plan that benefits and protects your business.
- Employees & the Cloud: 3 Ways to Nurture IT Talent
- CIOs: Stop Worrying & Learn to Love the Cloud
- Digital Transformation: Why IT Culture Matters