About 25 years ago, I helped manage a project to determine how much business leaders and IT professionals knew about the existence of local-area networks in their organizations. Remember, this was a time when LANs were still pretty new, were not well understood by non-technical executives, and were a source of confusion about their benefits and risks.
When business executives in one Fortune 500 company were asked how many computer networks were installed in their company, the consistent answer across the six C-level executives we surveyed was, “One–the one that hooks to our data center.” When we asked the CIO, he said the number was either 3 or 4. And when we queried business units, we got the real answer:
I see the same thing happening today in cloud computing adoption. Oh, there’s no debate that cloud computing is pervasive, in terms of breadth of penetration. Third-party data based on input from technical professionals indicates that nearly all organizations are using cloud to some degree, and the average organization is accessing services from five different cloud service providers. But it seems like many business professionals are in a state of denial when it comes to just how pervasive cloud usage is in their organizations. And that’s because many of them still try to find excuses to justify saying “no” when it comes to sanctioning wider and deeper use of cloud services.
For many organizations–and, in particular, many C-suite executives–it just seems to be easier to tell their employees that they can’t use cloud services than it is to find ways to ensure that cloud computing is used securely and intelligently to leverage its many undeniable business benefits.
This is hardly the first time we’ve seen business leaders react this way. It happened with important technology trends such as personal computer adoption, IT outsourcing, distributed data centers, bring-your-own-device, and telecomputing. Lack of technical understanding on the part of business leaders often led to debates over security, data sovereignty, loss of control, and fear over compliance and legal issues, too often resulting in an arbitrary lockdown against those technologies.
“I often talk with corporate executives about their use of the cloud, and I’m surprised to hear how many of them claim their organization doesn’t use cloud services,” said Sean Duca, regional chief security officer, Asia-Pacific, for Palo Alto Networks. “But after about 15 minutes of conversation, it becomes clear they are using cloud for things like Office365, data storage, and other pervasive services.”
And it’s not only tactical applications that are being developed, deployed, accessed, and managed in the cloud. Research indicates that 40% of organizations are storing personally identifiable information (PII) in the cloud, while 21% are storing healthcare records data in the cloud.
To Duca and others, the key point is getting business leaders to a place where they are comfortable not just with using cloud for critical applications and tasks, but also with an understanding of how data is going to be protected and available when and where it is needed. And to do that, C-suite executives and board members need to think about cloud security in a modernized, business-centric manner.
“It’s important to start by sharing security telemetry with others,” said Duca. “Crowdsourcing is a powerful way to get a collective benefit, and it’s important that business leaders get comfortable with that concept.” Duca likened this to doctors sharing information with colleagues, both informally and, increasingly, through formal mechanisms about unusual or never-seen-before symptoms. Doctors aren’t sharing PII about named patients, but they are helping other practitioners protect their patients–and are getting the same benefit in return.
“We have about 24,000 customers around the world sharing security intelligence with us today,” he said. “If a suspicious packet comes from a particular IP address, I can share that information with others to be on the lookout and take precautions. If thousands of people are contributing millions and billions of pieces of information, it becomes much harder for the adversary to launch repeat attacks. We can do real pain to our adversaries, and, in so doing, make our business leaders more comfortable that the right steps are being taken to secure data in the cloud.”
Greg Day, Palo Alto Networks’ CSO for the EMEA region, emphasized that many cloud security, privacy, and data sovereignty concerns of business executives can be addressed by asking some straightforward questions of their technical leaders, including:
- Who controls what goes into the cloud?
- How transparent is the cloud service vendor about their security practices?
- What data is being kept in the cloud, and what are the proper data retention policies?
- Where is the data stored, and who has access to it?
- How does all this shape our policies and practices on critical compliance mandates such as GDPR?
“These are not technology decisions,” said Day. “These are issues deeply rooted in an organization’s most fundamental business processes and workflows. It is the ‘moment of truth,’ where business leaders who want to move faster and CISOs who want to do methodical evaluations around cybersecurity work toward a common goal.”
So, what should business leaders do, and what questions should they ask, to help them get past the reflexive response of “no” when it comes to broader and more strategic adoption of cloud computing?
- Understand that not every piece of enterprise data is the equivalent of “top secret.” Certainly some information is so strategic and so essential to the organization’s competitive advantage that business leaders are going to be hesitant. So, start small. Find applications and classes of data that aren’t mission-critical, and use that as your foray into enterprise use of cloud services–and learn from your experience.
- Keep in mind that the technical stuff–the cloud security widgets–is far less important than how data is protected and how data protection in the cloud aligns with business goals and processes. Of course, your SecOps team and your IT professionals care a lot about tools, but even they understand that tools are only good if they enable, rather than roadblock, the business units.
- Realize that cloud computing is the ultimate lever in your journey to digital transformation. Simply put, you will not transform your organization into a truly digital business using legacy models for infrastructure, data protection, and cybersecurity practices. Without strategic–and secure, of course–adoption of the cloud, you will not get to the promised land.
- If you are adopting DevOps–the tight alignment of your development teams and your business units for rapid, frequent software releases and updates–you need the cloud. You’re not going to deploy multiple redundant data centers, even in small form factors, to be dedicated to each of your DevOps activities. Cloud enables you to move faster, more efficiently, and more cost-effectively in the DevOps era.
- Embrace the shared-responsibility model, where your cloud service provider handles security of the platform itself, and your internal team works to ensure your data is secure. It’s a powerful, synergistic way to go.
And smart, strategic, and innovative approaches to security that go far beyond the latest next-generation firewall will make the difference between cloud simply being viewed as a nice way to reduce Capex and cloud becoming a catalyst for agility and transformation.
Mike Perkowski, co-founder of New Reality Media, is an award-winning journalist who founded, led, or helped develop some of the most successful and influential high-tech media properties over the past several decades.