Research carried out by Nominet ahead of a senior leaders’ dinner to discuss cloud security found that 61% of security professionals thought the risk of a security breach in the cloud was the same or lower compared to on-premise systems. Did this finding mark a tipping point in perceptions towards cloud security?
The CISOs gathered around the table – many from the financial services industry – were less bullish than the 274 IT and security executives Nominet surveyed. Here are the main talking points from the event.
1. The financial services industry has been slower than most to adopt cloud services
This is no surprise. Financial services is a mature, heavily regulated industry with a large compliance burden. Its position does not necessarily reflect a lack of desire to move to the cloud, but the risk factors involved. However, caution can put traditional banks at a disadvantage compared with challenger banks that have no legacy systems to manage. Financial services firms cannot simply outsource “the cloud problem” because internal teams need to understand the detail. Moving into the cloud is as much a cultural step as a technical one, but there was reluctance to commit core systems just yet.
2. Few firms are cloud-first; more are cloud-by-default
CISOs described being dragged into the cloud by third-party suppliers who are hosting and analyzing their data who knows where. Sometimes this transfer of data is carried out by suppliers of suppliers that the firm either had not been informed about or that were buried in contracts rolled over for years without due scrutiny. In particular, cloud start-ups can fail to understand their responsibilities for managing data in the cloud. SaaS companies are poor at providing data back to their users, for instance when there is an investigation following a leak. Large customers should use their scale to educate providers on these points.
3. Security strategy has reached the CEO’s in-tray
The common question from the CEO is: “Are we safe?” IT and security strategy has risen up the boardroom agenda for two reasons. Firstly, because of the prospect of large fines for data misuse brought about by GDPR legislation. Secondly, “digital transformation” is seen as a way of driving down costs. Some CEOs like the marketing benefits of cloud if it is part of a modernization program. One CISO said that when his lead competitor suffered a major data breach, his budget was increased by 150% to prevent a repeat.
4. Digital transformation is a people challenge
Cloud adoption presents its own set of challenges. Many CISOs spoke of a significant proportion of IT spend taking place outside of the technology team, a share that appears to increase as enterprises move into the cloud. Security teams have more to do to ensure employees do not imperil their firms by accessing the company cloud with unapproved devices. There is also a mindset shift required for some security teams to embrace the agility of the cloud and how it can improve day-to-day operations. The risk-averse climate has increased workload because clients expect CISOs to carry out assurance reviews on their behalf to keep suppliers and customers happy.
5. Cloud is not the low-cost option
This was a surprise: price is not always a big factor in cloud purchasing decisions. CISOs pointed out that relying on a handful of remote workers to operate a cloud infrastructure might seem cheaper on paper, but they require careful in-house support. Over the lifetime of the outsourcing, it might actually work out more expensive than on-premise IT. Yes, storage is cheap, but computing power is quite expensive. The major cloud providers are not yet fighting for customers on price. There was also a worry about “lock-in” with a single cloud provider. Once an enterprise has outsourced and reconfigured internally for the cloud, there appears to be no going back. CISOs emphasized the importance of discussing an exit plan during procurement.
6. Higher reward comes with higher risk, for now
The advantages of cloud are still emerging. There are numerous instances of scaling horizontally; the performance is an order of magnitude higher; and the flexibility means it is easier to analyze metadata. If something is not working in a firm’s security stack, they can just delete it and start again, rather than pulling cables out. However, security teams can be drawn into spending an endless amount of time optimizing cloud-based apps. Cloud also adds complexity because of the huge redundancy and its security implications. Many enterprises employ a multi-cloud strategy – taking some form of service from several cloud providers. This means the risk of a breach is increased because there are more potential points of failure over a greater attack surface. All agreed that the worst thing that can happen is a data outage, with the CISO having to race to find out what happened and when.