What Your Executives Expect You to Know About Cloud Security

Your organization is almost certainly using the cloud for critical business functions
like customer relationship management, sales renewals, financial planning, payroll,
talent tracking, benefits management, project management, customer support,
software development, and more. Somewhere along the way, the cloud became
mission critical, and now it’s here to stay. Your fellow executives are starting to ask:
Do we have a process for tracking sensitive information throughout its lifecycle?
Are we protecting our “crown jewels”?
Are we considering the cybersecurity aspects of our major business decisions?
Are we evaluating security risks associated with third parties?
A recent survey estimated that a full 30% of an organization’s business information
is in the cloud, and 35% of that is not visible to IT. If this is true for your organization,
it means you can’t fully answer the above questions.
What’s the right answer? Turn your organization’s cloud switch to “off”? While that
may have been a viable answer in the past, it isn’t today. Not only are individual
users able to go around IT because their goal is to get their jobs done as efficiently
as possible, but entire lines of business are now dependent on cloud services for the
organization’s competitive advantage. The only answer is to have a strategy. Rather
than just looking at cloud through the lens of cyber-risk, take this opportunity to
educate your corporate leadership about one of the biggest risks, but also one of
the biggest opportunities IT has seen in years. Your strategy should articulate not
just your cyber-risk, but should also address the question “What is the risk to our
business of not being in the cloud?”
The strategy you discuss with your corporate leadership should include:
Current state of affairs
For CIOs, there is no scarier question than “How are we using the cloud today?” To establish
credibility, articulate current challenges, and gain buy-in for your strategic plan, you need to provide
your corporate leadership an accurate assessment of the current state of affairs. This includes how
many and what types of cloud services are in use in your organization, what they are used for,
who uses them, how important they are to your business, how enterprise-ready they are based on
objective measures, and what all of that means in terms of your cyber-risk.
Safe cloud enablement plan
Safely enabling cloud means you need to be able to find, understand, and secure the cloud
services that are in use or under consideration, both sanctioned and unsanctioned. You need to be
able to answer risk, security, and compliance questions specific to your business. Some sample
questions to ask include “Does any confidential content reside in our sanctioned cloud storage,
and if so, who has access to it?” or “Do we have any payment card information residing in our
cloud Customer Relationship Management apps?” Finally, securing the cloud isn’t about blocking
services. It’s about applying policy at the activity and data level to address real risks.
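The first step of the enablement plan above, finding which cloud services are actually in use and which of them are unsanctioned, is usually answered from web-proxy logs. The following is an added example written for this page, not code from the original article or any vendor product. It assumes a hypothetical proxy log with space-separated fields (timestamp, user, method, host, bytes uploaded, bytes downloaded) and a hand-maintained allowlist of sanctioned hosts; both the log lines and the allowlist are constructed here. It aggregates distinct users and upload volume per host and shortlists the unsanctioned hosts that are receiving significant uploads, which is the “who is pushing our data where?” view a CIO needs for the current-state discussion.

```python
"""Shadow-IT discovery from web-proxy logs (added example, not the page's own code).

Assumed log format (hypothetical): one request per line,
    timestamp user method host bytes_out bytes_in
Lines that do not match the format are skipped rather than crashing the run.
"""
import re

# Constructed sample proxy log; the hosts and users are invented for the example.
SAMPLE_LOG = """\
2024-03-01T09:01:12Z alice POST crm.example-saas.com 18200 940
2024-03-01T09:02:40Z alice GET crm.example-saas.com 310 55000
2024-03-01T09:05:03Z bob POST files.unknown-share.net 5242880 600
2024-03-01T09:07:19Z carol POST files.unknown-share.net 2097152 512
2024-03-01T09:09:44Z bob GET payroll.example-saas.com 420 23000
2024-03-01T09:11:02Z dave POST paste.sketchy-host.org 40960 300
this line is malformed and should be skipped
"""

# Constructed allowlist of hosts IT has reviewed and sanctioned.
SANCTIONED = {"crm.example-saas.com", "payroll.example-saas.com"}

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d+) (\d+)$")


def parse_log(text):
    """Yield (user, method, host, bytes_out) for every well-formed line."""
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # malformed line: skip, do not abort the whole report
        _ts, user, method, host, bytes_out, _bytes_in = match.groups()
        yield user, method, host, int(bytes_out)


def discover_services(text, sanctioned=SANCTIONED):
    """Per host: distinct users, bytes uploaded (POST/PUT only), sanctioned flag."""
    summary = {}
    for user, method, host, bytes_out in parse_log(text):
        entry = summary.setdefault(
            host, {"users": set(), "upload_bytes": 0, "sanctioned": host in sanctioned}
        )
        entry["users"].add(user)
        if method in ("POST", "PUT"):
            entry["upload_bytes"] += bytes_out
    return summary


def unsanctioned_uploads(summary, threshold_bytes=1_000_000):
    """Unsanctioned hosts that received more than threshold_bytes of uploads,
    largest first. These are the services to investigate (or sanction) first."""
    hits = [
        (host, entry["upload_bytes"], sorted(entry["users"]))
        for host, entry in summary.items()
        if not entry["sanctioned"] and entry["upload_bytes"] > threshold_bytes
    ]
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    report = discover_services(SAMPLE_LOG)
    for host, entry in sorted(report.items()):
        tag = "sanctioned" if entry["sanctioned"] else "UNSANCTIONED"
        print(f"{host:28} {tag:13} users={len(entry['users'])} upload_bytes={entry['upload_bytes']}")
    for host, volume, users in unsanctioned_uploads(report):
        print(f"investigate: {host} received {volume} bytes from {', '.join(users)}")
```

The threshold is deliberately a parameter: a paste site receiving a few kilobytes is a different conversation from a file-sharing host receiving megabytes from several users, and the right cut-off depends on the organization's traffic, not on this example.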

Would you know if a rogue employee stole your data?

I hope you answered “No” to that question; otherwise you could be in for a big
surprise. Let me explain.
Unless you keep your money under the mattress, you trust your bank to keep your
cash safe, right? Of course they no longer keep a pile of notes in a vault, and most
of the transactions consist of bits and bytes. Sometimes crooks get their hands on
your assets, but the banks are good at discovering this and covering any losses.
That’s not too difficult, because it’s pretty obvious that something has gone
missing. Back at the office, you put your valuable information (like trade secrets
or tomorrow’s quarterly results) in your company computer systems, safe in the
knowledge that your servers and networks are managed by trusted professionals
who are loyal employees of your firm. If something went missing, you would know
immediately, wouldn’t you? But that’s the fundamental issue with cyber security:
nothing goes missing, and everything is still exactly as you left it. There is no broken
glass or forced lock, and no physical evidence of an intrusion, so of course you do nothing.
The only trace a copy leaves is in your access and audit logs, and only if you collect and
actually review them. Meanwhile the thief has copied the data and can exploit it or sell it
without fear of being discovered.

But aren’t they vetted for that role?
Of course they are vetted. Sometimes by amateurs in your HR department, sometimes
by professionals in third-party vetting companies, and sometimes by government
agencies. But it doesn’t really matter, because one-time screening will not find
someone whose allegiance shifted away from the employer over a period of time. Could
your company re-screen its employees (and contractors) in these roles several times
a year? I doubt many IT professionals would tolerate that sort of intrusion; they
would go to work for a more reasonable employer.
So what should we do?
Companies spend far too little on protecting their sensitive data. Typically only 2.5%
of your total IT budget is allocated to digital security. That is barely enough to build
and operate your defence mechanisms, and certainly not enough to implement the
proper vigilance on odd behaviour. Best practice calls for segregation of duties (SoD),
where it would take at least two people in a position of trust to perpetrate fraud. The
accounting profession has invested significantly in SoD because of the risks understood
and accumulated over hundreds of years of accounting practice. For example, many
corporations found that an unexpectedly high proportion of their internal control
issues came from IT, and so they insisted on SoD for that aspect of their business.
SoD is now becoming the norm in large IT organizations, so that no single person is in
a position to introduce fraudulent or malicious code or data without detection.
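In an IT organization the SoD principle above becomes a concrete rule on every change: at least two independent people with the approver role must sign off, the author may not approve or deploy their own work, and the same person counted twice is still one person. The following is an added example for this page, not code from the original article; it assumes a hypothetical change-management export (author, approvers, deployer) and a hypothetical role directory, both constructed inline, and audits the records for rule violations. It is the kind of check an auditor would run over the real export rather than trusting that the tooling enforced the rule.

```python
"""Segregation-of-duties audit over change records (added example, not the page's own code).

Assumptions (hypothetical): each change record carries who authored it, who approved it
and who deployed it; a role directory says who is allowed to approve. Both are constructed.
"""
from dataclasses import dataclass

# Constructed role directory: only people holding "approver" may sign off a change.
ROLES = {
    "alice": {"developer"},
    "bob": {"developer", "approver"},
    "carol": {"approver"},
    "dave": {"release-manager"},
}


@dataclass(frozen=True)
class Change:
    change_id: str
    author: str
    approvers: tuple  # names as recorded by the change tool, duplicates possible
    deployed_by: str


# Constructed sample export; comments state the expected audit finding.
CHANGES = [
    Change("CHG-1", "alice", ("bob", "carol"), "dave"),    # compliant
    Change("CHG-2", "bob", ("bob", "carol"), "dave"),      # self-approval
    Change("CHG-3", "alice", ("carol",), "dave"),          # only one approver
    Change("CHG-4", "alice", ("carol", "carol"), "dave"),  # duplicate counts once
    Change("CHG-5", "alice", ("bob", "carol"), "alice"),   # author deployed own change
    Change("CHG-6", "alice", ("dave", "carol"), "dave"),   # dave lacks approver role
]


def sod_violations(change, roles=ROLES, min_approvers=2):
    """Return the list of SoD rules this change breaks (empty list = compliant)."""
    reasons = []
    distinct = set(change.approvers)  # the same person twice is still one approval
    if change.author in distinct:
        reasons.append("author approved their own change")
    qualified = {
        name for name in distinct
        if name != change.author and "approver" in roles.get(name, set())
    }
    if len(qualified) < min_approvers:
        reasons.append(
            f"only {len(qualified)} qualified independent approver(s), need {min_approvers}"
        )
    if change.deployed_by == change.author:
        reasons.append("author deployed their own change")
    return reasons


def audit(changes, roles=ROLES, min_approvers=2):
    """Map change_id -> violation reasons for every non-compliant change."""
    findings = {}
    for change in changes:
        reasons = sod_violations(change, roles, min_approvers)
        if reasons:
            findings[change.change_id] = reasons
    return findings


if __name__ == "__main__":
    for change_id, reasons in audit(CHANGES).items():
        print(f"{change_id}: " + "; ".join(reasons))
```

Note that the check derives "independent" from the role directory and the author field, not from what the change tool labels an approval: CHG-6 was approved by two people, but one of them has no approval authority, and a tool that merely counts clicks would have passed it.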

The two most common mistakes in cyber security

Based on our “due diligence” work with many companies, here are the two biggest
mistakes we see them making:
Technology creates the problem, so it must be the solution
Most companies look to their IT department to prevent breaches and detect
compromises by using an array of hardware, software and appliances. In reality,
most of the problems are caused by human behaviour: innocent mistakes like
sending files to the wrong person, sharing your password, or lending your laptop;
malicious actions like fraud; and naïve responses to social engineering attacks like
impersonation and identity theft. IT departments mistakenly believe that they
can block these behaviours by installing digital security products.
Of course, we humans are clever enough to circumvent many of these controls,
especially if they get in the way of doing our jobs. So while an audit of the technical
architecture can make the IT team look really smart, the same audit of the actual
workflows and processes can highlight lots of work-arounds and security shortcuts.
That’s why a number of companies have changed their governance model to have
the Chief Information Security Officer report to the CFO or the COO rather than to
the CIO. Technology may have caused the problem, but technology alone will not
solve it.
Our goal is to achieve compliance.
This is the measure of success most used by the company executive committee,
because they lack a deeper understanding of the real risks. They simply want to
be convinced that the company is meeting its statutory and regulatory obligations, so
that they cannot be accused of neglecting their duty of care. It’s the same mindset
as buying insurance just to make sure the financial results don’t suffer any nasty
surprises. Compliance tends to consist of a checklist of mitigating actions, with the
implication that if you can tick the box then you are secure. This is a dangerous “illusion
of precision”, because mere compliance with an arbitrary set of regulations is totally
different from security sufficiency, and many compliant companies have big gaps
in coverage elsewhere and so fall woefully short of meeting a lot of common-sense
criteria. Our advice is to use a third party to perform an audit of the current state
of your policies, architecture, processes and behaviours; then design a holistic set of
corrective actions; and then implement these actions by prioritizing the protection
of “the vital few”: your crown jewels.