Your organization is almost certainly using the cloud for critical business functions
like customer relationship management, sales renewals, financial planning, payroll,
talent tracking, benefits management, project management, customer support,
software development, and more. Somewhere along the way, the cloud became
mission critical, and now it’s here to stay. Your fellow executives are starting to ask:
Do we have a process for tracking sensitive information throughout its lifecycle?
Are we protecting our “crown jewels”?
Are we considering the cybersecurity aspects of our major business decisions?
Are we evaluating security risks associated with third parties?
A recent survey estimated that a full 30% of an organization’s business information
is in the cloud, and 35% of that is not visible to IT. If this is true for your organization,
it means you can’t fully answer the above questions.
What’s the right answer? Turn your organization’s cloud switch to “off”? While that
may have been a viable answer in the past, it isn’t today. Not only are individual
users able to go around IT because their goal is to get their jobs done as efficiently
as possible, but entire lines of business are now dependent on cloud services for the
organization’s competitive advantage. The only answer is to have a strategy. Rather
than just looking at cloud through the lens of cyber-risk, take this opportunity to
educate your corporate leadership about one of the biggest risks, but also one of
the biggest opportunities IT has seen in years. Your strategy should not just
articulate your cyber-risk, but also address the question “What is the risk to our
business of not being in the cloud?”
The strategy you discuss with your corporate leadership should include:
Current state of affairs
For CIOs, there’s no scarier question than “How are we using the cloud today?” To establish
credibility, articulate current challenges, and gain buy-in for your strategic plan, you need to provide
your corporate leadership an accurate assessment of the current state of affairs. This includes how
many and what types of cloud services are in use in your organization, what they are used for,
who uses them, how important they are to your business, how enterprise-ready they are based on
objective measures, and what that means in terms of your cyber-risk.
Safe cloud enablement plan
Safely enabling cloud means you need to be able to find, understand, and secure the cloud
services that are in use or under consideration, both sanctioned and unsanctioned. You need to be
able to answer risk, security, and compliance questions specific to your business. Some sample
questions to ask include “Does any confidential content reside in our sanctioned cloud storage,
and if so, who has access to it?” or “Do we have any Payment Card Information residing in our
cloud Customer Relationship Management apps?” Finally, securing the cloud isn’t about blocking
services. It’s about applying policy at the activity and data level to address real risks.