Critical questions to answer in developing a cloud risk-management strategy

Many organizations claim to have a cloud strategy. But, when you ask their executives what the strategy is, they simply say: “Well, we’re in the cloud.”

Unfortunately, getting to the cloud is not a strategy—especially when it comes to protecting the cyber assets that you are migrating there.

Security depends on having a plan. Like saving for college or buying a house, you take a strategic, structured approach to ensure success. Without one, organizations using the cloud invite maximum risk instead of managing it.

We are entering a critical time for this: by next year, half of organizations will run more than 40 percent of their workloads in the public cloud, and nearly one-third will run more than 60 percent of their workloads there, according to a survey from the Cloud Security Alliance (CSA).

In addition, these organizations are embracing increasingly complex cloud architectures, with 66 percent committing to a multi-cloud environment (and 35 percent using at least three cloud platform vendors) and 55 percent operating in a hybrid-cloud environment.

Among those adopting cloud platforms, however, security remains the top concern, as cited by 81 percent of participants in the CSA survey, with the leakage of sensitive customer/personal data, unauthorized access, infiltration into sensitive network areas and data corruption weighing on the minds of IT departments these days.

To best respond to these and other cloud-based risks, here are some questions that organizations must answer in developing a cloud risk-management strategy—and why the questions matter.

Which departments in your organization are using the cloud? How are they using it?

Why this matters: As organizations pursue hybrid and multi-cloud deployments, the complexity of maintaining security and ensuring compliance and governance grows sharply with every additional platform. To manage environments in which workloads run both on-premises and in the cloud, it is imperative to understand who is using the cloud and what types of workloads are going there. Many organizations find this difficult: workloads are dynamic, and business units using the cloud may be operating as shadow IT or have rapidly changing requirements, which makes them hard to track.

To respond, chief information security officers (CISOs) and their teams should invest in modern security and compliance tools that automatically give them comprehensive visibility into what is moving into the cloud, how it is changing, and how those workloads are exposed to current vulnerabilities and threats.
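As an added example (not from the original article or from Nastel), the Python script below turns the two questions above into checks a security team can run over an inventory snapshot: it attributes each resource to a department through its tags, flags resources that nobody owns (the shadow-IT candidates), and diffs two snapshots to catch drift such as a database that has become internet-facing. The snapshot records and the `owner`/`department` tag convention are constructed assumptions; in practice the records would come from the cloud provider's asset-inventory export.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Tag keys assumed to be the organization's ownership convention (assumption).
REQUIRED_TAGS = ("owner", "department")

# Constructed sample snapshots, shaped like a cloud asset-inventory export.
INVENTORY_T0 = [
    {"id": "vm-001", "type": "vm", "region": "us-east-1", "public": False,
     "tags": {"owner": "alice", "department": "finance"}},
    {"id": "bucket-logs", "type": "storage", "region": "us-east-1", "public": False,
     "tags": {"owner": "bob", "department": "platform"}},
    {"id": "db-01", "type": "database", "region": "eu-west-1", "public": False,
     "tags": {"department": "hr"}},            # owner tag missing
    {"id": "vm-042", "type": "vm", "region": "ap-south-1", "public": True,
     "tags": {}},                               # untagged and internet-facing
]
# Later snapshot: vm-042 is gone, db-01 has become public, a new bucket appeared.
INVENTORY_T1 = INVENTORY_T0[:2] + [
    {"id": "db-01", "type": "database", "region": "eu-west-1", "public": True,
     "tags": {"department": "hr"}},
    {"id": "bucket-export", "type": "storage", "region": "us-west-2", "public": True,
     "tags": {"owner": "carol", "department": "marketing"}},
]


def missing_tags(resource: dict) -> List[str]:
    """Required tag keys that are absent or empty on this resource."""
    return [k for k in REQUIRED_TAGS if not resource["tags"].get(k)]


def unowned_resources(inventory: List[dict]) -> List[str]:
    """IDs that cannot be attributed to a department and an owner (shadow-IT candidates)."""
    return [r["id"] for r in inventory if missing_tags(r)]


def usage_by_department(inventory: List[dict]) -> Dict[str, Dict[str, int]]:
    """Which departments use the cloud, and how: resource-type counts per department.
    Resources with no department tag are grouped under 'unattributed'."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for r in inventory:
        dept = r["tags"].get("department") or "unattributed"
        counts[dept][r["type"]] += 1
    return {d: dict(types) for d, types in counts.items()}


def diff_inventory(before: List[dict], after: List[dict]) -> Dict[str, List[str]]:
    """Drift between two snapshots: added IDs, removed IDs, and resources that
    were private in `before` but are internet-facing in `after`."""
    b = {r["id"]: r for r in before}
    a = {r["id"]: r for r in after}
    shared = set(a) & set(b)
    return {
        "added": sorted(set(a) - set(b)),
        "removed": sorted(set(b) - set(a)),
        "newly_public": sorted(i for i in shared if a[i]["public"] and not b[i]["public"]),
    }


def risk_findings(inventory: List[dict]) -> List[Tuple[str, str, str]]:
    """(severity, resource id, reason) triples, highest severity first.
    Unattributed *and* internet-facing resources are the ones nobody will patch."""
    findings = []
    for r in inventory:
        missing = missing_tags(r)
        if missing and r["public"]:
            findings.append(("high", r["id"], f"public, missing tags {missing}"))
        elif missing:
            findings.append(("medium", r["id"], f"missing tags {missing}"))
        elif r["public"]:
            findings.append(("low", r["id"], "public but owned"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


if __name__ == "__main__":
    print("usage:", usage_by_department(INVENTORY_T0))
    print("unowned:", unowned_resources(INVENTORY_T0))
    print("drift:", diff_inventory(INVENTORY_T0, INVENTORY_T1))
    for sev, rid, why in risk_findings(INVENTORY_T1):
        print(f"[{sev}] {rid}: {why}")
```

Run on a schedule against fresh exports, the drift report is what makes the visibility "automatic": a resource that appears without an owner tag, or flips from private to public between two runs, is surfaced the same day rather than discovered during an audit.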

Who oversees cloud acquisition and utilization in these departments?

Why this matters: Enterprises that are undergoing a digital transformation and adopting a hybrid cloud strategy face the challenge of protecting an ever-increasing attack surface while maintaining compliance with industry and regulatory requirements. The dynamic, self-provisioning nature of today's private and public cloud environments creates shadow IT that can lead to cyber and compliance risks.

CISOs should work closely with C-suite executives and business leaders to decide who will lead the digital transformation and who will oversee its day-to-day implementation. In some organizations this is the CIO or the Chief Digital Officer. In either case, cloud security is a shared responsibility, and CISOs need to help cultivate a culture that believes this and practices it.

What are the essential risk management duties? How do they break down, and who does what?

Why this matters: It's critical to include all of the "ingredients" of cyber and compliance risk management for the hybrid cloud. These include vulnerability management, security operations, internal audit, governance and compliance, and configuration management. A CISO should have in place dedicated security operations and analyst teams, internal auditors, and compliance and governance teams to cover these areas.

This article originally appeared on bloomberg.com, where the full article and its images can be read.