Cloud migrations involve a lot of discussions and resources, which is why you understand the importance of ensuring cloud security.
But, is that understanding common across your organization? Or, are you finding it difficult to explain this to business leaders?
A security breach resulting in the loss of sensitive data is expensive, to say the least. Ponemon Institute research estimates that the average cost of a data breach is US$3.9 million. Desjardins Group had to spend CAD$70 million in 2019 for a privacy breach that exposed the personal data of 2.9 million members. Desjardins also faced a class-action lawsuit from its members.
The indirect costs of a security breach can be substantial as well.
The fallout from breaches has impacted customer confidence and lowered market capitalization; Equifax lost over 30 percent of its market value immediately following its 2017 data breach. It can also lead to job losses.
Image source: From data boom to data doom, Kaspersky Lab
Considering these consequences, every business should proactively take steps to improve security in their cloud computing environment.
Providing your leadership with a clear plan for securing cloud data and fact-based priorities helps everyone sleep better.
Let's take a closer look at how you can get buy-in for cloud security:
Explain how cloud security supports business goals
Your organization has a fiduciary responsibility to its shareholders.
Show how security controls support higher-level business goals like regulatory compliance, brand reputation, and customer retention. You can explain how your cloud applications are classified for potential risk based on each application’s criticality to business goals.
Help your business leaders understand that you have different requirements for different classes of applications and deployments, and how internal and external requirements may affect your security requirements.
External compliance requirements include regulatory standards with which your applications or systems must comply. Internal requirements can include secure coding standards that apply to each class of applications.
Lose the security jargon
Most business leaders don’t live in the security world, and even common terms like “pen tests” and “SaaS” will not be familiar to them (and they are probably not interested in the difference between IaaS and PaaS).
Instead, use business terminology to help them understand that you have different requirements and policies for different classes of applications and deployments, and how internal and external requirements may affect your security requirements.
Present the security risks
Business leaders know there are security issues and risks — that’s why they are worried.
Demonstrating the risks shows that you’ve done your homework. Explain that hosting an application in the cloud doesn’t automatically mean more risk.
More often it's just “different” depending on the deployment model selected (SaaS, PaaS, IaaS) and the “shared responsibility” model of the individual Cloud Service Provider (CSP). Some risks are familiar to leaders, such as vendor lock-in and malicious insiders.
Help them understand that you recognize the risks specific to the cloud environment, including business risks like vendor lock-in and security risks like malicious insiders, ineffective deletion of data, and isolation failure.
Demonstrate security controls to mitigate risks
Risks and threats are a fact of life today.
Most of these risks can be mitigated or eliminated through technical controls. By necessity, the cloud provider will implement some of these controls and internal teams will implement others.
Security controls can include things like 2-factor authentication and testing plans that even non-technical leaders can understand, as well as configuration controls to be implemented by the cloud provider, and verified by internal teams.
Providing leaders with consistent, repeatable, and verifiable reporting with the status of each set of applications — including those hosted in the cloud and in-house — allows them to understand the organization’s risk posture quickly.
Provide transparency and reporting
Security is not a one-step program.
The ability to show verifiable auditing of each security control is critical.
This will undoubtedly include items where controls are not yet implemented or out of compliance due to the release of software patches or the disclosure of new vulnerabilities. Reporting should document schedules for control implementation and plans for validating controls.
Data security is paramount
Remember how we said breaches can lead to significant damage to your business? Security is everyone's concern and it's not just a technology issue.
That's why you must make an effort to assure business leaders that you have a good grasp of the threats your organization faces and a documented plan for mitigating risk.
Organizations that can enumerate regulatory requirements and technical risks and translate those into understandable controls are able to seamlessly communicate about their security posture.