5 Steps to Building a Secure Cloud Strategy

Corporate IT has lost the battle with shadow IT, and it’s time to embrace what that means for enterprises. Beyond employees using their favorite productivity apps like Dropbox and Evernote, enterprises rely on the cloud for critical business functions such as customer relationship management, financial planning and everything in between.

Organizations use 730 cloud services on average, according to the latest Netskope Cloud Report. For the first time ever, departments can use cloud apps without consulting their in-house IT department. Individual users are now able (and empowered) to go around IT because their number one goal is to get their jobs done as efficiently as possible.

It’s an exciting -- and equally scary -- time for IT teams to navigate these new challenges, address security concerns, and convince senior leadership that the benefits of cloud outweigh the risks. Take Genomic Health, a leading cancer diagnostics company. In a webinar hosted by Box, Netskope and Okta, the company’s CISO discussed how the organization uses the cloud to create a competitive advantage across its business, ranging from crunching clinical trials data to collaborating with medical researchers worldwide. Without the cloud, the company would not be able to gain a time-to-market advantage over its competitors.

Rather than just looking at cloud through the lens of cyber-risk, IT leaders must take this opportunity to educate corporate leadership about one of the biggest opportunities IT has seen in years. To clearly articulate the benefits of cloud and gain buy-in from executives, take these five steps to build a compelling enterprise cloud strategy.

1. Audit the current state of affairs: To establish credibility, articulate current challenges, and gain buy-in for your strategic plan, IT leaders must provide corporate leadership an accurate assessment of the current state of affairs. For CIOs who haven’t performed an assessment of cloud usage in their environment, there’s no scarier question than “How are we using the cloud today?” Address this by understanding how many and what types of cloud services are in use in the organization, what they are used for, who uses them, how important they are to your business, how enterprise-ready they are based on objective measures, and what that means in terms of cyber-risk.

2. Define the cloud’s role in organizational success: Before laying out a strategic plan, it is important to express the importance of the cloud to the business and the value to be gained by using it. Think broadly across multiple dimensions about the ways the cloud can affect the organization, including top-line growth, cost savings, and risk mitigation. Rather than merely enumerating these areas of value, quantify and prioritize them to help justify the plan.

3. Articulate a cloud vision: After quantifying the ways the cloud can benefit the business, it’s time to put together a clear vision. This should be a collaborative process with line-of-business counterparts, resulting in a shared vision that senior leadership can support. Involve these peers early and turn them into allies, as they will be champions, and ultimately will provide support for any unforeseen bumps in the road along the way. This vision should align closely with overall business strategy and contain quantifiable business results to track and report on over time. For all of its benefits, the cloud is not a silver bullet. Consider many of the costs, roadblocks, and setbacks associated with new software projects, such as purchasing decision-making, implementation time, lack of maturity of some offerings, implementation snafus and bugs, IT and user training, and investment in controls for security and compliance.

4. Develop a safe cloud enablement plan: Safely enabling cloud means IT must find, understand, and secure the cloud services that are in use or under consideration. This goes beyond knowing the number of services and their associated risks; it also means understanding risky usage of, and sensitive data in, the cloud apps in the environment, both sanctioned and unsanctioned. Be able to answer risk, security, and compliance questions specific to the business, for both the current and future state. Some sample questions to ask include “Does any ‘confidential’ content reside in our sanctioned cloud storage, and if so, who has access to it?” or “Do we have any Payment Card Information residing in our cloud Customer Relationship Management apps?” Finally, securing the cloud isn’t about blocking services. It’s about applying policy at the activity and data level to address real risks. An example of this would be to allow users to access cloud-storage services, but block the upload of corporate content to all except for a sanctioned one.

5. Create a strategic roadmap, owners, and resource needs: Create a roadmap with key milestones, timelines, and owners. Make business counterparts key players in the strategy. They need to co-own it, not just in name, but also in shared goals and incentives, proper resourcing, regular meetings, and shared communications. Give those partners partial responsibility for presenting the plan to the executive team and board and for communicating its progress on an ongoing basis. And lavish those partners with praise when things go well so they link their own career success with the success of your project.

Cloud adoption has become pervasive and will continue to grow. The answer is not to stop this growth, but rather, to partner with the business. In driving innovation forward in the enterprise, IT needs to take the lead and work with the business leaders to develop a joint strategy that shares risk and responsibility.

Al Guibord is co-founder of The Advisory Council International, a non-profit organization that advises boards of directors and C-level executives by assessing and testing their cyber security defenses. 
