Today, I had the opportunity to talk to a group of partners on Cloud and security. The goal was to make them ready for the Cloud and make them ready to answer the customer's questions. One block – obviously – was about security and as I look at it (and as I said), this starts with the customer's processes. In addition, you need a clear and implemented data classification scheme. I am convinced that a Cloud provider that offers the needed transparency and a secure environment (and does not only tell you that they are as secure as e.g. a bank) will often reduce your risk exposure if your overall IT organization is mature enough.
Now, I read this study: New Study Says Senior Leaders are Increasingly Distant from Security, Privacy – a study by Carnegie Mellon and therefore not from a consulting company that wants to sell services. To look at some data and quote the article:
Westby says a comparison of the level of board participation in key areas for IT security governance show the facts:
- Review/Approve Annual Budgets – Sixty-one percent of 2010’s respondents say they never review budgets, compared to only 40 percent from the previous survey;
- Review/Approve Top-Level Policies – 2010’s survey shows that 33 percent say they never do, compared with 23 percent previously.
- Review/Approve Roles & Responsibilities – 43 percent of respondents say they never take part re: IT security personnel, compared with only 28 percent last time.
And these are the customers who want to move to the Cloud? In my opinion the board is key when it comes to risk management, and they have to get involved and take part in it.
Is this the board's fault? This would be too easy from my point of view. This is just the way a lot of security professionals handle this problem and complain that the board is not interested in such topics. What did we as a community do to change this? In the best case we implement a risk management process and include the board in those processes – and speak techie language, not the board's language. We rarely show how a risk might affect the business process, only how it affects the technology. Last but not least, we never show the board how we could use security to help the business grow.
Let's stick with the Cloud for a second. The standard security person tells his/her board that we cannot go to the Cloud because of security (I have heard that very, very often). Why do we not approach it the other way round: we should actually move our "company internal" data to the Cloud to reduce cost and increase security? This is actually true in a lot of cases.
All of a sudden security becomes an asset instead of a blocker – we have to change our attitude! It starts with us!