
The cloud divide: Risks and rewards for companies that moved pre-pandemic

Two camps emerge when one considers impact on business from the pandemic: Those organizations that transitioned to the cloud before COVID-19 transformed how companies manage networks and data, and those who did not.

From a business perspective, the advantage lies with the former. Deloitte interviewed 1,300 professionals from organizations either already operating in the cloud or planning to adopt the cloud in the next 12 months. Only 5.8% of professionals in cloud-savvy organizations experienced slowdown due to COVID, compared to 16.4% among companies that plan to move to the cloud in 2021.

But what about security?

Vikram Kunchala, the cyber cloud practice lead for Deloitte’s financial advisory group, spoke to SC Media about the expanding cloud divide, where security fits, and how organizations can close the gap with early adopters.

What struck you as unusual or unexpected in your research?

The speed of migration decreased for 16 percent of the people surveyed who planned to move to the cloud.

Before the pandemic, organizations that really had a cloud strategy or cloud initiative, that were moving down that path, seemed to do well from a market penetration perspective, a customer engagement perspective. The pandemic really accelerated all of those. And folks who had a strong or fixed presence [in cloud] really came out better than their peers who did not have one or were slow to the game.

On top of that we’re seeing folks who have embedded security front and center in cloud initiatives are better positioned to move, because they feel that they have the right guardrails. That's versus others who are thinking cloud first. For them, there’s always that doubt in the back of their mind, "am I doing the right thing? Am I making some mistake by moving stuff to the cloud?"

Why were those who moved to the cloud better off once the pandemic hit? Is it because the cloud made them more nimble?

That’s exactly right. One of the biggest advantages that the cloud provides us, besides the flexibility and the elasticity, is business agility. If I have to spin up new software fast, I can leverage some of the pre-built capabilities that the infrastructure of the cloud provides so I can in a matter of a few months put up new applications. Or if I need to launch a new geography, I can do that with the click of a button. And that has given a lot of companies really awesome agility to react to the marketplace conditions that sometimes are beyond their control, like the pandemic.

But the acceleration has dropped off?

For some organizations it has, but it can be a function of industries that have been hit badly by the pandemic, trying to just stay afloat, pulling back on initiatives. But [the result is] there will be a broader divide between folks who’ve adopted cloud and cyber and pushed through the pandemic and folks who are late to the game. That’s going to expand that digital divide.

So, competitively, is that significant?

Absolutely, they’re going to be at a disadvantage. You can see that every day – mom and pop shops that are able to take orders online versus restaurants where you have to pick up the phone and call. Overall, take that to every industry: something or other kept people from getting online, because they didn’t have the infrastructure or the cloud readiness.

Can that yawning gap be closed? How do companies overcome the digital divide?

Obviously, they have to prioritize what’s important to them as a business, and if cloud adoption is key, then accelerating the effort in a secure manner is essential. If you have any kind of budget, maybe it’s a good time, even if you’re catching up, to start small, validate the proof of concept, put up your guard rails and then scale it fast.

You don’t want to put security last as you move to the cloud. Were those that already moved to the cloud in a better security position?

Right – otherwise, you’re just trading one set of problems for another. It’s all relative. Yes, they were in a better place, but I think they still need to think through security more holistically. Pre-pandemic, there was a mad rush to get to the cloud as a cost saving measure, as a business [enabler]. Security was really an afterthought. So from an infrastructure perspective, they were able to move fast when the pandemic hit, because they were already in the cloud and could provide more access to applications and to their workforce. But ask me if it was done securely – I would say probably not. They haven’t thought through that they’re moving 50-100 applications. What are the risks of an application? What kind of data does it hold? Who can use it? Is it internet facing? All those drive a certain kind of risk to the organization and they have to think through those in a programmatic manner to put security into the process.

Do companies that weren’t in the cloud before the pandemic have the opportunity then to do this right?

Yes. Even if you’re already in the cloud, you still have ways to go back and fix it, but it’s going to be a little bit more expensive after the fact. Of course, people who are trying to catch up now should always put security front and center. It can never be bolted on. We have this mantra to design security in rather than bolt it on. That security is an afterthought is still surprising after everything that keeps happening in the world.

Is that because the security and app development groups in a company have different goals, that sometimes seem at odds?

The priorities of the application team are different than the priorities of the security team. The priority of the applications development team is to get this thing out fast; the functionality, the time to market [are most important].

Has there been better coordination or collaboration between development and security more recently?

Oh, absolutely. The move to the cloud [inspired] this notion of DevOps, that brings together the development team and the operational teams. What we’ve been talking to our customers about is the notion of DevSecOps earlier on, this notion of shifting security left. Right at the conceptual phase when you’re thinking about an idea, of a product or an application, that’s where you need to introduce security.

Are companies more willing now to shift left?

Yes, they really understand the risks. Now there is pressure from regulators or customers. A big driver is the notion of trust. As an end customer, I have to have trust in you as a service provider that you can keep the data I give you about myself safe and secure. So, it only hurts them if they don’t take these measures. Helping the developers and business team understand this is why security is important in language – like, "hey, we won’t be able to sign on new customers," or "this is going to disrupt our reservation system and we can’t take new orders," is a much better way of explaining than pointing to poor quality in code. The business people are looking at functionality – is it doing what it’s supposed to do. To me security is synonymous with quality of code. If it looks great but it’s not a secure application, then I would not trust that. Would you buy a really nice looking car without seatbelts?

In terms of the divide we spoke about previously, what are a couple of things companies need to do to close the cloud gap between themselves and their competitors?

It really comes to understanding that cloud has a different operating model – it’s not a place where I put my stuff; it’s what can I do with the power of the cloud? It's really rethinking your business to say, "can I leverage the capabilities the cloud provides through flexibility and architectural capabilities and AI? How do I leverage those capabilities for my business?" That’s a separate thought process. And once you’ve got that framed up, then you build new applications in the cloud. You have to understand, "what am I really engaging with my customers for, what are my regulatory requirements that apply to me, what data jurisdiction or residency laws do I need to comply with, what data am I capturing that is personally identifiable or sensitive that I need to protect?" These considerations have to be baked in early to drive the controls that you build as you start operating in the cloud, or moving applications to the cloud, or building new applications in the cloud.
