Cloud use has always been about business innovation, but now we find ourselves in a new era. Today, enterprises are already doing most or all their business in one or several cloud environments. Out-of-the-box on-prem software has become a relic of the past. With cloud-based software-as-a-service and platform-as-a-service, we no longer need the box.
So isn’t it finally time for CISOs to think outside the box? Because malicious actors certainly are. They’re devising ever-more-creative ways to slip inside and move around to spy, steal, and sabotage.
Freeing teams to do the same — to put on their innovation hats, and dream and scheme new tools and techniques to thwart cyber threats — has become a must to stay ahead of our adversaries.
None of this gets any easier. Securing the amorphous, shifting cloud was always challenging and becomes even more so as the organization increases its number and type of cloud environments.
Many of the respondents to PwC’s 2024 Global Digital Trust Insights — 42% — run more than one cloud. Hybrid cloud use, while diluting the “concentration risk” posed by putting all of the company’s data in one place, can multiply security risks by giving malicious actors more surface area for a breach.
The ways bad actors might get in may seem virtually limitless. Organizations must place controls everywhere: on identity and access, lateral movement, email accounts, website portals, applications, proprietary information, customer interactions, operating systems, and connected devices.
The industry’s top performers have attended to their controls, either internally or, often, using managed services, and are reaping rewards: faster business growth, less-costly breaches, reputational integrity, increased revenues.
The remainder of our respondents have yet to do so much of this critical work. They may have their heads in the cloud, but they’ve not yet planted the boots of their security programs squarely on the ground.
Good intentions plus right action equal great outcomes
Chances are high that most readers are well aware of the extent of their cloud risk. Cloud security was the No. 1 cyber risk concern among nearly half (47%) of respondents to our 2024 Global Digital Trust Insights survey. Attacks on connected devices (42%), also a cloud-related risk, were second on the security-risk list. Concerns over cloud security only increase among users of multiple — hybrid — clouds: 54% of these respondents named cloud as their most pressing cyber security risk.
Nearly every organization — 97% — has gaps in its cloud risk management plan. Only 3% maintain up-to-date plans that address all nine cloud security areas. Risks posed by fragmented regulations, for instance, have yet to be addressed by 42%; 41% have no plan for dealing with concentration risk; 36% have not yet addressed third-party cloud risk.
These deficiencies can cause enormous problems for enterprises. And once bad actors gain access to one environment, they’re likely to try their luck with others.
Our respondents acknowledge the heightened risk that using multiple, or “hybrid,” cloud accounts can bring. Hybrid public-private cloud users were more likely to list cloud-related threats as their most pressing (54% vs. 47% overall).
These users pay a price for minimizing their concentration risk. They spend more on cloud security because they must. Hybrid cloud users were also the most likely to select cloud among their top three priorities for security investments over the next year (36% as opposed to 33% overall).
Shaken, not stirred
Cloud security tops the list of budget priorities over the next year among all respondents, along with network and internet-of-things (IoT) security, which are also cloud-connected. Application security, another cloud-related concern, comes in second among planned expenditures.
But most companies haven’t yet done the basics, as we’ve seen. Rather than letting the cloud risk management plan languish, it’s important for companies to shake up the status quo, involve themselves in discussions around innovation, and allow the organization to get creative with cloud.
For example, the company might want to join the so-called “Platform Revolution” by linking its customers and external partners to deliver even more services to both. That sort of bold move can only succeed with the right security in place. Or—is there a cloud project the company wants to try? An initiative for doing security differently that the team might propose?
Start by recognizing the challenges in securing the cloud. Understand that the organization must do more to control access, thwart lateral movement, and tackle other cloud challenges. Now’s the time to shake the security program out of stasis or sluggishness, and breathe in new life.
Will 2024 be the year the company turns its good cloud security intentions into great outcomes?
With the right intentions followed by right actions, the companies that dare to follow their cloud-security dreams and bring them to fruition are the organizations that will reap the richest, most rewarding outcomes.
Prakash Venkata, principal, cybersecurity and privacy, PwC US