Assurance in the Cloud - How to turn compliance challenges into competitive advantage?
21 May 2019
Technology is revolutionising the way we live, work and communicate with each other. I recall a time when a mobile phone was an item of luxury. Now, as we approach 2020, the number of connected devices per person is expected to be 6.58; that’s about 50 billion connected devices! This has all been made possible by “the cloud”, arguably the most powerful technology impacting today’s businesses. As on-demand, flexible, scalable and elastic IT infrastructure, Cloud brings significant benefits to those who consume technology.
Last week, at our Technology client breakfast briefing, I had the opportunity to present on ‘assurance in the cloud’. A good proportion of the clients who attended were already using cloud solutions; however, comfort levels dropped when they were questioned about how secure they felt in using these services.
Personally, Cloud has transformed how I communicate with my friends, colleagues and family. For example, I use Google Hangouts to chat to my overseas colleagues and G Photos for sharing holiday pictures with my family. In the business context, senior business leaders say Cloud computing will have a profound impact on their business and is the key enabler for more advanced technologies, such as Artificial Intelligence.
Put simply, Cloud is a form of outsourcing - a third party provides the infrastructure on which you store your data and you use it at your convenience. However, this brings with it a new set of risks. Hence, it’s no surprise that the path to innovation and efficiency driven by Cloud is often slowed down by real or perceived concerns about security, compliance and data privacy.
The growth of security regulation
This rapid advancement in technology has created sophisticated cyber threats. As Cloud technology has matured, so have user expectations – there is an increased demand for trust and transparency.
This has led to the growth of security-related regulation: starting with basic information security certification back in 1995, it now takes many forms. The pace of regulation has increased significantly in recent years, for example with GDPR and Cyber Essentials coming into effect with heavy financial penalties for non-compliance. There are also various specific Cloud-focused regulations such as HIPAA (Health Insurance Portability and Accountability Act), FedRAMP (Federal Risk and Authorization Management Program), Privacy Shield and C5 (Compliance Controls Catalogue).
The Compliance challenge
Such regulations and the demand for transparency have led to many customers exercising their “right to audit”, requiring Cloud providers to complete onerous and costly security control self-assessments and questionnaires.
Compliance to competitive advantage
However, compliance can create a differentiated position if approached right – customers want assurance that their data is secure and that Cloud providers have the right controls in place. Cloud providers who demonstrate good governance and a sound control environment through certifications and independent assurance reports (for example SOC1 and SOC2 reports), create a service-differentiating marketing tool that sets them apart from competitors.
These assurance reports allow Cloud providers to display how they are approaching and managing their risks and challenges, and help to build trust and transparency with their stakeholders – customers, regulators and investors. In most cases they also save management time, allowing management to focus on product development and growth priorities.
According to Gartner, Cloud computing providers who refuse to undergo this scrutiny are ‘signalling’ that customers can only use them for the most trivial functions.
Areas to focus on
Cloud technology brings many benefits. With the right support and planning, the benefits will outweigh the cost and the associated risk. Here are my three takeaways for users and providers:
For Cloud providers:
- Demonstrate leadership and differentiation in a “disruptors” market
- Demonstrate to your current and potential customers the strength of your governance structure, control environment and approach to security, and consider an independent assurance report
- Implement the right controls, monitor them continuously, and be agile and proactive in meeting your customers’ needs. This will build trust and create transparency
For Cloud users:
- Ask the right questions of your Cloud providers before procuring the services and challenge the provider to give you answers
- Recognise the challenge - review what the risks are, and be clear about how you will mitigate them
- Understand how both your and your Cloud provider’s controls work and the level of assurance you need
If you have any questions or you’d like to discuss how we can help you, please contact me.