Taimur Ijlal

Summary

The article discusses common pitfalls in cloud security implementation, emphasizing the importance of ongoing governance and alignment with business strategy.

Abstract

The article "4 Reasons Why Cloud Security Projects Fail" delves into the critical errors organizations make when approaching cloud security. It underscores that cloud security is not a one-time project but an ongoing environment that requires continuous attention. The author highlights the necessity of formalizing responsibilities, aligning security measures with the business roadmap, and demonstrating the return on security investments. Failure to treat the cloud as a distinct environment with its own governance can lead to data breaches and management visibility issues. The article also stresses the importance of a Cloud Security Governance model to ensure that security processes are effective and evolving, advocating for a formal policy, a strategic roadmap, and defined reporting metrics.

Opinions

  • The cloud is misunderstood as a one-off solution rather than a dynamic environment needing persistent governance.
  • Organizations often fail to clearly define roles and responsibilities for cloud security, leading to ambiguity and potential security lapses.
  • Aligning cloud security strategies with the overall business objectives is crucial for the successful implementation of security measures.
  • Investing in cloud security tools without a clear understanding of the business problem or strategy can be ineffective and wasteful.
  • Demonstrating the value of cloud security investments to management through proper metrics is essential for ongoing support and funding.
  • A Cloud Security Governance model is vital for maintaining functional security processes and for the evolution of cloud security within an organization.
  • The Cloud Security Alliance and Amazon Web Services are recognized as valuable resources for organizations looking to implement a robust cloud security framework.

4 Reasons Why Cloud Security Projects Fail

Do not make these mistakes when implementing cloud security in your company.

I recently wrote about the importance of having a cloud security strategy for your company.

The need for a proper security roadmap, whichever cloud model or platform you use, cannot be overstated.

But one key question remains — what next? I.e., what happens AFTER the roadmap is implemented?

This is what I want to talk about today and give some reasons as to why a LOT of cloud security projects fail after the initial security push.

What makes Cloud Security fail?

In my own experience, some of the critical reasons that Cloud Security implementations fail are the following:

Reason 1: Treating It Like a Project And Not an Environment

The Cloud is a different animal and an entirely new way of doing things.

It is not a solution you implement and then forget about.

Treating it like a project you finish and then hand over is a surefire way to have a data breach.

Treat the cloud as a separate environment, as critical as your on-prem one, with the same level of governance required.

The Cloud is not something you do on the side while focusing on your on-prem systems.

Reason 2: Not Formalizing Responsibilities

Assuming that responsibilities in your on-prem environment will translate to the cloud is a dangerous assumption to make.

Many companies fail to set down who will be responsible for implementing security controls, patching, monitoring, etc., in the cloud, leading to ambiguities that can be disastrous.

Ensure a formal and approved org chart is set up that establishes who is responsible for cloud security in your organization.

If your organization plans to outsource most of its cloud work, make sure your organizational chart reflects that.

Trying to figure out who will do patching in the cloud

Reason 3: Not Aligning With The Business Roadmap

Without a proper strategy, you will just be buying/implementing controls with no idea of the larger picture of the problem you are trying to solve.

Similarly, the cloud does not exist in a bubble and has to be aligned with your overall business strategy.

If the company plans to use AWS in the next three years, then investing in Azure-based tools is not the way to go in the long run.

Reason 4: Not Showing The Return On Security Investment

A long-running challenge in cyber-security is not having proper metrics to report to management.

Without metrics, you will not have visibility and will be unable to report the status of controls to management.

Without visibility, management will not see a return on investment and will not provide future approvals for the tools you will need.

The Cloud will become too cumbersome to manage until a data breach happens, and then everyone will be scrambling to put something in place, i.e., the kneejerk reaction.

Why Cloud Security Governance Is Needed

Before we get into Cloud Security Governance, let me be clear about what it is not.

Cloud Security Governance is not:

  • A tool or commercial product that you implement
  • A Policy that you write and then forget about after passing an audit
  • A checklist
  • A standard
  • A certification that you acquire

Cloud Security Governance refers to a formal management model or framework you put into place to make sure all the cloud security processes remain working and functional.

This is critical, as you will be surprised to know that in many companies there is still confusion about who will handle cloud security, who will do patching, who will report security breaches, etc.

This is why having a Cloud Security Governance model is so important.

Key components

The level and detail of a Cloud Security Governance model may change from organization to organization, but some things remain the same.

The Cloud Security Alliance also offers some excellent guidance on how to go about implementing a framework, as does Amazon Web Services.

Regardless of the organization, some of the minimum components of a cloud security governance model are:

  • A formal Cloud Security policy approved by management
  • A cloud security roadmap or strategy to implement that policy AND align it with the larger business strategy of the company
  • A proper organizational chart formalizing who is responsible for cloud security
  • Reporting metrics for senior management visibility into cloud risks
Source: Author

Create a framework with these things in mind, and cloud security will become a living, breathing entity that evolves and matures over time!

Wrapping it up, the key questions that a cloud security governance model helps to answer are:

  • Who is handling cloud security in our organization?
  • How secure is our cloud?
  • Are our cloud security investments giving us value?
  • What are the key risks we should know about?

I hope you enjoyed reading this. If Cloud Security interests you, then check out my earlier video on creating a Cloud Security Strategy.

Taimur Ijlal is a multi-award-winning information security leader with over two decades of international experience in cyber-security and IT risk management in the fin-tech industry. Taimur can be reached on LinkedIn or on his YouTube channel “Cloud Security Guy”, on which he regularly posts about Cloud Security, Artificial Intelligence, and general cyber-security career advice.
