How to accelerate cloud adoption with security by design
Article | Robert Masse, Partner and National Cloud Security Leader
In a world of continuous change and disruption, Canadian organizations should be embracing security to accelerate business transformation and resilience.
Now more than ever, organizations are looking for ways to build resilience and future-proof their businesses from new and emerging threats. Over the last two years, there has been a dramatic shift toward fast-tracking digital transformation plans and investing in the cloud. And this growth in digital shows no signs of stopping. According to Deloitte’s latest research on the state of cloud adoption in Canada, 88% of the 200 organization decision-makers surveyed from across the country plan to increase their use of advanced technologies to create new market opportunities and 74% plan to increase their cloud spending over the next five years. Despite this optimism, the same respondents only expect to shift 5% of their workloads to the private or public cloud in the next three years—with leaders choosing privacy/data concerns as their No. 1 barrier to achieving progress.
Cloud presents an unwavering opening for organizations to drive business transformation and better enable agility, new products, and unrealized data strategies. However, many are missing the opportunity to change their organizations—their ways of working and teaming—by taking full advantage of the technology’s potential. Simply moving existing IT infrastructure or software into a virtual environment is not enough. Organizations can start by considering their business strategies, goals, and outcomes, and how they bring together digital imperatives like experiences, insights, platforms, connectivity, and integrity in a cross-functional way.
Achieving velocity demands a mix of cloud and cyber skill sets and strategies. Deloitte’s research has shown that those organizations with mature adoption of cloud and cyber technologies "become more resilient and agile" (75% versus 53% overall) and are better able "to predict future trends, risks, and threats" (70% versus 49% overall). Perhaps this explains why a recent Deloitte global cybersecurity survey showed that is the second top priority for CISOs and CIOs in their digital transformation efforts. So how can organizations effectively embrace an integrated cloud/cyber strategy to maximize their digital potential?
The security paradox
It’s important to recognize that cybersecurity is still one of the most misunderstood areas of the cloud. In Canada, our survey revealed that security is both the top barrier to cloud progress and the No. 1 driver of cloud adoption.
We also found that those who do understand the security benefits of the cloud also have difficulty convincing decision-makers that the cloud is secure, with 85% of respondents saying they find it challenging.
Source: Deloitte, Accelerating to the cloud: Breaking through the cloud-adoption plateau, 2021
New thinking for cloud security in a cloud-enabled world
In our view, the way organizations approach their cybersecurity and cloud needs to evolve. Simply lifting and shifting old programs and procedures from legacy technologies into cloud environments is ineffective and can be a barrier to more wholesale adoption.
Leading organizations embrace cybersecurity as a differentiator to promote greater stakeholder trust and better use of cloud-native solutions (programs built specifically for the cloud) that take advantage of the cloud’s full potential.
So where does one begin?
How to embrace the cloud with security by design from the start
An organization’s view of security as either a barrier or an opportunity often depends on its maturity. Less mature organizations point to security as a bottleneck to speedy enterprise cloud adoption. More mature organizations talk about “shifting left,” with DevSecOps (development, security, and operations) and security by design cloud migrations that bring together cloud and cyber teams in centres of excellence. Finding the right talent to shift left in a way that balances security and velocity is a challenge in today’s Canadian marketplace.
Our view is that you should not lift and shift on-premise controls to the cloud. Migration requires a mindset shift. Organizations will want to shift their thinking from protecting their home with the biggest gate and security alarm to creating an environment where security is everywhere in a more federated way, across every individual, access point, process, and aspect of the network/application/infrastructure. Done right, organizations can dramatically enhance their overall cybersecurity posture.
We’ve also found that once senior executives and boards understand how security works in the cloud, they realize that it’s an asset and not a liability. It’s a tool that helps organizations accelerate and not slow down. Organizations have a better ability to scale their security needs much faster and more nimbly in the cloud than they can on premises. Why? Because of the automation capabilities and the increased storage and data capacity. In the cloud you can push infrastructure as code, allowing you to fix a security problem in real time, before it’s too late. You also no longer need to spend hours or days standing up a new physical server when your storage capacity runs out—that now happens automatically and within seconds. Continuing education is often needed to ensure this message is communicated across the organization and achieve board support and C-suite alignment.
As seen in our survey results, Canadian leaders feel that there are still a lot of unknown unknowns, causing what we feel could be a plateau effect in response. More evangelizing and awareness are needed. A bolder vision and courage are required to push through the perceived barriers.
Security as a catalyst for velocity: Five considerations
Ultimately, the cloud’s potential and what it can accomplish is too great. Those who have already adopted know just how powerful the cloud can be. With the ability to act quickly, automate security features, and easily adjust your security needs along with your business needs, your organization will be ready for whatever comes your way. From our view and experience, we see these five areas as imperative to accelerating cloud and security by design strategies that drive business agility and resilience.
- Lead with strategy not technology: The cloud is an enabler of true business transformation, and your business goals and objectives should come first. Organizations should consider their business strategy and what it is meant to achieve. The technology itself should come second—to help you get there.
- Embrace security with velocity: Keep security levels high by incorporating cloud-native security capabilities that also allow you to rapidly iterate your shift to the cloud.
- Create a centre of excellence: Integrate your cloud and cybersecurity teams so you can transform both areas together.
- Be bold in your vision and leadership: For this transformation to work, C-suite and board alignment is imperative to facilitate faster adoption and scalability. Overcoming security perceptions about the cloud will need to be tackled to make this happen.
- Develop shared governance models: With cloud adoption, security duties can be split between the cloud provider and the company. Work with your provider to define who’s responsible for what.
To learn more about Deloitte Canada’s latest state of cloud research, download the full report: Accelerating to the cloud: Breaking through the cloud adoption plateau
Robert Masse is a national partner in the Risk Advisory practice. With over 20 years of experience in cybersecurity, he’s built a reputation as a pragmatic security executive. He helps clients develop security programs like incident response, cyber intelligence and information security management.