A new culture for cloud
Cloud has to be embraced. If people embrace it, then the rewards will follow.
Companies often fail to take proper account of people in their digital transformation and change management programmes. The move to the cloud is no exception. Adopting the cloud can have a profound effect on the culture of the organisation.
Some staff do not like the cloud. They can be sceptical about its benefits and its impact on their jobs. These reluctant adopters will not usually go so far as to sabotage its implementation and running, but their lack of commitment can make it a more difficult and lengthy process. Over time, though, people gradually adapt to technological change in a positive way. We have seen this countless times in the past, as mainframe computers have given way to personal computers, paper documents have been largely replaced by electronic documents and conventional marketing is being overtaken by social media campaigns. We are seeing similar levels of flexibility and acceptance among the workforce as businesses move from on-premise to cloud computing. The world of the cloud is highly automated, which means fewer people are needed to generate the same output – but in most cases the efficiencies of the cloud can lead to greater output, so the workforce headcount may remain the same or even increase. Cloud is quite likely to be a job creator, not a job destroyer. Both parties – employer and employee – have to recognise that moving to the cloud means a change in corporate culture, how things get done and how success is defined.
The risk of employees committing fraud, stealing data, causing malicious damage or simply being negligent is a perennial problem, but one that companies have to be especially vigilant about in times of change when new policies and practices can disguise, or even encourage, untoward behaviour. More than half of high-impact data loss incidents are caused by people – staff or contractors – who have authorised access to a company’s computer network. Using a cloud service provider creates an additional level of insider risk for companies, which has to be managed. The company therefore needs to carry out an insider risk assessment of its own organisation and establish at the contract negotiation stage what recourse it has to the CSP for any risk-loss events. Senior managers often have the wrong idea of what a malicious insider looks like. They may think it is someone who has recently joined the company. In fact, it is more likely to be a long-standing and previously loyal employee, contractor or business partner whose attitude shifts and who feels justified in acting inappropriately or illegally. Not understanding this can lead to a lack of consensus among managers and disagreements on the measures and controls needed.
There are also serious regulatory minefields to avoid, especially on the data privacy rights of staff. Data privacy regulations must be adhered to. It has been known for cloud customers to ask their cloud providers to monitor the customers’ staff and report on their actions, without establishing the legal and ethical basis of such monitoring and reporting. This is a major error, with potential legal repercussions. Formal governance is needed to ensure that staff monitoring meets a clear business purpose, is controlled, proportionate, reasonable, risk-based... and legal.
- It’s crucial to address people’s concerns about their job security; making them feel needed is key.
- Before contracting a cloud service provider, a sound understanding of the customer’s insider risk and how effectively it manages this is a pre-requisite for a meaningful dialogue.
- Knowing what a malicious insider looks like is vital.
- Data privacy regulations must be adhered to.