5 Things CISOs Should Ask Before Moving To Cloud


Today's IT infrastructure changes fast and is extremely complex, which makes it hard to secure data spread across physical, virtualized and cloud environments. At the same time, businesses of all sizes face continuous pressure to adopt cloud technology, which offers benefits ranging from cost savings to greater agility. That pressure brings into focus the issues that matter most when moving to the cloud. Here are five simple questions that help shed light on your organization's need for, and readiness for, a move to the cloud.

1. What is driving your migration to cloud?

The "cloud" has been a key word in boardroom discussions for some time. Assumptions about what it delivers vary across an organization, and it is important for security professionals to cut through those preconceptions and push for decisions grounded in business requirements. The benefits usually cited for migrating to the cloud are IT flexibility, security, collaboration, data recovery and reduced cost. Placed in the context of actual business requirements, these translate into scaling operations efficiently, gaining visibility, ensuring business continuity, cutting capital expenditure, and raising productivity by removing roadblocks. The security team has its work cut out identifying which of these is the primary goal behind the organization's move to the cloud, because that goal determines which risks are acceptable and which controls are non-negotiable.

2. What should you be considering when building your cloud security strategy?

The enterprise cloud strategy provides the framework for running agile business practices on public cloud while keeping data secure. A sound security strategy should cover how data is classified and used, who may access it, which regulations and compliance obligations apply to the business, and a comprehensive security model that covers data on every type of storage and network it traverses. Once the strategy is in place, frame a cloud usage policy that is complementary to it. Finally, the IT team must win the support of the board and C-suite to give the strategy a realistic chance of success.

3. How have new data security regulations shaped the cloud?

Demonstrating readiness for the cloud requires that organizations comply with, implement and enforce the security and privacy rules laid down by local and international governing bodies. For instance, the EU General Data Protection Regulation (GDPR), which takes effect in May 2018, plays a crucial role in shaping online business transactions and the exchange of personal data, and it applies to organizations outside the EU that process EU residents' data. In addition, most countries have national (and, in federal systems, state-level) regulations protecting the privacy of personal data. Another body of law that governs cloud use is breach notification law. Under these laws, companies are obliged to notify affected individuals, and often a regulator, within a stipulated time if their personal data has been compromised; the notification window and the definition of a breach vary by jurisdiction, so the contract with the provider should state how quickly the provider will inform you of an incident on its side.

4. What are the considerations in a shared responsibility model?

Cloud security is a shared responsibility between the cloud service provider (CSP) and its customers. Under this model the CSP is responsible for the security of the cloud infrastructure itself (physical facilities, hardware, hypervisor and the provider's managed services), while the customer is responsible for security in the cloud: its data, identities, network configuration, applications and, depending on the service model, the operating system. The dividing line moves with the service model: with IaaS the customer patches and hardens the operating system, while with PaaS and SaaS the provider takes that on and the customer's responsibility narrows to data, identity and configuration. The same split applies to compliance: a provider's certification covers only its side of the line, and the customer still has to demonstrate control over its own share. Unraveling the CSP's role under this model requires security professionals to ask pointed questions of the provider, so that the organization can gain assurance over identity, access, data and application control. These questions may be as varied and specific as:

a) What are the vendor's security practices?

b) Can they substantiate their cloud security expertise claims?

c) Does the CSP demonstrate knowledge of industry-specific security challenges?

d) Can the CSP provide third-party security certifications and audit reports (for example ISO 27001 certification or SOC 2 reports), and do those reports cover the specific services you intend to use?

e) What visibility do you get into the CSP's cloud infrastructure, and what logs, alerts and incident notifications will it give you?

5. What are the best practices for reducing data security risks in the cloud?

Any cloud adoption or migration gives rise to a wide range of perceptions about cloud security, and managing the perceived complexity of cloud security is an important task for security professionals. The first item on the list for reducing data security risks is getting board and C-suite buy-in, because the biggest challenge to succeeding in the cloud lies in organizational and business process change rather than in technology. Without full support at the top, it is difficult to do business effectively in the cloud. Beyond that, the security team should take the following steps to reduce data security risks:

a) Identify the regulations and compliance obligations that affect your business, and map each to the cloud services and data sets it covers

b) Decide how data will be encrypted at rest and in transit, and who holds the keys: provider-managed keys are simpler, but customer-managed keys keep the provider from reading your data without your involvement

c) Establish and enforce identity and access control policies built on least privilege and multi-factor authentication, and review granted privileges on a schedule

d) Establish auditing and reporting procedures, ensuring the provider's audit logs are enabled, retained and fed into your own monitoring

e) Train all users on the policies, including what they may and may not store in the cloud


In any case, it is important to question cloud IT procedures and policies, whether newly proposed or already in place, to determine whether they are still valid. Remember that your IT policy drives user behavior, so keep it consistent with your strategy. A successful cloud policy not only ensures security and compliance, but also reduces both the likelihood that a risk materializes and the impact when it does.