We all get that feeling when we board an airplane: We know it’s safe and we know we’ll get there, but that lingering doubt in the back of our minds or in the pit of our stomachs is always there as we take off. I think the same sentiment applies to organizations using the cloud. The 2014 IBM Chief Information Security Officer (CISO) Assessment survey shows that the fear of losing control or ownership is the main reason why many security and business leaders are still hesitant to adopt the cloud.
There are tens of millions of flights per year that take off and land without incident, yet people still worry. Many say that security in the cloud is even stronger than traditional, on-premises IT security, yet people still worry. The airline business is wholly dependent on the safety of its passengers, and the same can be said for cloud providers. We must have the confidence to let go.
The 2014 IBM CISO Assessment looked closely at security leaders’ thoughts, apprehensions and approaches to cloud security. What does adoption currently look like? What are the elements of a good strategy? Are investments being made now? How about in the future?
The survey’s findings indicated that the fear is definitely there. The assessment asked security leaders to estimate the likelihood of particular events happening in the next three to five years. The No. 1 event on the list, with nearly half of respondents anticipating its occurrence, was a major cloud provider having a significant security breach that causes a high percentage of its customers to switch providers.
The good news is that CISOs are using the cloud anyway. Eighty-six percent said their organization has or is planning to implement cloud initiatives. The assessment found that 60 percent are currently using software-as-a-service, 59 percent are using infrastructure-as-a-service, and 30 percent are using platform-as-a-service, with an additional 43 percent planning to use it. People are flying.
What About Investment?
Of those who have adopted or plan to adopt cloud services, two-thirds will spend more than 10 percent of their security budget on the cloud over the next 12 months. In the next three to five years, 75 percent of security leaders expect their cloud security budget to increase or increase dramatically. People intend to fly more.
So what is bolstering the confidence of security leaders? What is important to them when it comes to a solid cloud security strategy and a strong vendor? There are many possibilities, such as data security, compliance, managing access, visibility into user activity, privileged users and internal training and skills. The top three areas — which more than 70 percent of respondents said were very important — included ensuring the privacy and security of data, protecting against network and Web-application attacks and meeting regulations and compliance. These elements are also reflected in what security leaders look for in a cloud vendor: 64 percent said that a basic level of network protection was very important; 61 percent said managed services for the cloud; and 58 percent said security policy management across clouds and service-level agreements for security.
Because a cloud provider’s business relies on its ability to guarantee security, it’s natural that this area would receive its focus. Security leaders and their business counterparts have to find ways to build their confidence and relinquish a bit of their control. The usage of and investment in cloud flying are already there; it just may take some time for people to get comfortable flying.
Originally published on the Security Intelligence blog on November 5, 2014