Migration to a cloud infrastructure is becoming a necessity for organizations globally to build operational resiliency and effectiveness, but this is complex and creates new risks.
On February 8th, the U.S. Department of Treasury released a report assessing the opportunities and challenges of adopting cloud-based technologies within the financial sector. Themes were identified through responses from almost 50 American financial sector organizations at various stages of cloud implementation.
The concerns identified in the report extend beyond the financial sector and are ones that we have advised our clients on as they transition to a cloud environment. We highlight some of these challenges here and discuss how organizations can securely and effectively continue their digital transformation.
The challenge of third-parties
The report highlights the challenges of current third-party due diligence approaches. It concludes that self-attestation questionnaires are no longer enough to mitigate cyber risks.
Organizations are caught between the need to assess risks on-boarded through vendor relations, and the immense resources required for a comprehensive audit of their third-parties. Information exchange itself can be a challenge, with growing reticence by suppliers to share sensitive information that may expose their own infrastructure.
We are increasingly encouraging our clients to take a proactive role in third-party risk identification while minimizing business disruptions. By combining a consultative approach with questionnaires and short interviews with key security stakeholders, organizations can gain rapid insight into the state of their vendors’ cyber security programs.
Additionally, organizations should carry out a passive external scan of their vendors’ networks and conduct a prompt threat analysis. The analysis should include deep and dark web collection of any indications of malicious intent towards the organization or compromised credentials of its employees to enable a threat-led and risk-based approach to third-party cybersecurity management.
The challenge of the talent gap
The Treasury also identified challenges inherent to shortfalls in cyber security and information technology staff in enabling a company’s transition to the cloud. The report describes the shared responsibility model of cloud adoption, where financial institutions and their cloud service providers have separate roles in maintaining the security and integrity of this new operating environment.
A lack of sufficiently qualified staff within any organization moving to the cloud can have disastrous consequences and lead to misconfiguration and vulnerabilities which threat actors increasingly exploit. Our team has advised numerous clients in this transition from the strategy development stage through to network penetration and staff augmentation.
Incorporating a security mindset from the outset of an organization’s cloud adoption strategy helps to ensure the transition is both a secure and successful one.
The challenge of crisis management
A third identified challenge is the significant expansion of a cloud-based organization’s attack surface and the need to adapt crisis management approaches to this new reality.
While many organizations within critical sectors configure their cloud environments for maximum resilience and minimum down-time, cyber crises impacting cloud services can have disproportionately negative effects on business operations. In our work with clients from all industries, we have increasingly focused cyber crisis management exercises on cloud-based scenarios.
Many organizations are rapidly realizing the criticality of revamping their approach to cyber crises when they impact cloud environments and require a significant reliance on third-party vendors. Exercising these processes in simulated conditions can ensure that crisis management teams are ready to work seamlessly with their vendors to mitigate the impact of a cyber crisis.
The challenge of regulations
The financial sector alongside others expressed a lack of comprehensive understanding of both the current and future state of cyber security, as well as data privacy regulations at national and state levels in the US. The White House’s new national cyber strategy, agency-level cyber security regulations and state-level consumer data protection laws combine to generate a complex, challenging to navigate, and constantly evolving ecosystem.
Expanded to the global stage, this lack of clarity can lead to unintentional non-compliance with government policies, or a reticence to adopt cloud technology at all within organizations. Cyber compliance advisory is becoming a necessity for both domestic and international businesses.
Understanding which regulations apply to their business, how to best understand the future of the regulatory landscape and how to setup a cyber security program that remains compliant in the face of the continued emergence of new regulations and policies is critical to the resilient implementation of new technologies across all organizations.
Navigating cloud adoption
While the adoption of cloud-based technologies can feel daunting, organizations are not alone in their identification of challenges inherent in the process. The Control Risks cyber team leans on decades of heritage in threat mitigation and risk management to bring best practice strategic advisory to institutions looking to maximize the benefits of digital transformation while minimizing the accompanying risks.
Have a question about resiliency, compliance or digital agility for your organization? Email our team at[email protected].