New Survey from Cloud Security Alliance and Google Finds Cloud Adoption Improves Risk Management and Mitigation

The Cloud Security Alliance (CSA) released Measuring Risk and Risk Governance. CSA collaborated with Google Cloud on the survey, which was designed to assess the maturity of public cloud and risk management within the enterprise and provides a deeper understanding of public cloud adoption and risk management practices within the enterprise.

The process of digital transformation involves adopting technologies that enhance operational and customer experiences. With an eye toward improving overall business risk management, the cloud is increasingly seen as a means to strengthen an enterprise’s risk posture, a move that is often accompanied by an upgraded approach to application, data, and infrastructure security. Accordingly, enterprise risk assessment processes must adapt the cloud model and take into consideration the implications of shared responsibility, where both the cloud service provider and customers have ownership in the delivery of services. Evaluating cloud and business risk together provides a better understanding of IT’s impact on an enterprise’s overall risk maturity, including adopting a shared fate partnership between CSP and customers.

“With enterprises continuing to add production in the cloud and the growing use of cloud services, managing cloud and digital assets will be critical in risk management and measurement,” said Jim Reavis, co-founder and CEO, Cloud Security Alliance. “While there is still work to be done as organizations mature their ability to manage cloud and multi-cloud security and risk mitigations, these issues are improved in the cloud when compared to current on-premise and legacy IT environments. This study confirms that an organization’s best path to viable risk management involves IT modernization into the cloud or cloud-like on-premise infrastructure.”

Among the survey’s key findings:

• As organizations adopt cloud, they are challenged to evaluate risk. There is no consistency of data classification across the use of cloud platforms and services – only 21 percent of users are utilizing cloud service data classification, and only 65 percent of those users are aligning with internal data classification schemes.
• Cloud risk evaluation faces challenges with growing business adoption of cloud. With cloud adoption numbers increasing, more than half (52%) of organizations reported that they did not evaluate the risk of their cloud services being used after procurement as product features or business environments changed.
• Tools for quantifying and measuring risk need to improve. Seventy percent of organizations reported less effective processes for assigning risk to cloud assets, with only 4 percent reporting having highly effective practices.
• Monitoring, measuring, and reporting is difficult. Thirty percent of enterprises reported that risk scoring systems are used as a directional guide to risk improvement for certain cloud solutions as opposed to measurements that can be relied on for comparison across all cloud services.

“Increasingly, cloud is becoming less of a risk to manage and more of a means to manage these risks. Continuously evaluating your risk status allows enterprises to properly configure and maximize the effectiveness of their security solutions, which in turn, protects their assets and improves business productivity,” said Phil Venables, Chief Information Security Officer and Vice President of Google Cloud. “This study has shone a light on the opportunities enterprises can take to manage and measure their risk, and will hopefully lead to improved risk management practices. And, whereas these practices impact many areas in the enterprise, modernizing the approach helps both businesses and providers improve their cloud adoption.”

The survey was created to add to the industry’s knowledge about enterprise risk, and was conducted in two phases. The data gathered in the first round of interviews, which were conducted by CSA, were analyzed and used to refine the question set for the second part, an online survey that received responses from more than 600 IT and security professionals from a variety of organization sizes and locations.

Download Measuring Risk and Risk Governance now.