Cloud, Services, and Security — Two out of Three isn’t Good Enough

Brevity, according to Shakespeare, is the soul of wit. When it comes to the language used to describe the current and future state of information technology (IT), brevity seems to be the soul of it as well. Consider, for example, how much of IT is encapsulated into a single word—Cloud. To cloud or not to cloud is no longer the question. The question is how to cloud, and its multiple choice answers are also single words: Public, Private, Hybrid. Cloud deliverables are encapsulated into another single word—Services. And even more single words are used to describe the most common cloud services: Infrastructure, Platforms, Software.

A recent survey of IT leaders found that another single word (the brevity of its discussion is the opposite of wit) encapsulates the biggest concern organizations have about cloud-based services—Security. The vast majority of survey respondents expressed concern that traditional security tools can’t adequately protect cloud services. Public cloud risks were the most commonly cited. These included concerns that existing security policies may not protect data shared via public cloud services, especially data that is subject to compliance standards (e.g., PCI DSS, ITAR, SOX, GLBA, HIPAA).

This doesn’t mean securing cloud services is impossible; it’s just too often an afterthought. Or as Mike Vizard put it, there’s just not enough insecurity about security. “While demand for managed security services has never been higher,” Vizard explained, “the size of the overall market remains constrained by both a false sense of the security expertise of the internal IT organization along with an apparent unwillingness of the senior leadership of most organizations to increase the size of the IT security budget itself.” Vizard cited a study that found less than ten percent of IT budgets are allocated to IT security. Oddly, this underfunding of security persists even with the increasing number of data breaches, and other security failures, being regularly reported.

With many organizations relying on managed service providers (MSPs) for cloud-based solutions, some, including Julie Hunt, recommend having MSPs manage all aspects of security, including securing cloud services, in order to free up in-house IT teams for other important tasks. Others, including Robert Covington, have suggested that it’s better to have a member of the in-house IT team whose job is entirely dedicated to security, as opposed to it being one task among other responsibilities as is more often the case. Either way, comprehensiveness needs to trump brevity in this instance. When it comes to cloud, services, and security, choosing two out of three isn’t good enough. Let’s encapsulate the future of IT with three words—secure cloud services.

This post was brought to you by IBM for MSPs and opinions are my own.