The Security Leadership Series. Cloud Migration: The Sky is the Limit

To identify the key trends, issues and considerations regarding cloud adoption, and to leverage local insight into that adoption, we conducted a comprehensive study that gathered data and insight from approximately 30 influential Australian leaders in technology and security.

Survey participants were chosen from a diverse range of organisations, large to small, commercial and government, and from various industry sectors including, for example, financial services, education and healthcare.

While these leaders were given an overall structure from which to respond to key questions, an important aspect of the survey involved having an interactive conversation to capture views from their individual and organisational perspectives.

We chose to base the questions broadly around the NIST Cybersecurity Framework, and more particularly its 5 main ‘functions’ of Identify, Protect, Detect, Respond and Recover. The NIST Cybersecurity Framework is a comprehensive set of ‘best practices’ for helping organisations improve their cybersecurity maturity.

The aim was to capture practical insight from various perspectives, to identify significant maturity gaps, and to formulate constructive recommendations regarding what could be done to help Australian organisations ‘shift to the cloud’ in the safest way possible.

The top 4 conclusions from the synthesis of the survey inputs and results are: 

➀ Information security is a ‘leadership challenge.’ Boards and Executive Suites need to ‘lift their game’ by adjusting and realigning the organisation’s investments, priorities, policies and processes to be more reflective of the use of cloud technology and its unique risks. 

➁ Organisations must accelerate their security and cloud-specific risk awareness programs to improve ineffective policy compliance so the organisation can more sensibly adopt cloud technology. 

➂ It is essential that organisations go beyond the simple responses of ‘yes’ to critical questions on essential security processes or controls, and begin to seek evidence that controls not only exist but are effective. 

➃ Even when organisations know that the measures implemented by their Cloud Providers are effective, they shouldn’t rely on Cloud Providers’ measures ONLY, especially for Disaster Recovery.

Each conclusion is described further on the following pages.