In a world of continuous change and disruption, Canadian organizations should embrace security from the start to accelerate business transformation and resilience.
The COVID-19 pandemic forced the world online – and as we enter year two of the new normal, we’re finding that the transformation is permanent. Workers want to work from anywhere, consumers want to shop from anywhere, and businesses are responding through investment in omnichannel retail experiences and hybrid work policies. The distinctions between online and offline commerce, work and life are blurring.
So it’s no surprise that over the last two years, there has been a dramatic shift to fast-track digital transformation plans and invest in cloud. And the growth in digital shows no signs of stopping. According to Deloitte’s latest research on the state of cloud adoption in Canada, 88% of the 200 organizations decision-makers from across Canada plan to increase their use of advanced technologies to create new market opportunities and 74% plan to increase their cloud spends over the next five years. But despite the optimism, surprisingly, the same respondents expect to shift only 5% of their workloads to private or public cloud in the next three years – with leaders stating privacy/data concerns as their number 1 barrier for achieving progress.
This is a problem.
Cloud presents an opportunity to drive business transformation and better enable agility, new products, and unrealized data strategies for organizations. But unless the security concerns can be addressed, organizations will be inhibited from adopting cloud as fully as they can. This leaves innovation and economic growth unrealized – a handicap for Canadian industry in a very competitive digital world.
In order to accelerate the adoption of cloud within Canadian organizations, the risks cloud poses must be mitigated.
Solving the security problem demands a mix of both cloud and cyber skillsets and strategies to achieve velocity. In fact, Deloitte’s research has shown that those organizations with mature adoption of cloud and cyber technologies “become more resilient and agile” (75% versus 53% overall) and are better able “to predict future trends, risks, and threats” (70% versus 49% overall). Perhaps this is why in a recent Deloitte global cybersecurity survey cloud was slated as the second top priority for CISOs and CIOs in their digital transformation efforts.
So, how can organizations affectively embrace an integrated cloud cyber strategy to maximize their digital potential?
The answer is security by design.
The security paradox
Cybersecurity, however, is still one of the most misunderstood areas of cloud. In Canada, our survey revealed that security is both the top barrier to cloud progress and the number one driver of cloud adoption. We also found that those who do understand the security benefits of cloud find it difficult convincing decision-makers that cloud is secure. 85% of respondents said they found persuading decision-makers that cloud is secure “challenging.”
New thinking for cloud security in a cloud-enabled world
In our view, the way organizations approach cybersecurity and cloud must evolve. Simply lifting and shifting old programs and procedures from legacy technologies into cloud environments is ineffective and can be a barrier to more wholesale adoption.
The most leading organizations start with a blank slate and embrace cybersecurity as a differentiator to promote greater stakeholder trust, and to better leverage cloud-native solutions – programs that are built specifically for cloud – that take advantage of cloud’s full potential. The alternative – migrating non-cloud native programs into the cloud – often results in more issues or lack of compatibility with one another in their new virtual environment.
So, where does one begin?
How to embrace cloud with security by design from the start
An organization’s view of security as a barrier or an opportunity may depend on their maturity. Less mature organizations point to security as a bottleneck to speedy enterprise cloud adoption. More mature organizations talk about ‘shifting left,’ with DevSecOps (development, security, and operations) and security by design cloud migrations that bring together cloud and cyber teams in centers of excellence. Finding the right talent to shift-left in a way that balances security and velocity is a challenge in the Canadian marketplace.
Our view: You should not lift and shift on premise controls to the cloud. Migration requires a mindset shift. Organizations need to shift their thinking from protecting their home with the biggest gate and security alarm to creating an environment where security is everywhere in a more federated way across every individual, access point, processes, and aspect of the network/application/infrastructure. Done right, organizations have the opportunity to dramatically enhance their overall cybersecurity posture.
We’ve also found that once senior executives and boards understand how security works in the cloud – in this more federated model – they realize it as an asset, not a liability. It’s a tool that helps organizations accelerate and not slow down. Organizations have a better ability to scale their security needs much faster and nimbler in the cloud than they can on-premises. Why? Because of the automation capabilities and the increased storage and data capacity. In the cloud, you can push infrastructure as code, which lets you fix a security problem in real time before it’s too late. You also no longer need to spend hours or days standing up a new physical server when your storage capacity runs out – that now happens automatically and within seconds. Continuing education is often needed to ensure this message is communicated across the organization to achieve board support and C-suite alignment.
As seen from our survey results, Canadian leaders expressed that there are still a lot of unknown unknowns, causing what we feel could be a plateau effect in response. Increased evangelizing and awareness are needed. A bolder vision and courage are required to push through the perceived barriers.
Security as a catalyst for velocity: Five considerations to take
Ultimately, cloud’s potential and what it can accomplish is too great. Those who have adopted know just how powerful the cloud can be. With the ability to act quickly, automate security features, and easily adjust your security needs along with your business, your organization will be ready for whatever comes its way. From our view and experience, we see these five areas as imperative to accelerating cloud and security by design strategies that drive business agility and resilience.
- Lead with strategy not technology: Cloud is an enabler of true business transformation, and business goals and objectives should be first. Organizations should look first to their business strategy and what it is looking to achieve. The technology itself should come second to help you get there.
- Embrace security with velocity: Keep security levels high, incorporating cloud native security capabilities and allowing you to rapidly iterate your shift to the cloud.
- Create a Centre of Excellence: Integrate your cloud and cybersecurity teams so you can transform both areas together.
- Be bold in your vision and leadership: For a transformation to work, C-suite and board alignment is imperative to facilitate faster adoption and scalability. Overcoming security perceptions of cloud will need to be tackled to make this happen.
- Develop shared governance models: With cloud, security duties can be split between the cloud provider and the company. Work with the provider to define who’s responsible for what.
To learn more about Deloitte Canada’s latest state of cloud research, download the full report: Accelerating to the cloud: Breaking through the cloud adoption plateau.
Robert Masse is the National Resilience Leader, Cyber Risk, Partner, Risk Advisory, at Deloitte Canada.