UK businesses are steaming ahead to become cloud-only companies, but efforts to establish who is responsible for cloud security within an organisation are struggling to keep pace.
Research by cybersecurity firm McAfee found that 40% of large UK businesses expect to be cloud-only by 2021, with 70% expecting to be cloud-only at some point in the future.
Yet the survey of over 2,000 senior IT staff and employees in the UK, France and Germany found a lack of consensus as to who in the business is ultimately responsible for cloud security.
14% said the CEO should take responsibility, while 19% believe it should be the chief information officer. Just 5% said the chief information security officer is responsible for cloud security.
The role of IT manager drew the largest number of votes, with 34% believing them ultimately responsible for cloud security.
The findings echo those of a recent Big Data LDN survey, which found data responsibility to be “spread thinly” across the C-suite.
Cloud security responsibility needs to be “owned”
“What scares me about this is that the answers are, dare I say it, sort of all over the place,” said Nigel Hawthorn, EMEA director of cloud security business at McAfee, speaking at a media roundtable.
“And I think this is why cloud security is not necessarily being addressed in a holistic manner, because it has to have an owner and has to have a team who are led by someone to actually make sure that it’s being addressed.”
Hawthorn said that so-called shared responsibility models put forward by Microsoft and Amazon – the two largest cloud vendors – are “not enough”.
Drawing parallels with renting a car, he pointed out that manufacturers are responsible for safety features such as airbags, the rental firm for the oil and the driver for driving safely.
“There’s no point in saying ‘it’s your fault Ford’ when I drove the car at 100 miles an hour into a wall,” he said.
While 84% of respondents said the cloud improved their organisation’s data security, cloud computing presents a unique set of security problems.
Data repositories containing sensitive business or customer information can be misconfigured by businesses, providing easy pickings for cybercriminals.
Previous research conducted by McAfee found that 99% of misconfigured cloud servers go undetected.
“You can outsource the work, but you can’t outsource the risk,” said Raj Samani, chief scientist and McAfee fellow. “And the reality is [that] in cloud computing, we see organisations and people migrating and outsourcing over to cloud services with the belief that it absolutely absolves them of any risk or any concerns.”
So what’s the solution? Hawthorn and Samani believe that educating users at the right time in the right context about cloud security can help. But ultimately, an organisation needs to decide who is responsible for cloud security, give them adequate resources and allow their voice to be heard by the board.
“I think we’re in a dangerous place if we’re going to cloud as fast as possible, but we haven’t decided who’s responsible for the security,” added Hawthorn.