4 hidden risks of your enterprise cloud strategy
Blauner points out the many failed attempts at outsourcing data during the 9/11 attack, a pattern he saw again during Hurricane Sandy in 2012 and again in the early weeks of COVID in the US. “It’s only going to work for the first companies” that make the move to push more of their data into the cloud.
Enterprises expect to be able to “recover into a cloud environment during a crisis. And then 9/11 happened and everyone declared an emergency at the same time. If you weren’t one of the first to declare, [the cloud vendor] said, ‘We’re full,’” Blauner says.
The solution to that, Blauner says, is for CIOs to establish their emergency minimal viable product (MVP) position. By that he means for enterprises to identify their most essential services — the ones “that your customers can’t survive without” — so that, when an emergency happens, just those emergent services are moved to the cloud. If all enterprises do this, the industry could survive the next crisis.
When Blauner worked at Citi, for example, that MVP was international funds transfers. “If we didn’t protect that, we could have had a global economic meltdown. You can’t do money transfers in South Korea without Citi,” Blauner says. “For every company in the world, there is some such thing.”
Self-inflicted security risks and inefficiencies
Charlie Winckless, a senior director analyst on Gartner’s cloud security team, agrees that scalability in the event of a crisis is a concern, but he sees a different problem forming from IT leaders’ typical solution: covering their cloud bets by having agreements with a large number of cloud environments globally.
“CIOs believe that by using multiple cloud providers, they think that it is improving availability, but it’s not. All it’s doing is increasing complexity, and complexity has always been the enemy of security,” Winckless says. “It is far more cost-effective to use the cloud provider’s zones.”
Enterprises also often fall short on the financial and efficiency benefits promised by the cloud because they are unwilling to trust the cloud environment’s mechanisms sufficiently — or so argues Rich Isenberg, a partner at consulting firm McKinsey who oversees their cybersecurity strategy practice.
The enterprise IT “pushback is that they do not trust the cloud automation and technology. They want their own team to manage everything. The clouds include the cloud-native tools and automation but [the CIOs] are still gravitating to the old-school approach of using their team,” Isenberg says. These executives “are dependent on their security and access teams and they have their preferred tools from their preferred vendors.”
That means that many cloud tasks are being done twice and that is why the efficiency benefits sometimes do not materialize. Most IT executives “think that it will be the big breaches that will threaten their jobs, but the reality is that the threat is the [executives] not being digital tech forward,” Isenberg says. If executives “do not embrace cloud-native [tools] and automation, then, yes, it will become someone else’s job.”
Cloud is also so integrated in all enterprise systems today — whether it be IaaS, PaaS, or SaaS — that a cloud strategy needs to be the default assumption. Says Isenberg: “You’re in it whether you know it or not or want it or not.”