Companies are increasingly moving business-critical workloads and sensitive data to the cloud, but confusion remains over cloud security responsibilities, according to a Wednesday report from Oracle and KPMG.

Cloud security is now a strategic imperative, the report found, as nearly half (49%) of the 450 cybersecurity and IT professionals surveyed said they expect to store the majority of their organization’s data in the public cloud by 2020. However, 92% said they are concerned about employees following cloud policies designed to protect this data, the report found.

SEE: Cloud Data Storage Policy (Tech Pro Research)

Confusion remains around the shared responsibility cloud security model, which has led to cybersecurity incidents, according to the report. Some 82% of cloud users surveyed said they have experienced a security event due to confusion over the shared responsibility model.

The CISO’s role in cloud security

CISOs too often end up on the cloud security sidelines, the report found. Business leaders adopting cloud services in a decentralized way creates a visibility gap for security leaders, it added. Some 90% of CISOs surveyed said they are confused about their role in securing a Software as a Service (SaaS) environment versus the cloud service provider. Another 93% of respondents indicated that shadow IT is a major concern.

“Many CISOs think that vendor security is actually a lot stronger than theirs, but ultimately they think that if a breach does happen at some of these vendors, they will still be liable for the fallout,” Daria Kirilenko, director for information risk research at Gartner, told TechRepublic. “That’s the major reason for their perception of the cloud as something that should be viewed with caution.”

CISOs should take the following steps to ensure a safer cloud environment in their organization, Kirilenko said:

  • Educate senior business stakeholders about the fact that cloud security is shared between vendors and the internal team, as many security issues arise when internal stakeholders make a mistake
  • Build a cloud security team with a portfolio of skills in different areas
  • Make adhering to cloud security guidelines easy for developers. Develop a common security platform that houses APIs and reference architectures that developers can use to quickly understand how to implement security guidelines in their applications.

For more tips on how to make CISOs more comfortable with cloud security, check out this TechRepublic article.