Cloud security risks: Who should carry the can?

Striking a balance between CFOs and CIOs on cloud cost savings and risk…

The lure of cost savings may be pushing businesses towards the cloud, but who will ultimately balance the financial arguments with the risk factors? Mark Samuels reports.

Pressure to look to the cloud, and its potential for cost-effective IT delivery, comes from all areas of the business. But who is more concerned about information security?

Is the CIO the executive who is most anxious about data moving beyond the corporate firewall and into the cloud, or is the finance director more worried about risk?

"There are multiple constituents," suggests Rebecca Jacoby, global CIO at networking giant Cisco. "By nature, a big part of a CIO's job is risk management and an understanding of specific security concerns. When it comes to the cloud, security is a real risk and the technology isn't necessarily at the right level for most organisations at the moment."

Cost savings are plainly providing some of the impetus for a move to the cloud but responsibility for risk may be less clear-cut


Jacoby recognises that the broader technical architecture of business is changing quickly. But while the cloud is starting to gain momentum, substantial change could take as much as 10 years. Jacoby says security is definitely a key element in the development of the cloud and will continue to move up the executive agenda as on-demand becomes an organisational necessity.

"The pressure from the business will be for CIOs to deliver the cloud because it is seen as a lot cheaper," says Jacoby. "But while CFOs like you to be cheaper, they're even more concerned about risk. Whenever I talk to the board, it's always the finance guys that organise the risk and resilience meetings. There's different and conflicting pressure from executives across the business and the cloud is all about consciously managing the risk."

So, does that focus on risk mean the finance director is the executive who is most anxious about information security and the cloud?

Cloud security breach of concern to all senior management

Not according to Paul Hanley, director of information security at KPMG, who disagrees strongly with the premise that responsibility for the cloud falls on the CFO's shoulders and suggests a serious security breach is a concern to all senior executives.

"Each of these executives perceives risk, and the impact of a security incident, in subtly different ways," he says. "If there is a breach, the CEO's primary concern might...

By Mark Samuels

Mark Samuels is a business journalist and editor at IT leadership organisation CIO Connect. He has written for various organisations, including the Economist Intelligence Unit, Guardian Government Computing and Times Higher Education.