During our recent webinar, How to Spend Your Cloud Security Dollar, HOSTING product marketing manager, Tricia Pattee, reviewed four hidden cloud security costs and risks that organizations should avoid when planning their cloud security investments. Missed the webinar? You can view the on-demand version anytime. In the meantime, below is a quick recap.
Understanding your cloud security risk
In order to invest in an effective portfolio of cloud security services, it’s important to evaluate your company’s risk as well as that of the organizations with whom you do business. The following questions will help with your evaluation process.
- How attractive is our organization to potential criminals?
- How dependent are we on the services of our partners, suppliers, and other organizations? How integrated are they into our IT processes?
- Which processes or systems represent the greatest assets from a cyber security perspective?
- How much risk are we willing to take in relation to these processes? Tip: 100% security is not feasible.
- Do our partners have the same risk appetite?
- Do we have a clear business case for our security investments?
People, processes and culture play a significant role in cloud security and risk management. As Tricia mentioned in her webinar, you can invest in the most advanced cloud security technology. However, if your organization doesn’t promote a culture of security and provide its employees with the necessary training on cloud security processes, that technology loses its value. This is where the rubber meets the road, so get brutally honest answers on the following questions:
- How does our culture contribute to or hamper good security?
- When was the last time one of our executives discussed the importance of security to our employees and stakeholders?
- Are we prepared to act in the event of a crisis or incident? How would we respond and who would be in charge of communications?
- Can we provide assurance to stakeholders on our current policies?
Understand how large your cloud security budget is and where it’s being spent. As Tricia noted, several reports suggest that companies dedicate a minimum of 3 – 5% of their total IT budget to cloud security; however, the average spend is closer to 10%. Ask yourself:
- How much of our security budget is spent on solving past problems?
- How much is spent on structural investments?
- How much is spent on systems and tools?
- How much is spent on awareness and culture change?
Ideally, your cloud security budget should be spent across all four areas listed above.
4 Cloud security “gotchas”
Tricia also emphasized that prevention, detection and response are essential to effective cloud security and risk management. She also listed four mistakes that prevent organizations from implementing a solid cloud security plan.
Purchasing cloud security services a la carte
While purchasing cloud services piecemeal over time may seem cost-effective, it may prevent you from getting bundled discounts from a cloud service provider (CSP). Ask your CSP whether they can provide a bundled solution and how they discount purchases of multiple related products or services. Tricia also pointed out that basic security such as antivirus or malware detection isn’t always included in infrastructure you purchase a la carte, so don’t assume it is.
Purchasing out-of-the-box solutions
Tricia also cautions against purchasing out-of-the-box solutions instead of a custom solution. In some cases you may end up paying hidden costs, or paying for components that don’t apply to your environment. An out-of-the-box cloud security solution may also cause you to overpay relative to the size of your environment, or introduce security gaps by leaving out a particular service or product you need.
Investing in cloud security tools versus people and processes
As Tricia cautioned during the webinar:
“Investing in tools, and not people and processes, will only introduce a lot of risk and allow a small attack to turn into something much larger. You could also spend way more on tools that you both don’t need and that are ineffective if you have the right people and processes in place.”
Assuming risk responsibility
If you plan to engage with a cloud service provider, do not assume that risk responsibility is covered in your agreement. Ask for a Business Associate Agreement (BAA). A BAA ensures that both you and the CSP will appropriately safeguard data to meet compliance requirements, and an effective BAA clearly outlines each party’s roles and responsibilities so that compliance is actually achieved. If your organization must comply with HIPAA regulations, the lack of a BAA is considered a violation of the new omnibus ruling for HIPAA/HITECH and implies negligence. Do not assume that your service provider will take any responsibility in the event of a breach unless you have a signed BAA.
Finally, Tricia recommends asking your CSP for an audit assurance guarantee stating not only that they are covered for potential security risks, but also that they will mitigate any aspect of an incident for which they are responsible.
Planning your cloud security investments? HOSTING can help. Contact our certified information and compliance teams anytime to review your specific needs. And view Tricia’s webinar on-demand for help in creating a comprehensive cost-effective cloud security plan.