by Cal Slemp
Managing Director and Leader of Protiviti’s Security Program, Strategy & Policy Practice
I’m concerned that recent articles might be giving the wrong impression about the risks that accompany data storage in the cloud. When I see headlines like “Cloud Security Concerns are Overblown, Experts Say,” I worry that companies may see “overblown” and perceive “non-existent.” Such stories are part of the news cycle. For example, the same question was posed in this Forbes article back in 2012, and was followed shortly thereafter by a number of very-high-profile retail and financial data security breaches.
Wherever there is risk, there are bound to be stories questioning whether the perception of risk is exaggerated. And while it is true that a few data security breaches do not an untrustworthy cloud make, it is also true that there is no such thing as perfectly secure data storage, in-house or outsourced. Offsite, and thus “out of sight,” should not equal “out of mind.”
Risk is risk. It doesn’t matter if you keep your data in-house or in the cloud; your responsibilities for data security remain the same. You can’t afford to leave anything to chance because you remain responsible for customer data loss – even if the data was lost by a third-party vendor. All the customer cares about is you and the trust he or she placed in your brand. And while you may have a financial recourse in the event of third-party data loss, the reputational damage will all be on you. That is the business reality.
In a Flash Report Protiviti published earlier this year, we summarized the federal government’s cybersecurity framework and how it will help organizations get a handle on securing their information. I feel it’s a helpful document for companies that haven’t spent much time and effort on information security; for those that have, it’s consistent with the efforts we’ve seen in our work in the security and privacy space.
Remember that, whichever framework or approach you select, mitigating cybersecurity risk requires new investment that management must weigh. At the same time, an inadequate data security program can cause revenue and customer loss and severe reputational damage, all of which hurt your bottom line.
The cloud’s vulnerabilities affect your vendor risk management efforts as well. My colleague, Rocco Grillo, noted recently that a company “can have all the security in the world inside its four walls, but all it takes is a compromise at one third-party vendor that’s connected to it. That creates a bridge directly into the organization.” And as our colleague Brad Keller from the Shared Assessments Program states, if you’re relying on a third party, “you can’t just shut the door and say it’s someone else’s problem. You can outsource the function, but not the risk. In effect, you ultimately own the risk.” That’s why Protiviti and the Shared Assessments Program developed the first comprehensive Vendor Risk Management Maturity Model. This model sets forth best practices for developing a comprehensive third-party risk program and allows a company to evaluate its program’s maturity against development goals. It’s worth taking a look to see how well your company stacks up.
Are cloud data security fears overblown? Maybe. Ripples on a pond do tend to grow as they travel outward from the source. But overblown does not mean minimal or nonexistent. The risks are real, and organizations need a solid vendor risk management policy and procedure in place to ensure that those risks are adequately considered and addressed.