At an accelerated pace, businesses are migrating legacy applications to the cloud to drive agility, innovation, and security. Although IT often gets much of the credit (and occasional blame), the fact of the matter is that digital projects are often driven by a company’s senior management, with CIOs and CTOs deputized to make it happen.
However, major changes to IT can be something of a gamble, and when the success and cost of technical implementation are at stake, the CFO must get involved. For finance leaders, the cloud may seem full of cost-saving opportunities, but the devil is in the details, which can include risk and potentially unforeseen expenses. Thus, it’s essential that CFOs understand both the upside and the liabilities.
One of the biggest potential liabilities comes in the form of cybersecurity. For CFOs, cybersecurity can be both worrisome and shrouded in confusion. They may have to dig into the details of a cloud implementation to effectively fund security initiatives.
Cybersecurity and the cloud
Every new tech project comes with potential security risks. For CFOs, quantifying the level of risk, and the costs associated with limiting risks, is quite important. It boils down to risk management, and CFOs can take some solace in the fact that major cloud providers are often more sophisticated about security than most business environments.
Even though cloud providers offer cybersecurity controls, it’s important to make sure that safeguards are in place. Establishing the appropriate controls, rules, and policies is a critical first step when moving to a cloud service. What’s more, cybersecurity requirements may be dictated by compliance regulation or other factors. Simply put, the CFO needs to be hands-on when it comes to assessing the risks to data security and privacy and will need to coordinate with legal, security, operations, and IT staff to ensure that the capabilities meet the business’s needs.
Compliance in a cloud environment can involve a range of regulations, such as Sarbanes-Oxley, HIPAA, and GDPR. In addition, there are industry-specific regulations to consider. Further complicating the issue is that a company may need to integrate with select vendors or give them some level of control.
So, while moving to the cloud may promise all kinds of business benefits, CFOs must pay close attention to compliance and regulatory requirements, because failing to adequately plan for those could turn benefits into liabilities.
Cost calculations
Many assume that the pay-as-you-go model indicates that it is easy to move from one cloud platform to another. However, in practice, that’s seldom true. Migrating an IT portfolio from one cloud platform to another can be fraught with challenges. On the cybersecurity side, the challenges include migrating users, applications, policies, rule sets, and entitlements—a process that can open a can of worms.
There is an additional risk with contractual “lock-in.” Watch out for contract terms with financial penalties for terminating services or requesting major changes.
The tangible value of cloud security
Business leaders understand that data breaches are a constant source of concern in today’s cloud-enabled world. And they know that it is almost always less expensive to defend the company’s data, systems, and assets than it is to fall victim to a breach. With that in mind, the risk management calculation should include the necessary funding to protect cloud resources.
Ultimately, CFOs are looking for return on investment, as well as total cost of ownership. When it comes to cloud cybersecurity, ROI may be hard to calculate, so a more holistic approach to funding may be needed. The bottom line is that CFOs must take the view that cybersecurity is an investment in the business and the basis for agility and enabling new services.
The advantages of cloud-native services
Many businesses are pursuing a cloud-first approach, where new applications are developed natively using cloud services and platforms. Because this is a way to consolidate services and applications, while supporting scalability, it makes sense to look at cybersecurity in these cloud environments from a different perspective.
For example, enterprises with on-premises data centers have long looked to integrate cybersecurity tools from a variety of vendors. The goal was to reduce the attack surface, while also gathering actionable information. However, the disconnect between those various products often meant that security staffers would have to roll up different logs and signals into some sort of centralized dashboard. That resulted in potential gaps, missed suspicious behavior, and alert fatigue.
The good news is that many cybersecurity platforms have evolved to become cloud-native, making it easier to combine the capabilities of multiple tools in a single offering. A cloud-native security platform brings together the many needed elements of cybersecurity into a centralized dashboard, making it much easier to monitor systems, detect anomalies, and deal with breaches.
What’s more, with the right system, costs can be significantly reduced and options, such as automation, can be incorporated. So CFOs may be able to breathe a little easier, though it’s impossible to get overly comfortable amid the omnipresent threats.