Skip to main content

How enterprises can lead the way on cloud data security

Security-savvy enterprises approach everything-as-a-service differently

As the demand for everything-as-a-service (XaaS) grows, it’s imperative that organisations focus on data security. Some security-savvy enterprises are already leading the way in choosing trustworthy XaaS vendors and establishing strong processes and policies to deal with data security.

Many technology companies are shifting to a service-based model for providing products and capabilities, with some major players planning to transition the bulk of their portfolios over the next few years.1 At the same time, many leaders across industries are moving from traditional IT to everything-as-a-service (XaaS) for improved agility, new capabilities, and better management of capacity and costs.2 They view XaaS as critical to their digital transformation and to creating new solutions and business models—with cloud as the preferred platform for enabling XaaS and spurring innovation.3

To understand how companies are adopting service-based IT, including their objectives, outcomes, and challenges, Deloitte surveyed 600 IT and line-of-business professionals responsible for XaaS at US organisations.4 Three-quarters of our respondents reported that their organisation already runs more than half of its enterprise IT as-a-service.5 According to these leaders, the biggest challenge to scaling up their use of XaaS involves data security and privacy concerns—the same obstacle that topped adoption challenges in our 2018 XaaS study.6

With so much IT shifting to the cloud, organisations could be wise to focus on security. According to a 2021 report, 73% of cybersecurity incidents involve external cloud assets (vs. on-premise assets), and there are signs that cloud security incidents are increasing.7 Cloud data breaches can have serious consequences, including regulatory and legal problems, response costs, reputational damage, and even erosion of market value. According to another analysis, the average cost of a data breach incident in 2021 was US$4.24 million, a 10% increase over 2020.8

Are any enterprises cracking the code for mastering data security with XaaS and cloud? Fortunately, yes—and others may be able to follow their lead. Our analysis suggests there’s a group of “security-savvy XaaS adopters”—companies that not only feel they have established adequate processes and policies to deal with data security, but have also chosen XaaS vendors that can satisfactorily deliver strong data security and privacy safeguards. Nearly one in five (19%) of the professionals we surveyed in our XaaS study represent these security-savvy companies, which are more confident about keeping a wide range of enterprise data—even highly sensitive data—entirely in the cloud (see figure).

Security-savvy XaaS adopters have a differentiated approach to managing XaaS security and compliance:

  • They assume more responsibility for security. Almost half of the executives from such companies (46%) reported that it’s entirely the responsibility of their organisation to manage and ensure data security of their XaaS initiatives (vs. 33% of leaders from other companies). They’re also more mindful about regulatory compliance: 56% strongly agree that their organisations have adequate processes and policies in place to deal with regulatory compliance for XaaS (vs. 39% of executives from other companies).
  • They’re more proactive about monitoring security. Two in three executives from security-savvy companies reported that their organisations continually monitor the security of XaaS IT applications and data (vs. half from other companies). Moreover, 65% of the security-savvy companies evaluate their XaaS providers regularly9 to ensure they're meeting data security requirements (vs. 57% of the other companies).

Considerations for TMT executives

To provide a differentiated, higher-value customer experience, cloud and XaaS providers should strive to help their customers become more like the security-savvy XaaS adopters.

  • Become a security partner. The complexity of securing cloud-based IT is likely to accelerate as many organisations turn to a hybrid, multi-cloud, multi-vendor strategy to increase access to best-in-breed technologies, optimise costs, improve resilience and reliability and minimise vendor lock-in.10 Tech providers can build trust by helping their customers rethink security models and capabilities and take a more integrated approach to cloud and security—for instance, by establishing a cloud security controls framework.11
  • Clarify security responsibilities. Managing the security risks of multi-cloud environments should be a shared endeavor between service providers and user organisations, yet nearly 6 in 10 cloud adopters cite establishing shared security models as a major challenge.12 Service providers can supply their customers and auditors with system and organisation controls (SOC) reports to help build risk assurance, but clarifying expectations and responsibilities is crucial.13
  • Continuously assess risks. Cloud providers can help their customers identify and use the right tools to continuously monitor cloud security. For instance, adopters can use comprehensive dashboards to track security of data and applications across several environments, thereby increasing visibility into risks.14 Additionally, advanced security tools based on artificial intelligence and automation can be helpful in sensing threats and responding to them in a timely manner.15

Technology, Media & Telecommunications

Deloitte’s Technology, Media & Telecommunications (TMT) industry practice brings together one of the world’s largest group of specialists respected for helping shape many of the world’s most recognised TMT brands—and helping those brands thrive in a digital world.

Learn more

  1. Jessica Lyons Hardcastle, “HPE partners with Google Cloud, pledges entire portfolio ‘as-a-service’ by 2022 ,” sdxcentral, June 19, 2019; Gina Narcisi, “Cisco CEO Chuck Robbins: COVID-19 forcing as-a-service transition  ” CRN, August 12, 2020.

    View in Article
  2. Susanne Hupfer et al., Enterprise IT: Thriving in disruptive times with cloud and as-a-service , Deloitte Insights, February 22, 2021.

    View in Article
  3. Ibid.

    View in Article
  4. Ibid. To obtain a cross-industry view of how organizations are adopting and benefiting from as-a-service enterprise IT, Deloitte conducted the Everything-as-a-Service (XaaS) Study, 2021 edition, surveying 600 IT and line-of-business (LoB) professionals from US-based companies in Q4 2020. All respondents were chosen from organizations that consume 15% or more of their IT as a service (i.e., all were XaaS adopters) and were required to have responsibility for enterprise IT and specifically for XaaS—for example, spending, strategies, deployments, and vendor selection and evaluation. Respondents were evenly split between IT and LoB professionals, and 89% were executives. Six industries were represented: technology, media, and telecom; energy, resources, and industrials; consumer, retail, and automotive; financial services; life sciences and health care; and education.

    View in Article
  5. Respondents were asked to consider their organization’s current enterprise IT products/services and estimate what proportion is being purchased and consumed as as-a-service IT vs. traditional IT.

    View in Article
  6. Gillian Crossan et al., Accelerating agility with everything-as-a-service , Deloitte Insights, September 17, 2018.

    View in Article
  7. The researchers noted that there’s nothing in their data to indicate that on-premise IT is more secure. The fact that so much IT infrastructure has moved to the cloud may be a contributing factor, as well as attackers targeting cloud credentials. See: Maria Korolov, Cloud security breaches surpass on-prem ones for the first time , Data Center Knowledge, May 20, 2021; Alicia Hope, “Almost all organisations suffered at least one data breach in past 18 months, the State of Cloud Security Report found ,” CPO Magazine , July 20, 2021.

    View in Article
  8. Chris Brook, “How much does a data breach cost in 2021? ,” Digital Guardian blog, August 4, 2021.

    View in Article
  9. Our survey defined “regularly” as annually or more frequently.

    View in Article
  10. David Linthicum, Want more multicloud success? Here are some key strategies , Deloitte, accessed November 9, 2021.

    View in Article
  11. Deborah Golden et al., “A controls framework for integrated cloud security ,” Wall Street Journal Risk & Compliance Journal , May 26, 2021.

    View in Article
  12. Dan Yachin, “State of cloud security 2021: More aware yet very exposed ,” Ermetic, July 1, 2021.

    View in Article
  13. Charlie Willis and Lining Ge, Assurance in the cloud: Don’t settle for a check-the-box approach , Deloitte, 2021; Curtis Stewart, Dan Zychinski, and Alan West, Third-party reporting proficiency with SOC 2+: An integrated approach gains traction , Deloitte, 2021.

    View in Article
  14. Doug Bourgeois and Sean VanDruff, Integrated multi-cloud management for the federal government , Deloitte, 2017.

    View in Article
  15. Satta Sarmah Hightower, “Want to avoid a multi-million dollar data breach? You need these three things ,” Forbes , September 21, 2021.

    View in Article

Thanks to Brooke AuxierGautham Dutt, and Shubham Oza for their support.

Cover image: Jaime Austin

Did you find this useful?

Thanks for your feedback

If you would like to help improve further, please complete a 3-minute survey

Related content