Cybersecurity remains a top priority in every industry—and it’s a priority that is growing as cloud technologies become more essential to driving business operations, innovation and value. Cloud technologies can come with inherent complexity. Increasingly, cyber must become a core component of a cloud migration to reliably support business value and give organisations the confidence to evolve as their needs change.
A panel of cloud transformation specialists from Deloitte and HPE share insights on how to enable a “cyber first” approach that embeds security into an ongoing journey of digital transformation—while positioning enterprises to evolve amid constant disruption.
Though cybersecurity is a top concern for companies moving to the cloud, there is a lag in how it is actioned as part of a transformation programme, which is exacerbated by outdated assumptions that previous approaches to securing assets will work. Often, however, it never works that way. Cloud presents its own inherent risk and complexities. The solution, offers Meer Hussain, managing director, Deloitte Consulting LLP, is to include cybersecurity in the business case for the migration. That way, he says “they can build in the security and regulatory elements as they go through the transformation.”
Privacy is another reason companies on a cloud journey should think about cybersecurity early in the process. Venky Rangachari, vice president global IT, HPE, offers as an example GDPR, General Data Protection Regulation and the core of Europe's digital privacy legislation. “When enterprises are acquiring cloud products, they need to be aware of the privacy terms and regulations that come with them.” Complicating matters is the hair-split of the cloud platform being complaint to GDPR and a company being compliant. Says Hussain, “An enterprise should always take additional measures to enable configurations that will ensure compliance.”
Moving through a transformation initiative, there are two areas where talent unknowingly increases risk, says Elvia Novak, managing director, Deloitte Consulting LLP. First, cloud migrations are often run in parallel with ERP projects and service providers, which increases the risk that key details will be missed as the teams attempts to learn and adjust to the new system. Second, a lack of clarity around the roles and responsibilities of the cloud service provider versus the organisation can lead to frustration within the team and a resistance to the change in general. “We must not lose sight of the fact that it’s the team – people – who will be responsible for the transition and the eventual new way of doing things.”
As Hussain sees it, a successful cloud migration will include core functions that are best delivered by the cloud service instead of the company’s own team. It also includes automation. “There will never be enough people. Organisations must ask how they can leverage RPA and AI technology to automate some of the routine tasks.” Once that is sorted, talent can focus on essential tactics like threat hunting – an area he recommends investing in training.
For Rangachari, because of the far-reaching and sometimes devastating impact, cyber-attacks – which he calls ‘cyber warfare’ – should be treated with the same level of criticality and import as a military attack, from funding, preparedness and proactive response, to the time spent gleaning an in-depth understanding of the enemy. “In cyber war, we are dealing with a sophisticated actor – it’s a machine. That requires a different type of response in terms of policies, proactivity, automation, artificial intelligence and even funding.”
Novak calls for enterprises to recognise the downstream impact they have on society as they contemplate their level of investment in and commitment to cybersecurity. As an example, she points to a May 2021 ransomware attack that took a major US fuel pipeline offline, ultimately driving fuel prices to highs not seen in years. A month later, consumers were still feeling the impact. “I think everybody needs to recognise the downstream effect an enterprise can have on the overall population and make the right investment in cybersecurity a priority.”
The Achilles Heel in the fight against cyber-attacks is the reaction time it takes to notice something is happening. “One of the problems we have as security professionals,” says Hussain, “is there are so many tools and so many point-in-time solutions.” He recommends companies start relying on smarter tools and processes, like AI and BL, to build in proactive and predictive capabilities.
No one tool is going to capture all the potential risks or threats, Novak notes and though we may apply machines (AI and ML) to fight machines and the known knowns, “the problem is the unknown … it is vital we invest to try and stay ahead of the curve and in front of the attacks.”
On what solutions – whether best-in-class or end-to-end – Rangachari advises companies to pick the right paradigm that fits your enterprise. “If you pick a tool set that's totally disparate that the tools can't talk to each other or your operations, your security operations teams can't stitch these logs or evidences together, then you're not achieving your end goal of protecting yourself.”
Want more transformation insights from enterprise leaders? Visit deloitte.com/SAP to download future podcast episodes or listen to previous ones.