10 questions to help boards safely maximize cloud opportunities
Phil Venables
VP, TI Security & CISO, Google Cloud
Nick Godfrey
Senior Director, Office of the CISO, Google Cloud
The accelerating pursuit of cloud-enabled digital transformations brings new growth opportunities to organizations, but also raises new challenges. To ensure that they can lock in newfound agility, quality improvements, and marketplace relevance, boards of directors must prioritize safe, secure, and compliant adoption processes that support this new technological environment.
The adoption of cloud at scale by a large enterprise requires the orchestration of a number of significant activities, including:
Rethinking how strategic outcomes leverage technology, and how to enable those outcomes by changing how software is designed, delivered, and managed across the organization.
Refactoring security, controls, and risk governance processes to ensure that the organization stays within its risk appetite and in compliance with regulation during and following the transformation.
Implementing new organizational and operating models to empower a broad and deep skills and capabilities uplift, and fostering the right culture for success.
As such, the organization across all lines of defense has significant work to do. The board of directors plays a key role in overseeing and supporting management on this journey, and our new paper is designed to provide a framework and handbook for boards of directors in that position. We provide a summary of our recommendations, in addition to a more detailed handbook. This paper complements two papers we published in 2021: The CISO’s Guide to Cloud Security Transformation, and Risk Governance of Digital Transformation in the Cloud, which is a detailed guide for chief risk officers, chief compliance officers, and heads of internal audit.
We have identified 10 questions that we believe help a board of directors hold a structured, meaningful discussion with their organization about its approach to cloud. With each question we have included additional points, as examples of what a good approach could look like, and potential red flags that might indicate all is not well with the program. At a high level, those questions are:
How is the use of cloud technology being governed within the organization? Is clear accountability assigned and is there clarity of responsibility in decision making structures?
How well does the use of cloud technology align with, and support, the organization’s technology and data strategy and, ideally, its overarching business strategy, so that the cloud approach can be tailored to achieve the right outcomes?
Is there a clear technical and architectural approach for the use of cloud that incorporates the controls necessary to ensure that infrastructure and applications are deployed and maintained in a secure state?
Has a skills and capabilities assessment been conducted, in order to determine what investments are needed across the organization?
How are the organization structure and operating model evolving, both to fully leverage cloud and to increase the likelihood of a secure and compliant adoption?
How are risk and control frameworks being adjusted, with an emphasis on understanding how the organization’s risk profile is changing and how the organization is staying within risk appetite?
How are independent risk and audit functions adjusting their approach in light of the organization’s adoption of cloud?
How are regulators and other authorities being engaged, in order to keep them informed of the organization’s strategy and of the plans for the migration of specific business processes and data sets?
How is the organization prioritizing resourcing, both to enable the adoption of cloud and to maintain adequate focus on managing existing and legacy technologies?
Is the organization consuming and adopting the cloud provider’s set of best practices and leveraging the lessons the cloud provider will have learned from their other customers?
Our conclusions in this whitepaper have been guided by Google’s years of leading and innovating in cloud security and risk management, and the experience that Google Cloud experts have gained from their previous roles in risk and control functions in large enterprises. The board of directors plays a critical role in overseeing any organization’s cloud-enabled digital transformation. We recommend a structured approach to that oversight and asking the questions we pose in this whitepaper. We are excited to collaborate with you on the risk governance of your cloud transformation.