Hidden allies: CCOs are guardians for a secure and compliant cloud migration
Office of the CISO
There are easier ways to do digital transformation projects, and harder ways. One of the keys to unlocking an easier path is to involve chief compliance officers early and often — they're vital to avoiding unnecessary regulatory headaches and costs.
When approaching cloud migrations, technology leaders often prioritize defining and implementing the IT architecture and security controls. This can leave certain regulatory compliance-related questions to be addressed only as the migration demands their resolution, causing needless friction within the organization and delays, especially if they require the revision of otherwise-mature plans.
That approach can be a missed opportunity to recognize compliance officers as hidden allies for digital transformation. Their participation in the organization’s cloud transformation strategy from the outset can help reduce the organization’s regulatory risk while modernizing how it manages regulatory compliance.
CCOs can be a true “value-add” to organizations when they are routinely included in the decision making and strategizing process, explained Peter Driscoll, Director of the SEC’s Office of Compliance Inspections and Examinations, at an SEC compliance seminar.
“By keeping up with regulatory expectations and new rules, they can assist in positioning their firms not only to avoid costly compliance failures, but also provide proactive compliance guidance on new or amended rules that may provide advisers with additional business options,” Driscoll said.
We recommend including compliance teams as early as possible in cloud strategy conversations so that chief compliance officers can support the organization’s overall approach to the cloud, and identify the rules and regulations that will be impactful. In partnership with IT teams and risk-management counterparts, compliance leaders can help define the necessary processes and controls to meet internal policy and external regulatory objectives.
A more holistic approach to Risk Governance of Digital Transformation in the Cloud, with engagement from compliance stakeholders and other second line of defense teams, typically yields better results and enables a more streamlined cloud governance process that incorporates various regulatory considerations. These include:
Outsourcing risk management
Business continuity, disaster recovery, and incident response
Data privacy and protection
Scalability, reliability and resilience
Enabling compliance teams
Confronting questions about compliance requirements as an afterthought, rather than incorporating the compliance team early and holistically in the overall cloud transformation process, can cost an organization time and money. Mistakes in adhering to regulations such as the U.S. Office of the Comptroller of the Currency’s Outsourcing Guidelines, the EU’s GDPR, and the Security Standards Council’s PCI DSS can be costly — from financial and reputational perspectives. Choosing a cloud partner who builds compliance into every level of its technology and its guidance will help ensure regulatory considerations won't be an afterthought.
While compliance questions can seem daunting, resolving them early in the digital transformation process can help organizations move faster and be more resilient, said Jeanette Manfra, senior director of Global Risk and Compliance for Google Cloud.
“Ensuring risk is appropriately managed while also helping an organization modernize and grow is one of the primary tasks of the chief compliance officer. Leveraging the expertise of the compliance team early in the cloud journey is critical to fully realizing the opportunities cloud presents,” she said.
A compliance officer’s role as an advisor is just the beginning of an ongoing partnership with cross-functional stakeholders throughout the organization. Comprehensively identifying all relevant requirements for cloud migrations is difficult. Guided by the types of data and applications that the organization plans to host in the cloud, compliance officers must juggle multiple jurisdictions, regulatory bodies, and risk-based analyses in assessing applicable regulatory requirements and related controls — in this complex, rapidly evolving environment, that can lead to costly mistakes.
Besides advising on the initial migration to the cloud, compliance officers should continue to support cloud initiatives by providing their insights and expertise on subsequent data and application workload migrations. They consider whether established controls are reasonably appropriate to meet regulatory requirements, and whether new or revised rules or regulations have been published that impact those controls.
Financial services firms, for example, often operate across multiple regions and jurisdictions, and are subject to a complex and dynamic patchwork of regulations. As such, it’s wise to consider identifying dedicated compliance officers for each region the organization operates in. These compliance experts should be well-versed in local requirements, and therefore best-placed to advise on their applicability, to articulate nuances that may impact cloud-related policies and controls, and to help guide the cloud controls framework.
Notably, this shouldn’t be a one-off exercise, but a continuous partnership throughout the governance process, where compliance officers can:
Serve as the subject-matter experts and central point-of-contact for compliance, guiding the transformation process regardless of organizational boundaries, and developing expertise in cloud by taking advantage of whitepapers and additional resources on topics including cloud security, privacy, and risk governance;
Understand how cloud adoption will impact the organization’s approach to risk management, and plan to update processes accordingly;
Help streamline future reviews of data and workload migrations by identifying the baseline requirements provided to cloud teams. While this may seem obvious to some, once those baseline requirements have been met, subsequent reviews can focus only on any outstanding items, reducing the time and effort required;
Ensure a clear understanding of the role of the cloud provider in compliance and the requirements on your organization to meet compliance obligations; and
Take advantage of cloud adoption to improve control implementation and monitoring. Cloud platforms can provide landing zones for regulated workloads that establish guardrails, enforce service restrictions, implement baseline controls, and automate other operational measures that help ensure that deployments are aligned to policy and regulatory directives.
Once agreed upon, compliance requirements can then be shared with the appropriate teams through policies and procedures that articulate the relevant security, privacy, and regulatory requirements; the implementation of controls; and training to promote knowledge-sharing throughout the organization that contextualizes and defines the overall regulatory requirements and corresponding control objectives.
Building more robust internal partnerships
We firmly believe that cloud computing will continue to serve customers, including financial services institutions, as a key enabler that provides the scale, reliability, and resilience that customers need. Cloud also will enable the controls and solutions customers need to accelerate their businesses by leveraging cloud-based efficiencies to drive digital transformation.
Empowered and informed compliance officers can be an invaluable resource who can help propel an organization toward achieving its digital transformation objectives in a way that’s secure and, of course, compliant. As with any large initiative, it takes teamwork and partnership to achieve success. Be sure to engage your compliance officers early and often, as they can be valuable advisers who help the organization navigate an increasingly complex regulatory environment and ensure all relevant requirements have been considered.
To learn more, visit the Google Cybersecurity Action Team site, check out our Compliance Resource Center, and guidance on Assuring Compliance in the Cloud.