How to convince your CEO that the cloud is secure

Convincing senior management that the cloud brings functional and financial benefit to the business is not a hard sell. The same, sadly, cannot be said when it comes to the security argument.

With so many media headlines painting the cloud as an insecure place for your data to reside, most often erroneously courtesy of a misunderstanding of the nature of the breaches involved, it's perhaps not surprising that something of a culture of cloud mistrust has crept into the boardroom. Most of the biggest data breaches which resulted in the loudest media reporting were enterprise system breaches and did not involve the cloud, yet there are fewer headlines proclaiming how insecure your network is than there are dismantling cloud trust.

Unfortunately, the consequences of this are twofold: organisations may miss out on the benefits of cloud migration and, ironically, data could be less secure outside the cloud rather than in. Convincing your CEO that the cloud is a secure place to do business is key, but how do you buck the cultural trend and do that?

Actually, it's not that difficult to argue the case for cloud security; you just need to examine the facts of the matter and convey these to the board in a calm and straightforward way. One of the best places to start is with how your organisational peers are thinking.

There's nothing like exposing a feeling of being a little behind the times and off-trend to get things moving in the right direction. A study of the enterprise cloud market across 2014 revealed that not only did 65 per cent of the business leaders asked state that they didn't think that use of the cloud compromised data security at all, but 36 per cent actually suggested that security was improved by it. This makes sense, especially when looking at the smaller end of the enterprise spectrum, where SMEs are statistically unlikely to have either the budgets or, in many cases, the technical capability to provide the level of security that the cloud brings by default.

There's even an argument to be made that the bigger players probably have more expertise and certainly more budget to throw at the risk management equation than most enterprises regardless of size. You want statistics with that? OK, well a recent Alert Logic 'State of Cloud Security' report found that on-premises environments were hit by an average of 61.4 attacks per year, whereas for service provider environments such as the cloud the figure was only 27.8 attacks. Still think the cloud is generically more vulnerable than the enterprise network?

That said, you have to remain sensible and balanced in your arguments or they fall apart at the seams. Not every cloud scenario is going to be more secure than every on-premises scenario; that's a given, just as much as the vice-versa statement. However, assuming that remote storage of data automatically means it is less secure than when stored within your own network boundaries is not correct.

Just because the average CEO may think this way does not make it fact. So explain how this perception is flawed, and ask why, if it were accurate, so many organisations have been making use of third-party datacentres for so long without the same levels of hysterical concern. Sure, security is a prime consideration within the datacentre environment, but it hasn't been an insurmountable challenge, and nor is it if that datacentre is a virtualised and cloud-based one. As with the 'traditional' datacentre marketplace, so the cloud has become a hugely competitive arena where, in order to survive, each player has to show it takes security seriously. This means going the extra mile to ensure the basics of firewalling, access authentication and physical security protocols are not only met but are surpassed.

The most convincing argument that can be aimed at the CEO, however, when it comes to cloud security is that it actually changes nothing. Yes, there are issues surrounding sovereignty and privacy, and there are privacy implications which can impact upon compliance regimes; these are the fine details that need to be applied no matter how your data is stored and processed, they are not the broad brush strokes of a secure environment. The truth is, and the driving force behind the 'nothing changes' statement, that data security is data security regardless of where that data resides and who owns the servers it sits upon. Thinking of cloud security, any security, in terms of a hardware-dominated discussion misses the point: it's all about the data, stupid.

If your data itself is properly secured then the storage endpoint becomes less of a risk factor, and simply being overly suspicious of the cloud because it is 'a server out of your control' is missing the point by a country mile. Your data in the cloud is as secure as you want it to be, provided you take data security seriously and make it your primary concern. If you can convince the CEO that determining the real value of data and securing it according to the true cost of loss is key, no matter its location, then all of a sudden the cloud becomes a less scary place.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.