Keeping data in your own data center feels like the right choice. After all, it’s your business on the line.
Yet the largest application cloud providers have even more at stake in terms of their businesses and reputations. They are responsible for protecting the information of thousands of companies, and that’s why they’ve invested in the best security money can buy. To earn the trust of their customers, they’ve hired the best people, deployed the best tools, implemented the best processes and collected the most comprehensive intelligence available on potential threats. Their brands depend upon their success at protecting their customers.
As employers, cloud providers offer security professionals a rare combination of intellectual challenge, high compensation, and sense of purpose. Most organizations cannot match that level of commitment to resources, training, and mission.
If you’re handling data security by yourself, you’re probably not as good as you think you are. Just ask a CEO whose company has suffered a headline data breach whether the company had felt protected prior to the incident. You’re likely to hear a “yes.” That’s the difficult aspect of managing security — all of your extensive preparations and defenses convey a sense of protection. If nothing happens, overconfidence sets in.
Recently, we’ve been working on cybersecurity remediation with a company that suffered a major breach. Before the breach, the company thought it was doing a great job. After the breach, the company ended up boosting its cybersecurity spending by a factor of 20, i.e., a 2,000% increase on a single line item.
What about next year, or the year after? Cyber threats, including targeted commercial attacks sponsored by hostile governments, are getting more and more ominous. Those threats indicate a growth path of inflating costs with no end in sight.
Do-it-yourself (DIY) security represents an open-ended commitment to spend whatever it takes to achieve an adequate level of protection, and “whatever it takes” can grow exponentially. That’s why, from a financial perspective alone, it makes sense to contain the growth of those expenses by outsourcing as many applications as possible to cloud providers.
We recommend that companies focus on creating and enforcing policies in such areas as mandatory encryption, location-aware access controls, data retention, and data usage. As for the technical details of defending web servers, networks, databases, and storage, for your critical applications, let someone else handle it.
Yet despite the benefits, company executives tend to resist moving critical applications and data to the cloud. Part of the problem is that nobody wants to change business processes. Moving to the cloud isn’t easy, as it may involve a loss of control or flexibility for some applications. Still, it’s better to work through this one-time adjustment than it is to accept a future of annual runaway increases in infrastructure security costs.
Even if it’s difficult, the transition to the cloud is well worth the effort. In addition to having better protection against cyber attacks, cloud providers also offer higher reliability and broader accessibility than organizations can deliver to customers on their own.
Further, we’ve found that companies in the cloud also execute better on M&A by virtue of having to untangle fewer messy IT integration challenges. With cloud infrastructure, you’re better prepared to make deals based on business value.
Cloud providers are already protecting important customer data for governments, financial institutions, and other holders of sensitive data. And unless you’re ready to spend without limit on your own private defenses, you’re better off under the protection of the most heavily fortified organizations in the world.
Chip Wentz is an executive director for Ernst & Young’s advisory services group.