McKinsey: Business-Focused Risk Management Balances Cloud Value
By Marie Lingblom
Pre-cloud information security typically focused on control: policies that limited the access of IT managers and end users in order to reduce the likelihood of data loss, privacy breaches or noncompliance with regulations.
A new McKinsey & Company report by authors James Kaplan, Chris Rezek and Kara Sprague includes a section devoted to a shared belief that cloud computing has made a business-focused risk-management approach necessary, one that engages business leaders in making trade-offs between the economic gains that cloud solutions promise and the risks they entail.
There are not yet any hard-and-fast rules, note the authors, but some rough principles for managing cloud-information risk are emerging. Besides tracing the evolution of cloud models, McKinsey’s report underscores the importance of implementing a business-focused approach.
A comprehensive risk-management approach for cloud computing, they say, must now move beyond technology solutions and the IT department. Design and implementation should cover the policies, skills, capabilities, and mind-sets required of the IT and risk-management organizations, as well as the operating units. Methodology should include several elements such as transparency, risk appetite and strategy, risk-enabled business processes and decisions, risk organization and governance, and risk culture.
Transparency about the risks of breaches of confidential business information, intellectual property, and regulated information is essential to protecting sensitive data, say the authors. Because cloud platforms are centralized, they offer an expanded view of operational data. That allows managers to assess risks, discover breaches, design guidelines based on trade-offs between risk and value, and in many cases automate the enforcement of these guidelines.
The McKinsey authors say to a large extent, the rules for the data certain groups of employees are authorized to access and the data that must remain in the private cloud can be enforced by the cloud platform itself. That means data on the company’s quarterly financial results, for instance, can be automatically blocked from leaving the secure environment of its private cloud until results have been officially released.
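The platform-enforced rule described above, where group authorization and an embargo date are evaluated before data may leave the private cloud, can be sketched as a small egress policy check. The following is an added example written for this summary, not code from the McKinsey report; the asset names, groups, zones and release date are constructed for illustration.

```python
"""Egress policy gate for a private cloud (illustrative, constructed example).

Each data asset carries a classification, the groups allowed to read it,
and an optional embargo instant. A transfer request is allowed only when
the caller is authorized, the embargo (if any) has lifted for moves out of
the private zone, and the classification permits the destination.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, Optional

# Destinations ordered from most to least trusted (constructed zone model).
ZONES = {"private": 0, "public_cloud": 1, "external": 2}


@dataclass(frozen=True)
class DataAsset:
    name: str
    classification: str                 # "public", "internal" or "restricted"
    authorized_groups: FrozenSet[str]   # groups permitted to read the asset
    release_at: Optional[datetime] = None   # embargo lifts at this UTC instant


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate_egress(asset: DataAsset, user_groups: FrozenSet[str],
                    destination: str, now: datetime) -> Decision:
    """Decide whether `asset` may be moved to `destination` by a caller in `user_groups`."""
    if destination not in ZONES:
        return Decision(False, f"unknown destination {destination!r}")
    if not (user_groups & asset.authorized_groups):
        return Decision(False, "caller is not in an authorized group")
    # Embargoed data stays inside the private cloud until release, whoever asks.
    if asset.release_at is not None and now < asset.release_at \
            and ZONES[destination] > ZONES["private"]:
        return Decision(False, f"embargoed until {asset.release_at.isoformat()}")
    if asset.classification == "restricted" and destination == "external":
        return Decision(False, "restricted data may not leave the company")
    return Decision(True, "policy satisfied")


def audit_line(user: str, asset: DataAsset, destination: str,
               decision: Decision, now: datetime) -> str:
    """Render one audit record so every allow/deny is visible to risk managers."""
    verdict = "ALLOW" if decision.allowed else "DENY"
    return (f"{now.isoformat()} egress user={user} asset={asset.name} "
            f"dest={destination} result={verdict} reason={decision.reason!r}")


# Constructed sample assets: quarterly results under embargo, and customer records.
Q3_RESULTS = DataAsset(
    name="q3-financial-results",
    classification="internal",
    authorized_groups=frozenset({"finance", "exec"}),
    release_at=datetime(2024, 10, 24, 12, 0, tzinfo=timezone.utc),
)
CUSTOMER_RECORDS = DataAsset(
    name="customer-records",
    classification="restricted",
    authorized_groups=frozenset({"support"}),
)

if __name__ == "__main__":
    before = datetime(2024, 10, 23, 9, 0, tzinfo=timezone.utc)
    after = datetime(2024, 10, 25, 9, 0, tzinfo=timezone.utc)
    for user, groups, asset, dest, when in [
        ("alice", frozenset({"finance"}), Q3_RESULTS, "public_cloud", before),
        ("alice", frozenset({"finance"}), Q3_RESULTS, "private", before),
        ("alice", frozenset({"finance"}), Q3_RESULTS, "public_cloud", after),
        ("bob", frozenset({"marketing"}), Q3_RESULTS, "public_cloud", after),
        ("carol", frozenset({"support"}), CUSTOMER_RECORDS, "external", after),
    ]:
        d = evaluate_egress(asset, groups, dest, when)
        print(audit_line(user, asset, dest, d, when))
```

The check is deliberately ordered so the cheapest and most general denial (not authorized at all) comes first, the time-based embargo next, and the classification rule last; the audit line exists because the report's transparency point depends on every automated allow or deny being observable, not just enforced.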
At the same time, for organizations involved in wholesale cloud migrations, roles and responsibilities require more significant organizational changes. For instance, some specialized roles, such as server or network managers, would necessarily transition to a broader role, such as that of an integrated service manager.
McKinsey’s authors say these types of service managers will be well positioned to steward business risks. They say it’s partly because their perspective is more comprehensive than that of specialized managers, for example, when making judgments on when to use private- or public-cloud resources.
Nonetheless, the democratized nature of cloud purchasing and usage creates risks, caution the authors, that automated guidelines cannot fully address. For instance, wireless devices that can access cloud computing anytime and anywhere extend the reach of the information infrastructure, but in doing so they also make the information more vulnerable to breaches.
Noted among the risks: lost or stolen devices with sensitive data stored on them. So the mind-sets and behaviors of line staff and managers have a great bearing on cybersecurity. In response, organizations must drive risk awareness across the organization and provide risk orientation for all employees. Linking compliance to compensation through clear metrics reinforces the culture shift, say McKinsey’s authors.
The heart of McKinsey’s message moving forward? Risk management with a balanced, business-wide focus is the best way for enterprises to protect data while taking advantage of the efficiency and flexibility of cloud environments.