CIOs, it is time to have a frank and open discussion with your staff. This conversation may be difficult or awkward, as it involves topics such as consent, privacy, and appropriate protection. Yes, you need to speak with your staff about the organization’s cloud strategy, and any deployment or security issues that they are facing.
Cloud First strategies are predominantly driven from the top-down, per McAfee’s 2017 cloud adoption and security report However, for many of the organizations involved in the study, there appears to be a slight disconnect between the C-suite and staff. Overall, C-level executives, such as CIOs, CSOs, and CISOs, displayed a more positive attitude towards cloud-based operations than the non-executive respondents.
Within your organization, it is important to uncover any gaps in perception and determine what is causing them. Are the reasons for a Cloud First strategy not getting clearly communicated down the chain? Are your staff seeing operational issues that are not making it to your office? Or is your staff concerned that cloud adoption is putting their jobs at risk.
The McAfee 2017 cloud study provides some valuable clues and discussion points for your staff meeting. Based on the survey results, 92% of execs stated that they are following a Cloud First strategy, but only 80% of staff agreed. There were also significant gaps in the number and types of cloud services in use, amount of sensitive data stored in the cloud, and plans for future cloud investments. An organization-wide inventory of cloud services in use, data types and locations, and budgets would be an excellent way to start the meeting. The results of this inventory will likely surprise most people in the room, and form the foundation for a discussion of operational and staffing concerns.
According to the survey, the biggest gaps in operational concerns between staff and executives relate to costs, compliance, unauthorized access, and Shadow IT. Staff were more concerned about costs than executives, which may be directly related to lack of information about budget plans, mentioned above. However, staff were also more concerned about unauthorized access to sensitive data and their ability to maintain compliance with regulations than the execs. These concerns should be the focus of a deep dive across the organization, to identify whether there are significant gaps in security and privacy controls. At the same time, executives were more concerned about Shadow IT than staff. When Shadow IT apps are found, staff were more likely to favor blocking access to unauthorized applications, while execs preferred data loss prevention tools. Depending on the results of y our discussion, clear communication throughout the organization about the risks and consequences of Shadow IT appears to be needed.
Finally, staff may feel that they lack the necessary job skills for a Cloud-First IT department. Over half of the executives reported that they have slowed their cloud adoption due to a skills shortage, and almost a third reported that they are continuing despite a skills shortage. However, the execs ranked this concern lower than staff did, which may be inadvertently sending the message down the chain that staffing changes are coming. Based on earlier research from McAfee, it is easier and more effective to invest in security training for existing staff than to find and hire experienced security professionals.
The transformation to cloud services is having a significant impact on the efficiency and effectiveness of organizations of all sizes, and the IT department is probably impacted more than most. Based on the results of this study, there are some small but possibly significant gaps between C-level executives and their staff, that should be addressed before they impact the organization’s security posture.
For more details on cloud adoption and security, download the 2017 McAfee cloud report, Building Trust in a Cloudy Sky.