Maksim Kabakou - Fotolia
Cyber leaders must make better use of risk experts
The Computer Weekly Security Think Tank considers how security leaders can help assure access to the new and innovative cloud tech while minimising risk and ensuring they do not fall foul of regulators.
Clients should have clear expectations of a cloud SLA, and if a provider falls short, they must be held accountable. Equally, clients have a responsibility to understand what the SLA does and does not cover, so they know exactly what they are purchasing.
Too often, disconnects arise when procurement teams negotiate contracts without fully understanding the operational requirements, leaving IT and security teams with an SLA that doesn’t meet their needs.
Outsourcing is sometimes approached purely as a cost-saving exercise, rather than a way of improving service quality. This mindset can lead to superficial comparisons across providers, chasing the lowest price rather than focusing on value. Inevitably, compromises follow.
To avoid this, buyers must carry out proper due diligence and identify the SLA’s true “must haves” versus “should haves.” Overloading the SLA with every requirement risks demanding a “gold service” that few providers can meet. On the other hand, accepting too many compromises increases risk, so organisations need a clear understanding of their risk tolerance.
Read more about cloud risk
- Geopolitics, data sovereignty and rising costs are driving a change in cloud thinking, but it’s slow progress.
- Familiar cloud concerns are being overshadowed by geopolitical volatility, pushing IT strategy into the boardroom. Organisations must now assess the full spectrum of cross-border dependencies to build true resilience.
- Opportunity exists for the channel to help customers struggling to manage their cloud and hosted environments.
It’s also critical to align the SLA with business objectives. What is the organisation trying to achieve with the new platform? What is the minimum viable product (MVP)? Everything beyond the MVP is a “nice to have.”
This requires decision-makers to not only understand risk but also to articulate it effectively and plan how to manage it. Risk management doesn’t always need to be technical—non-technical controls and governance can also play a major role.
Often, this process highlights an organisational disconnect: procurement may be expected to eliminate risk, which is unrealistic. Eliminating risk is not the same as managing it.
By definition, adopting new, innovative, or untested technology carries risk, but it also carries potential benefits. Organisations must weigh the risk against the possible upside: improved efficiency, better client service, enhanced staff support, or greater agility.
When advocating for innovative platforms, IT and security leaders should reframe the conversation. Instead of only asking, “What is the risk if this fails?” they should also ask, “What is the reward if this succeeds?” This balances the discussion and helps decision-makers see the potential value alongside the risks.
To successfully adopt new technology while minimising regulatory exposure, IT and security leaders need to work closely with risk managers.
Risk professionals can help define the organisation’s risk appetite and tolerances, ensuring risks are managed, not simply minimised. Too often, risk management in cyber security is framed around risk reduction at all costs, which stifles innovation.
By integrating risk managers into procurement and decision-making, organisations can strike the right balance: enabling innovation while staying within acceptable risk boundaries.
The Computer Weekly Security Think Tank on cloud risk
- John Bruce, Quorum Cyber: Bridging the SLA gap: A guide to managing cloud provider risk.
- Aditya K Sood, Aryaka: SLA promises, security realities: Navigating the shared responsibility gap.
