Security Think Tank: CISOs should be first stop on the way to cloud

Hybrid cloud environments provide the most flexibility, but how can businesses decide when public or private cloud is more appropriate?

The most compelling reason for any business to look towards the cloud is cost, with security and privacy usually way down the list. Whether a business opts for a public or private cloud depends on what it is willing to spend.

Cost is usually followed by concerns around availability. Businesses typically opt for a private cloud where they want tighter controls around service level agreements and uptime guarantees, as public cloud arrangements generally cannot offer the five or six nines that larger businesses mandate.

Once business executives have made up their minds about how much they are willing to spend and what service levels are acceptable, they will either just go ahead and purchase a cloud solution or, if in a good mood, might run it by their chief information security officer (CISO).

It has to be said that most CISOs get somewhat annoyed about being left out of the loop and having to make snap decisions on whether or not businesses should really be venturing into the cloud, especially at the last minute. 

When security and privacy are weighed in deciding whether public or private cloud is more appropriate, the best approach is for businesses to involve their CISOs at a very early stage. That way, the time and effort put into researching the best possible cost and availability options is not wasted, and businesses make a sound, balanced decision that embraces cost, availability and security.

With regard to privacy, engaging a cloud provider means giving a third party your data. If your data is really that sensitive and you are selling nuclear missile components, then please do not put your blueprints in the cloud.

Tim Holman is president of ISSA-UK and CEO at 2-sec.
