Security testing: why are cloud customers loath to be proactive?

Opinion Davey Winder Jan 21, 2013

Companies have been reluctant to test their cloud setups before deployment but retrospective action can be expensive

When IT recruitment consultancy Robert Half Technology surveyed 250 senior IT decision makers at the end of 2012, it revealed one of those all-too-often unspoken truths: most CIOs choose a cloud vendor without bothering to put their security systems to the test.

This despite 84 percent of the very same respondents, in the very same survey, insisting they were either 'concerned' or 'very concerned' about the risk of a security breach. That 55 percent of the CIOs questioned simply haven't tested the security procedures supposedly put in place by their cloud vendor should be something of a wake-up call.

Nobody, least of all me, is going to sit here and smugly say it's a no-brainer and these CIOs are guilty of incompetence. The business reality is a lot more complex than that. With budgets being stretched more than trackie bottoms on a fat bloke, something inevitably has to give. The results of this research, however, suggest that what is being broken is an understanding of the true cost of insecurity on the bottom line.


CIOs have to juggle a lot of things, not least the trade-off between the cost savings that a speedy migration to the cloud can achieve and the risk of not thoroughly investigating the security concerns raised by those in the know. Unfortunately, I think that all too often during this juggling extravaganza CIOs are dropping the cloud security ball. A cursory glance at a cloud vendor's claims is not enough, and those who maintain that security is taken care of simply because it is part of the service contract have obviously not been to SpecSavers recently.

It is short-sighted in extremis to believe that the damage done by a data breach can somehow be mopped up by triggering some contractual compensation clause, assuming, of course, that such a clause even exists, let alone is enforceable.

Forget the oft-claimed reasoning that the Information Commissioner's Office (ICO) power to fine a business half a million quid for a data breach is the main cost to a company following such a breach.

For one thing, the ICO might have (virtual) teeth but, truth be told, it rarely gives anyone more than a nasty suck. And anyway, the true cost hits the business bottom line in terms of recovery: restoring systems after a breach and maintaining business continuity, regaining the security upper hand to ensure it doesn't happen again and, arguably most costly of all, recapturing the trust and goodwill of those you do business with following the reputational tanking a breach quite rightly brings with it.

What CIOs should be doing is placing a higher priority on security assurance rather than insecurity insurance. They need to be managing the IT security risk before the migration to the cloud happens, not reacting after a breach reveals holes in a cloud vendor's approach to securing data.

I'm pleased that the research I mentioned earlier reveals that 45 percent of CIOs are testing cloud vendors' security systems and procedures, and that some kind of auditing is taking place, but that number has to rise if the risks of a cloud-based breach are to fall. With 11 percent of the CIOs questioned admitting to taking no proactive security risk action, and only 13 percent engaging an external audit provider, I fear that this is not the last time I will be writing about this subject...

Davey Winder


Davey Winder has been covering the IT security beat for the last 20 years. Along the way he has won the 'Information Security Journalist of the Year' title no fewer than three times, and in 2011 he received the Enigma award for his lifelong contribution to information security journalism.