The New Normal: Security Metrics and Cloud Computing

Just a few short years ago, cloud seemed like a far-away thought for businesses, a “nice to have” rather than a “need to have.” Now, cloud is becoming the new normal. Organizations of all sizes are seeing the benefits of cloud. However, as businesses move to the cloud, they must do so safely, and with a well thought-out plan in place. To achieve a safe cloud environment, however, the IT industry needs to enforce rigorous cloud strategies around the protection of policy, information, people and infrastructures. This includes implementing security metrics.

According to the Symantec 2013 Hidden Costs of Cloud survey, rogue cloud deployments are one of the pitfalls of the cloud. It is a surprisingly common problem, found in more than 77 percent of businesses within the last year. It also seems to be an issue experienced more by enterprises (83 percent) than SMBs (70 percent).

Controlling the Consumer

Information Technology is radically changing. We can wrap it in terms and buzzwords like cloud, mobility, BYOD, Web 3.0, but the reality is both the sum of and more complex than the names we give it. IT is no longer in the hands of the professionals. It’s not just the devices but all aspects: the networks, the software, the services, and the infrastructure have become so ubiquitous and cost effective that any individual can own and manage their own IT.

As information security professionals how can we bring any safety or security to this explosion of IT? It’s not as bleak as it sounds. Just as the current environment is the acceleration and combination of directions and trends from the past so our existing tools and controls provide a basis to manage this new world. Don’t go looking for one technology or process to solve the problem, because there isn’t one. We must be as flexible and agile as the industry.

Data Stored in the Clouds: Is Server-side Encryption Enough?

We have seen dozens of businesses pop up to help users store information in the cloud, both personal and business. The inherent benefits to data storage in the cloud are obvious: virtually limitless storage, no required maintenance or upgrades, and little to no administration overhead required. But what about the risks? You simply can’t ignore the security of the data you store in the cloud, particularly as the heat of constant cyber attacks intensifies. How can businesses trust that their data is safe when stored in third-party data centers?

Several factors play into the business decision to use cloud storage solutions today. One of these concerns the actual physical location of the stored data. This is especially relevant in today’s world of increasing government and industry regulation. Closely related to this is the need for privacy, which is itself an impetus for stricter regulations. Cloud providers deliver varying levels of service level agreements regarding the security of the information they store, and this information may need to be produced as part of legal proceedings. And yet, businesses can no longer afford to ignore one of the most significant drivers of cloud adoption – cost. The cloud can make storage far more cost-effective and workers more productive.

New Year, New Opportunity to Better Manage Risk

Every New Year brings new beginnings and the opportunity to start fresh. While most feel this on a personal level, it fits our work lives as well. Risk managers in an organization (a role normally taken by CISOs) will not only face the plethora of regulations they must follow, but also the effect of employees who bring their own devices into the workplace and utilize virtualized technology assets, big data and cloud computing. With ever-changing rules and technology, a typical CISO has their work cut out for them.

As we look forward into 2013, here are some of the risk management trends CISOs will face in the New Year:

  • A company will be breached despite passing compliance requirements. This will cause practitioners to focus their security programs on risk management rather than only compliance.

Be Careful What You Ask For…

A recent announcement by a large technology company that they’re not allowing use of iPhone Siri capability due to privacy and data loss concerns got me thinking about how far voice recognition technology has advanced the ability to use our voices, instead of typing, in a more fluent way to get technology to do something for us.  Voice technology, while it’s been around quite a while, has been a long time coming in a usable and seamless way. And technology like Apple’s Siri takes it to the next level by making it more ubiquitous. In this next instantiation of voice-driven workability, we now have a blending of mobile capabilities and cloud capabilities.  This combination offers a greater degree of flexibility and fluidity by extending the technology into the cloud and taking great advantage of honing the calibration of voice recognition on a dramatically large scale.

Vendor Risk Management in the Age of Everything-as-a-Service

Organizations now have more choices available than ever before when it comes to outsourcing information management and IT resources to third party vendors.  Cloud computing and everything-as-a-service is becoming more popular, and business units in an organization are choosing to conduct more projects with third parties.  In an environment where third party services are seemingly easy to use and quick to deploy, an organization’s liability and risk landscape can increase rapidly and with limited oversight.

Governance of third party vendors, assessment of risk, and remediation of unacceptable risks is critical to protecting an organization’s reputation, business, and customers.  IT Security, Legal, and Finance all play an important role in identifying third party vendor projects involved in accessing and managing an organization’s sensitive data.  IT Security has a responsibility to assess the risk of third party vendor projects and to ensure that the highest risks are addressed.

RSAC Panel Insights: Can Data Breaches Be Stopped, Really?

Can data breaches be stopped, really? This was the question posed by Larry Ponemon, chairman and founder of the Ponemon Institute, at the start of a panel discussion I attended at the RSA Conference last month. Experts on this panel seemed to agree on one answer – No.

The tongue-in-cheek response from James Christiansen, Evantix CEO and CISO, brought a room full of laughter when he said, “Yes, you just need to put the computer in a safe and bury it 30 feet underground.”

Jon Oltsik, an analyst at Enterprise Strategy Group, equated the situation to the war on drugs, “Border control may be able to capture some on the borders, but the problem continues to escalate and keeps getting bigger.”   John Townsend, Manager of Information Protection and Security, DTE Energy commented, “If we use the wall analogy, rather than having a brick fence what we now have is a chain link fence. While we have made some inroads, people are still not taking security seriously enough.”

Practical Risk Management – Part 1

It is time for information security to leave the nest of the data center. Consumerization and the cloud in all its forms and definitions have moved critical and sensitive information beyond the traditional system level security controls with which we are all familiar. How information is managed is no longer solely decided by information technology and system admins but the business as a whole. In order for information security to remain effective we must have a seat at the table for these business decisions. We must be able to speak in terms that the leaders of the business understand. We must speak the language of risk.

Security and the Price of Coffee

Usually when the topics of security and coffee are raised in the same sentence, one of two thoughts comes to mind:

  1. Very late nights in the past resolving a security incident
  2. Stalking (i.e. hackers breaching free Wi-Fi hot spot services at local coffee shops)

I strongly believe there should be a third:

  3. Leveraging a simple cup of coffee as a mechanism for breaking the ice and building a relationship with the leaders of business units within your organizations

Too many times I’ve walked in early to a customer meeting to find the IT Security group introducing themselves to the leaders of other departments within their own organizations for the first time.

This event is typically driven by an upcoming project to secure item “XYZ” which involves a new application or process.  Although this is a less than perfect situation, it is better than the alternative where the business does not consult IT security until the organization suffers a breach, possibly from this new project.

The Evolution of IT as It Moves to the Cloud

(Cross-posted from Symantec Connect)

Technologies such as virtualization and cloud computing offer the potential to reduce costs and improve operational efficiency – benefits organizations can’t afford to ignore. The shift to a cloud-based IT infrastructure is a goal for many, with 75 percent of enterprises at least discussing the implementation of these technologies. Whether you are just beginning to implement virtualization and private cloud computing or are already in the process, here are a few recommendations to give you the smoothest transition possible, based on the results of our 2011 Virtualization and Evolution to the Cloud Survey.