Cloud Strategy Challenges

Robert Brzezinski
Author: Robert Brzezinski, CISA, CISM, CHPS, Microsoft 365 Security Administrator, Azure Security Engineer
Date Published: 8 January 2021

I have had the privilege of working with organizations that adopted cloud strategies and were able to improve productivity for end users and optimize IT operations and cybersecurity. I have also worked with organizations that stepped into the cloud world, but struggled and ended up in a limbo that kept them from maximizing the potential and benefits of the cloud. So, what makes a difference? Why are some organizations more successful in cloud adoption than others? From my perspective, there are 2 factors that make a significant difference: clear, understandable strategy, and commitment to strategy execution. In other words, it comes down to leadership and management.

Successful cloud adoption can be defined in many ways and through many metrics: user productivity, system availability for business users, intuitive interface, better end user experience; better, more reliable IT service delivery, less system outages; automated systems deployment, management and maintenance; better, integrated security, easier monitoring, automated incident response minimizing incident’s impact; lower risk exposure, integrated audit and compliance capabilities minimizing time and effort needed to meet regulatory obligations, etc.

Every organization will use slightly different sets of success metrics and indicators, but at the end of the day, leadership will want to know the answers to the following questions:

  • Can the organization deliver its services or products and serve its clients and constituents without interruptions?
  • How resilient and how competitive is the organization?
  • Has the organization’s transition to the cloud resulted in lower or higher IT, security and compliance costs?
  • Was the organization’s investment in the cloud a wise decision in context of improving resiliency and competitiveness?

Executive leaders in organizations experiencing success with cloud adoption seem to understand and support the IT and cybersecurity leaders developing and implementing their respective strategies, which should be communicated clearly using business terms and without jargon. Chief information officers (CIOs) and chief information security officers (CISOs) are trusted to provide a supportive nudge in the right direction when needed. They also understand that cloud is a game changer; it transforms how they do business and, as such, it may require process changes to deliver better outcomes.

Executive leaders in organizations experiencing success with cloud adoption seem to understand and support the IT and cybersecurity leaders developing and implementing their respective strategies.

Other key success factors in these scenarios include inclusive decision-making about technology adoption and business solutions, effective 2-way communication that involves educating one another about business, technology and security needs. What this boils down to is hiring the right people for technology leadership roles: people who are familiar with cloud technology, are able to differentiate between business needs and wants, understand business constraints (e.g., prioritizations, performance indicators, budgets) and are not afraid to say no as needed. A successful technology leader should not be afraid to challenge the status quo and can put together and present a cohesive strategic plan to meet their organizational objectives.

You may be familiar with the balance scorecard (BSC) management concept. The 2008 book The Execution Premium discusses linking strategy to operations and emphasizes the importance of strategy execution for creating competitive advantage.1 The success of your cloud adoption will depend on your organization’s commitment to the chosen cloud strategy. For some organizations, cloud-only or cloud-first strategies will make the most sense, while for others, hybrid-cloud and multicloud environments will become ultimate goals or a transitional reality in their journeys to cloud optimization. The ISACA® white paper Managing Security Impacts in a Multicloud Environment expands upon this idea.

Regardless of your final objective, it is important to:

  • Stick with the cloud adoption plan/road map and obtain a written commitment.
  • Periodically communicate progress and challenges to leadership and update the road map. Commitment is about sticking with the strategy when implementation projects do not go as planned.
  • When leadership changes are imminent, it is important to select technology leaders who can support your strategy. Continuity of strategy execution is as important as continuity of business operations. It is also important to select vendors and contractors who can support your strategy instead of allowing managed service providers (MSPs) or vendors to drive your organization’s strategy–organizations of all sizes must own IT, cybersecurity and compliance.
  • Most important, when discussing challenges and options and seeking second opinions from outside advisors, include all interested parties in those conversations as things can get lost in translation, especially for nontechnical individuals.

There are several principles you can use to help identify and develop more effective cloud strategies:

  • Simplify—A “good-enough” solution with less complexity is better than 5 of the best solutions that create significant integration complexity or cannot be integrated at all. Integration is challenging for many systems, including operations and security. Using native cloud service provider (CSP) solutions focusing on built-in capabilities shifts many integration and interoperability challenges to CSP.
  • Less is more when it comes to IT environment and systems architecture—While I believe that less hybrid, more cloud assures better functionality, operations and security, this approach relies on Internet connectivity, which may be a weakness for certain systems or organizations as private Internet connections may be not affordable for smaller organizations, and some systems may require total isolation.
  • Focus on identity-driven security and access controls—Identify a reliable, single source of truth for managing and securing assets. All cloud resources have identities (i.e., users, applications, storage, virtual machines [VMs], application programmable interfaces [APIs]).
  • Select a strong, dominant CSP and build a cloud strategy around its baked-in capabilities—Strong CSPs’ modern technology, security and compliance capabilities should be verified by independent sources to meet your organization’s security and compliance requirements. Keep an eye on modern CSPs’ technologies that can improve hybrid environments.

Cloud may not be for everyone, and it may not address all of your organization’s challenges. However, cloud provides access to modern technologies that were either not available or not affordable in the past, without heavy infrastructure investments, and cloud service can provide the benefits of economies of scale for operations, security and compliance. So select CSPs wisely, implement skillfully and optimize continuously.

Endnotes

1 Kaplan, R.; Norton, D., Execution Premium: Linking Strategy to Operations for Competitive Advantage, Harvard Business Press, USA, 2008

Robert Brzezinski, CISA, CISM, CHPS, M365 Security Admin, Azure Security Engineer

Is a security professional focused on cloud productivity and cybersecurity technologies. He specializes in Microsoft Cloud technologies such as Microsoft 365 and Azure security tools. He helps organizations understand and take full advantage of Microsoft security architecture to effectively and efficiently protect their users; to streamline and automate IT operations; integrate security across different environments (e.g., on-prem, Azure and other clouds such as AWS); improve and de-duplicate security, compliance and auditing efforts; and execute better cybersecurity, compliance and IT strategy. Brzezinski also provides subject matter expertise for information security, privacy and regulatory compliance (e.g., the US Health Insurance Portability and Accountability Act [HIPAA]) for small- and medium-size organizations. In addition to fractional CIO/CISO services, he creates comprehensive risk assessments and implements risk management plans and cloud-focused IT and cybersecurity strategies to manage organizations’ risk exposure more effectively.