Approaching Cloud Security from a Business Systems Perspective
One of the biggest conundrums facing cyber security policy makers is the puzzling question of why the issue is not self-correcting. If it is true that enterprises are losing, or at least are apparently at risk of losing, so much due to poor cyber security, why are they not increasing their investment in security practices and technologies sufficiently to solve the problem?
A number of recent articles have attempted to address this conundrum, pointing out that consumers place a comparatively low value on security; that the interconnected nature of cyber systems dislocates the harms of vulnerabilities from the source of the vulnerability; that some attacks, such as those perpetrated by state-sponsored groups, may be unresponsive to commercial economic concerns; as well as other variables.
However, one argument that may have particular relevance to the case of cloud computing is that many enterprises are structured on a 20th century model that is inconsistent with the horizontal nature of modern cyber-based enterprises. These advocates, such as the Internet Security Alliance and the American National Standards Institute, suggest that these structural flaws may lead organizations to underestimate the true economic nature of the cyber threat because they see cyber security as primarily an “IT” issue, wherein the appropriate metrics for measuring the effect of cyber failures are things like “downtime” and IT repair costs. In many cases downtime and repair costs are minimal compared to the real economic threat due to loss of corporate IP and brand loyalty and other factors not generally considered as part of the “IT” security conversation.
Moreover, the single biggest category of cyber attacks is not hackers breaking in from the outside, but insiders who may already have access to the technological controls. As a result, human resource management may be as important as software upgrades in enhancing cyber security, but such countermeasures may well be underappreciated in a security model presumed to be primarily technical. In addition, legal, purchasing, finance and procurement departments may place cyber security at a lower priority in completing their jobs since it is “IT’s problem” and thus may unwittingly undermine otherwise sound policies.
In truth, cyber security is not really an “IT” issue, but rather an enterprise-wide risk management issue that needs to be managed not by the CIO or CISO (although obviously they need to be central to the discussion) but by a cross-organizational team, complete with a cross-organizational budget. In addition to representation from IT and finance, this team needs to include contributions from the HR, communications, legal/compliance and risk management departments. Moreover, the group needs to be headed by someone with cross-organizational authority such as the CFO, the CRO or even the CEO, or at minimum someone reporting directly to these senior, enterprise-wide officers.
Research conducted by ANSI and ISA over a two-year period illustrates that these disparate portions of the organization not only have a substantial impact on the strength of the cyber system they all use, but have clearly different perspectives on the issue and different roles to play in analyzing it. Only if the whole organization that uses the system is involved in the enterprise protection strategy, with a full understanding of the issues, will appropriate solutions be realized.
In a recent article, Claude R. Baudoin illustrates the problem created when business units push to adopt cloud strategies in order to achieve their narrow, though valid, departmental goals, and the complications this creates for organizational governance:
“While IT itself may not fully understand these architecture issues, there are definitely things that the business overlooks when they read about how easily they can now procure services in the cloud… and the very organization that should arbitrate between the business, IT, and the suppliers may lack the knowledge to do so well… The executives should help IT ‘sit at the adults’ table’ in order to help govern the entire enterprise, not just because IT holds the critical asset—information. For example, issues with serious legal and financial impact, such as data resiliency, can become uncontrollable if cloud sourcing is done improperly. Therefore, the CFO and the legal counsel cannot just tell the CIO to go away and make it happen. Instead this should be a collegial management effort.”
The ISA-ANSI model goes beyond even Baudoin’s suggestion that IT needs to be part of an isolated discussion, arguing that the issues generated by adopting a cloud option need to be considered on an enterprise-wide system basis. The strategic model laid out in The Financial Management of Cyber Risk suggests a six-step process:
- Cross-departmental officers “own the problem”
- Appoint a cross-departmental cyber risk team
- Meet regularly
- Develop and maintain a cross-departmental cyber risk management plan
- Develop and adopt a total cyber risk budget
- Implement, analyze, test, and review feedback
Happily, there has been a substantial increase in the number of firms that are beginning to look at these issues following the enterprise-wide model. In 2008 a Carnegie Mellon study reported that only 17% of enterprises had a cross-organizational cyber risk team. However, when that same question was asked in 2010, the figure had jumped to 65%. And the 2011 Global Information Security Survey noted increases in the number of CFOs and COOs taking leadership roles in cyber security (up from 11% to 15%). However, even with these gains, about a third of studied enterprises lack a cross-organizational security team, and the vast majority of such teams are still not led by senior managers positioned to weigh financial impact and justify broader security investment. Only when we look at clouds from both sides – indeed all sides – will we see through clouds’ illusions and make decisions on an enterprise-wide risk management basis.