Is Cloud Security Training Critical?
In a recent survey 86% of the respondents
said that security concerns about protecting their organization’s data is the
leading factor in driving them to seek Cloud security training.
86% … Wow! That is an impressive percentage; clearly indicative of a vigorous and active concern for effective security in the Cloud.
Regrettably it is not that straightforward. The Symantec / Cloud Security Alliance survey (reported by Marcia Savage in her article “Cloud Security Training”) also discloses that only 48% of the respondents have or plan to attend Cloud security training. The size and shape of the anomaly continues … 58% of the people who replied say that their teams are ill-prepared to secure their data in a Public Cloud environment. In the article Marcia Savage says that the statistics “were a bit curious.”
A Symantec and the Ponemon Institute joint survey of IT professionals conducted in April 2010 evidenced that “Despite security concerns and the expected growth in Cloud Computing; only 27% of respondents said their organizations have procedures for approving Cloud applications that use sensitive or confidential information.” Clearly one consistent pattern is emerging … there is clear and present awareness of the severity of the issues. This unmistakably supports and takes the earlier Symantec / Cloud Security Alliance statistics far beyond “curious.” It is a severe issue; and an imperative every business will have to address and resolve in the immediate future … strong words; so why do I say “every business?” This is why …
- “Technology experts and stakeholders say they expect they will ‘live mostly in the cloud’ in 2020” (Pew Internet / Pew Research Center)
- “60% of CIOs view Cloud Computing as critical to their plans” (The Essential CIO Study: May 2011)
- “Organizations must embrace the cloud and treat it as something real. Soon 20% of businesses will no longer own IT assets” (The Gartner Group)
- “Cloud Computing will balloon up to $241 billion by 2020, up from just $40.7 billion in 2010” (The Forrester Organization)
- “The economic benefits of Cloud Computing make it an “irresistible force” that will become the default standard over the next 2 to 10 years (Brian Walker – Managing Partner KPMG)
- “By 2015, about 24% of all new business software purchases will be of service-enabled software with SaaS delivery being 13.1% of worldwide software spending” (The IDC Organization)
One of the stated objectives in my company’s Cloud Security Essentials training course is … Providing the essential knowledge for a secure transition to Cloud Computing thereby guaranteeing these three critical attributes of your data:
- Confidentiality – Only those people who are supposed to see the data can see it
- Integrity – Only authorized processes are allowed to modify data and only in very specific ways
- Availability – The data is accessible when needed
All of this is vividly captivating … what my friends in sales like to refer to as a “compelling event.” So why have only 48% of the respondents attended or plan to attend Cloud security training? Survival and success in today’s marketplace dictates that we cannot continue to provide and offer IT resources like we have for decades; so why the hesitation?
If these statistics (or worse!) are indicative of the situation in your company then you need to investigate the prevailing thinking, policies and practices. There is no way that a “C”-level executive can allow such a situation to prevail for much longer.
Possible problem scenario 1: You are not alone; this is fairly common.
The senior management, CIO, IT leaders and the other business leaders and stakeholders are behind the curve in the burgeoning growth of knowledge and awareness about how Cloud Computing will become the “irresistible force” and the “default standard” for business in the future. This is a really resounding reason to reset the training budget’s spending priorities. The “Human Capital is not just a number theory” seminar in Miami or the “Creating a blooming team karma” course on the big cruise ship may have to be sacrificed for the cause of business success … rather spend the money on Cloud business and security training.
Possible problem scenario 2: A problem we encounter routinely.
The CIO and his team have an all too natural and instinctive reluctance to upset the status quo. They have an excellent performance record which they stand on and quote often. These folk need to be made aware of a compelling event and a harsh bottom line. The business winners and survivors in the future will focus on operational efficiency more than their rivals. The burgeoning growth in spending on IT must be controlled; businesses must cut costs to survive today, but still invest for tomorrow. There must be an accord to invest in technologies that help the bottom line … like Cloud Computing. On consulting engagements and during our training courses we use this phrase often … “You will only arrive at Cloud Computing success when the business decisions drive the technology decisions!”
Possible problem scenario 3: We are beginning to see this one emerge more frequently.
It is the “We are using a Cloud Service Provider (CSP) and they will be responsible for security” response. This is totally flawed thinking. A recent Ponemon Institute survey reports that a “significant majority” of CSPs subscribe to the belief that it is their customer’s responsibility to secure the Cloud, not theirs! Again, vividly and clearly, the training budget needs to be applied to courses on effectively selecting and negotiating with a CSP … and yes; security training! I quote Andrew Schrader of the firm AppRiver; “When it comes to security the buck stops with you!”
Do you want to grow your business!? Then rapidly ensure that you and your organization learn where and how Cloud Computing can help and understand the risks and benefits of the Cloud. Research and then put a plan and schedule in place to find and timeously provide you and everyone in your organization with the Cloud business and security training they need. Exclude no one, from “C”-level executives and other decision-makers to the IT professionals who will influence, execute and secure the Cloud’s deployment; ultimately leveraging its significant benefits to your business.
An additional resource
A White Paper I wrote in February 2011 … “Selecting the Right Training for Business Success in the Cloud” will provide you more practical steps and information on how to select the most time, cost and learning effective training for your organization.
Please use this link Training White papers / or paste this link into your browser: http://www.purposefulclouds.com/home/Cloud-Resources/white-papers#Training
I then asked a follow-up question, “Would you pay to participate in a training course in which a significant measure of the content was a direct sales pitch for a specific product or service?” The responses were the same … “No!”
Let us move from realm of the generic and make the question business related. “Would you pay a salesperson to sell you their company’s product or service?” Again, I was on the receiving end of a reverberating chorus of “No!”
In today’s uncompromising economic times no one should argue against the belief that their organization’s training budget must be spent wisely and effectively. So why would you pay for a training course that limits itself to delivering knowledge on only one potential solution, approach or product to solve your business issue?
Let me enrich and further illustrate the point I am trying to make with a graphic example.
When the topic of Cloud Computing was raised at HayBeeSea Corporation’s 10:00AM Strategy Team meeting, the committee’s chairperson, John Forthright declared, “Before we start; all the decision-makers will need all the facts right up-front. We must have all the latest decision criteria and collective wisdoms available. Only then can we make informed and effective plans for a possible transition to Cloud Computing as a tool for reducing cost, and gaining the agility we so desperately need to grow the business.”
One of the attendees said that he had read a quote that stated quite emphatically, “We will only arrive at Cloud Computing success when the business decisions drive the technology decisions!” There were nods of consensus for all in the room.
Another attendee said that he knew someone at a Cloud Service Provider or CSP that offered courses on how to get started on a Cloud Computing journey. There was an instantaneous buzz around the table, and someone boldly exclaimed, “George, get your buddy on the phone today and set up a course for us!”
The customarily quiet woman who represented the CFO’s team suddenly sat upright in her chair and interjected, “A few moments ago Mr. Forthright said that we need all the latest decision criteria and collective wisdoms available. Only then, he said, can we make informed and effective plans. How do we know that is what we will get from one CSP? Can we guarantee that the course will not be a thinly disguised masquerade or infomercial for their proprietary solution? Our initial training course needs to be from someone who is ‘business-Swiss’ … another way of saying vendor neutral.”
John Forthright applauded softly and then wrote the following on the whiteboard:
- Need to understanding of all the critical business criteria and components that encompass the effective choice of a CSP
- Must have systematic guidance to an all-encompassing and logically sequenced process that will greatly improve the outcome of our Strategy Team’s CSP selection to the benefit of company
- This will undisputedly be one of the single most important business decisions we will need to make … and get right!
Let us examine the implication and consequence of the last bullet more closely. In this example where the ultimate goal is a business-effective Cloud Computing transition. I echo the words of my friend and colleague, Walt Lapinsky … “The Cloud is not a product. The Cloud is a technology. The Cloud is not simple”
In a research paper published in December 2010 Magic Quadrant for Cloud Infrastructure as a Service (IaaS) and Web Hosting the Gartner organization warned everyone to be deliberate and systematic in creating the list of potential vendors for their Cloud Computing strategy and business needs; as the services they offered “are all unique and evolving rapidly, and vendors must be chosen with care.” Yes! Every CSP will offer a different set or “smorgasbord” of services. Get the wrong set and your business can lose traction in the marketplace or even fail. The greater the knowledge base and decision matrix the better the odds of making “one of the single most important business decisions we will need to make … and get right!” This is why “business-Swiss” or vendor-neutral training is the logical start point.
Was George’s suggestion in the meeting out of line? No, it was just out of sequence. Prudent use of the training budget to get “guidance to an all-encompassing and logically sequenced selection process” and “critical business criteria” will help the Strategy Team make the right business decisions. The CSP’s solution specific training will be invaluable once the team is certain that they have made the right choice.