Expedited Digital Transformation Amidst COVID-19 Requires Companies to Manage Cloud Security Risks

Keeping up with regulatory IT compliance and managing cyber risks are challenges when migrating workloads to the cloud.


The COVID-19 pandemic brought undeniable disruptions for organizations across the globe. For many, digital transformation initiatives were expedited in a short time. According to a recent Gartner survey, 74% of organizations expect to permanently shift to more remote work post-COVID-19. Additionally, 40% of all enterprise workloads will be deployed in cloud infrastructure and platform services. The move to the cloud is a necessary part of digital transformation, allowing organizations to serve customers better and faster and to bring new products and services to market more readily and more frequently.

Business leaders realize the value of moving to the cloud, especially in light of the global pandemic. Nonetheless, a significant risk that cannot be ignored lies in cybersecurity. When migrating workloads to the cloud, keeping up with regulatory IT compliance and managing cyber risks are challenges, especially with the lack of measurement, visibility, and real-time accuracy provided by existing services.

Organizations Struggle to Manage Risk and Compliance Across Cloud Environments

Cloud providers often leverage externally facing compliance teams and consulting organizations to help with risk and compliance for their cloud instances. Some have even built tools that customers can use to implement fundamental risk and compliance management in-house. Still, monitoring and meeting security, privacy, and compliance controls that span people, processes, and technology for cloud environments is complicated, especially when aiming to manage that posture in the enterprise’s broader context. This problem leads to systemic issues, with lack of measurement, visibility, and accuracy being three of the most common. The majority of assessments remain point-in-time and qualitative. The point solutions that currently support most cloud instances don’t elevate cloud environments’ posture to that of the enterprise risk posture.

IT security standards are filled with requirements that were created before the cloud became a commodity. For example, in the energy sector, cloud security is rarely taken into account because regulators and industry leaders couldn’t fathom cloud platforms being as pervasive as they have become. After all, on-premise was standard to the industry. On-premise installations are still a mainstay in energy, power, and utilities. For those who have become more comfortable with cloud migration processes, there is a clear and pressing need to leverage their human capital, processes, and technologies to implement robust risk management practices.

Beyond regulatory compliance lags, many distributed organizations opt to have multiple cloud providers in place, requiring a multi-cloud approach to compliance requirements and risk assessment. As more organizations consider cloud migration risks and begin their cloud migration strategies, some innovations address risk management and compliance in the cloud, but not many. Measuring, managing, and reporting on compliance frameworks, making the shared responsibility model actionable, and getting a view into risk are all serious challenges. Cloud providers will continue to mature and bring new innovations to their services, but there hasn’t been a lot of anticipatory work done in this area to date. The focus has largely been on creating solutions in response. In heavily regulated countries, the challenges only become greater.

Leverage AI Automation to Get Measurement, Visibility, and Accuracy for Compliance and Risk Management Across Cloud Environments and Beyond

There is a shift occurring in cyber and IT risk management. For years, data has been aggregated manually and analyses performed on out-of-date information – think about it, an assessment is void the moment it is complete, especially in digitized organizations. This shift calls for the dramatic disruption of legacy IT GRC and demands a re-evaluation of how we manage compliance and risk in this digital age. With the increasing availability of automation, the five functions of the NIST Cybersecurity Framework – Identify, Protect, Detect, Respond, and Recover – are becoming more continuous and shifting into real-time management, from assessment to reporting and more. Leveraging this technology in the cloud is no exception. Still, those who look to reinvent their approach must look for solutions beyond the siloed capabilities of cloud security posture management solutions and similar markets.

Ultimately, the real test of this next-generation approach comes when organizations can roll all of this data up to risk. With risk metrics supported by drill-downs, trend reports, and risk profiles, executives can get the visibility they need into their posture with the most up-to-date data, informing their crucial business decisions. Organizations will finally get visibility into cloud posture in the greater context of their enterprise posture, increasing cyber maturity in any cloud-based organization.


Padraic O’Reilly is Chief Product Officer and Co-Founder at CyberSaint, where he leads product innovation and development. His experience as a Harvard-trained economist and IT risk and compliance consultant, and his rapid exposure to cybersecurity, led him to seek out CISOs, CIOs, and Boards of Directors at global organizations to pursue the answer to the question – how can cyber be managed, measured, and understood like any other business function? Padraic’s current activity spans working directly with organizations from public agencies to private companies across the globe to understand how to measure cyber risk, especially amidst the global pandemic, which is fueling massive digital transformation projects around the world. Padraic was a key member of the group providing feedback on the NIST Cybersecurity Framework during its development, and is an expert in regulatory standards both in security and privacy, including the NIST Risk Management and NIST Privacy Frameworks. An expert in Artificial Intelligence (AI) and economic modeling, Padraic works with members of the Global 500 to research and deploy risk quantification, risk intelligence gathering, and risk reporting and communication strategies. Padraic also holds a patent entitled “System And Method for Monitoring And Grading A Cybersecurity Framework”, which has inspired much of his work on cohesive IT and cyber risk management approaches.