As a CIO in a large, publicly owned financial services company I held the responsibility of keeping our client's (and our organization’s) data safe and secure. As the economics of cloud services became compelling the largest hurdle to adoption was "potential security risks", by a large measure.
Let me explain what I mean by "potential security risks". Recently Ben Fried, Google's CIO, made a remark about Dropbox:
“The important thing to understand about Dropbox,” Fried said, “is that when your users use it in a corporate context, your corporate data is being held in someone else’s data center.”
It's a problem just because your data is in someone else's data center? That doesn't sound good for Google's business model. Fried and Google now say that he misspoke. Fried says he meant that the real concern about Dropbox is more around security:
“Any third-party cloud providers that our employees use must pass our thorough security review and agree under contract to maintain certain security levels,”
Reading Between the Lines
The second statement is the "politically correct" one. However, the first statement is much closer to the truth in many organizations. What Fried was saying is that Google doesn't trust Dropbox as much as they trust themselves. Most organizations share this same intrinsic bias.
The reality is that security standards are slightly fuzzy. Internal IT organizations potentially see third party services (or "the cloud") as a threat to their livelihood so they highlight possible security risks of external providers while sweeping their own under the rug. Internal auditors, compliance staff, and risk staff like to look at things, interview people and document stuff. When a service is external they feel a bit left out. As a result many companies have higher standards for third parties than what they hold themselves accountable.
Clearly both Google and Dropbox are businesses that depend on trust. Consumers and businesses are willing to use, and pay for, IT services from these organizations as long as their information is protected and secure. Without this level of trust neither business would be viable (although one could argue that Google could still rely on it's advertising business).
Trust is also a key ingredient in making a financial services business viable. Why would I ever buy insurance, banking services or invest my savings via a company that I didn't trust? When the financial markets were impacted by the sub-prime debt crisis in 2008 the public view of financial services took a nosedive. Companies that were created to help you buy a home, save for college, your retirement, or protect you from loss were suddenly the bad guys. The result was Occupy Wall Street.
It became clear that to succeed in the future the financial services industry would need to rebuild it's image. Companies would need to zealously rebuild their brands as "trusted advisors". From an IT standpoint it is crystal clear that client and corporate data must be guarded and protected to prevent any loss as well as minimize the potential for damage to an organization's reputation. Additionally it is clear that movements like Occupy Wall Street and Wikileaks were targeting large financial services companies.
The response to this need for trustworthy computing by many companies runs along the same view expressed by Google's Ben Fried, namely we can't have our data "out there" in someone else's datacenter, under someone else's control because it's too risky.
There are some legitimate reasons for this view:
- Concerns regarding legal discovery
- Concerns regarding the ability to respond to regulators
- Lack of clarity from the regulators
- Lack of clarity regarding liability for lost of stolen data (or no liability!)
However at the end of the day these are issues that can be addressed if we really want to capture the economic benefits.
Capturing the Benefits - The Contrarian View
This is where it gets interesting. I have made the argument that I think using tools like Google Drive or Dropbox responsibly is actually likely to be more secure than managing our data ourselves.
- Data security and trust are at the heart of the business for companies like Google and Dropbox - therefore it is funded properly.
- More transparency. Many, many businesses are looking for holes or reasons not to use the service - in order to overcome this resistance the data security has to be really good, and well documented, and well audited.
- It is tested daily by thousands of hackers.
- It is "usable" security - meaning it is baked into the usability of the products rather than "bolted on" corporate IT security. This is important because users won't actively try to circumvent it. In the corporate world if you put too many restrictions in place people start emailing documents to their Gmail account so they can work on them at home. Not good.
- Your reputational risk is lower. I will explain further below.
No amount of security in the real world is perfect. Therefore Dropbox, Google and your organization will get hacked. It's inevitable, and no matter where your data resides you will need to tell your clients and/or your employees if any personally identifying information was potentially accessed. You may also need to notify your regulators and others - so no real difference here.
But what will the headlines say? "Dropbox Security Breach" or "
Your Company Here Security Breach"? I'd rather not see the headline with my company's name.
I believe the public is more understanding because they use these services too. If you had corporate data at Dropbox or Google and they were breached and you had to send notification to your clients you could explain that while you did your due diligence a security breach still occurred at one of your service providers. Further, you will scrutinize their response and switch providers and/or bring the data back internally if necessary.
I would also argue the economics of scale-based cloud services are even more compelling than people realize for large companies:
- Less internal IT cost (the most obvious savings)
- Less IT oversight cost (internal audit, risk, compliance, external audit, etc.) These are significant costs in large, regulated organizations.
- Less "prevention" cost - i.e. tools to prevent installation of Dropbox, audit or removal of the software, etc.
- Higher productivity and a better overall user experience with leads to less user training and higher adoption. Imagine a user with an iPad grabbing a document for a meeting from Dropbox or Google drive vs. an internally cooked up solution that requires a VPN connection, less polished software, etc.
So it's even less expensive than you think and potentially even more secure. Therefore I am in strong agreement with Ben Fried's second, clarified statement.