When it comes to cloud security and compliance, we keep seeing how everyone in a company wants the same thing, but they struggle to achieve it. Why? Because they don’t speak each other’s languages. The technicians focus on the ins and outs of cloud orchestration and architecture. The auditors fixate on best-practice control frameworks and the letter of the law. The salespeople keep tracking bottom lines and ensuring the contracts will reflect the responsibilities. Well-meaning though they are, departments rarely put their heads together and, if they do, they don’t understand each other. Unknowingly, many companies bring the chaos from non-communication or downright miscommunication upon themselves.
The cacophony grows louder as companies invite in third parties to advise them without realizing that they too have differing languages. On top of this there is the complication of the cloud, which is off-premise and thus excludes the possibility of physical security while demanding new technology and a different way of communicating with the provider. And last but not least, there’s the pressure of expanding legislation and regulations – the General Data Protection Regulation (GDPR) and the Schrems II judgment on data transfer, to name just a couple. This can lead to insecurity, non-compliance, and therefore lost time, money, and reputation.
So how can a company seeking security and compliance in the cloud break these language barriers? One sure way is to find an experienced IT partner who understands and can speak the discourses of tech, business, compliance, and regulation.
Getting the whole system in the room
Many companies still work within a hierarchical organization or at least aren’t yet as horizontal as they hope to be. An old-fashioned work culture like this makes it hard for a company’s various experts and departments to know what the other is up to and really grasp that. Seeing things myopically or staying siloed in their solution-seeking, people can’t see the forest for the trees – or for that matter, the sky for the clouds.
That said, companies can’t be blamed entirely because supervisory bodies actually discourage whole-system-in-the-room collaboration by strictly separating business from risk management and internal audit. When an IT partner is at ease communicating in the languages of all these three lines, it can essentially read everyone’s minds and anticipate solutions to satisfy each. Then all the experts can come together for systematic thinking and seamless working. Schuberg Philis insists on having the whole system in the room because it means the company’s cloud operations will take flight even if, on the ground, its organization is still strolling.
Really reading third-party statements
Nowadays, since cloud providers can’t just fling open doors for visitors to inspect their datacenters, companies must rely on third-party statements. But to get the most out of them, companies should do more than reactively read the statements. Proactively, they should ask questions to ensure the statement’s scope is sufficient and the proper controls are included as well as to determine if the controls are evolving over the years based on new insights and customer needs.
Schuberg Philis may historically be known for its mission-critical infrastructure, but security and compliance have always been part and parcel of every single solution. For example, a deep dive into a company’s encryption technology or how its sub-outsourcing works in real life might be the best way to uncover how to meet requirements from regulators or auditors. This is hard to do without an IT partner that is not only used to working hands-on with technology, but also reading the fine print and, put simply, challenging authorities.
Navigating heavily regulated markets
For financial institutions, regulations seem to increase by the day. Last year alone, the extended European Banking (EBA) Authority Guidelines on outsourcing guidelines mushroomed from 29 to 119 articles. Moreover, relying on a third-party statement is simply not enough anymore to execute financial institutions’ oversight. This type of company needs to watch for changes in laws and applications like a hawk, immediately translating them into its own context and staying up to date.
Although banks were not among the first movers to the cloud, they were among Schuberg Philis’ first customers. That means some of our relationships in this industry are over 15 years old, so we are highly experienced in regulated markets and have been a steady partner to banks through the ever-changing tech world. One reason we could tap into this specialized industry early on is because of our own company’s habit of hiring people who thrive at solving complexity in contexts where having the wrong or too late of a solution has heavy impacts, socially and financially. An IT partner that has long worked in heavily regulated markets has experience in navigating the industry’s changing seas and can chart a company through any choppy waters.
Real-time auditing
When Schuberg Philis developed its own public cloud landing zone with 60 key best-practice controls built in, a main priority was enabling auditing in real time. This is critical because any delay in response can lead to security issues and findings in audits, which can lead to excessive costs and/or losses. In a hypothetical scenario, if a customer’s AWS region in Dublin suddenly switched to Frankfurt, this might not be a big deal for a bank in Amsterdam. However, if the switch were to Seattle, it would be. Every second of the bank’s ignorance about the move outside the EU would drive up its risks. Another example is the real-time alerting on identifying unencrypted storage buckets. In issuing such real-time alerts, our landing zone facilities our customers in getting issues solved instantly or prevents them from even occurring.
Relatedly, our landing zone also serves as a financial control measure by categorizing workloads in distinct accounts and labeling all resources. Having an IT partner that is so well-versed in cloud platforms therefore doesn’t just get a company in the cloud, but also boosts its financial health through cost management.
Adding value to business
Companies do best when an IT partner also understands their business objectives. This means knowing their day-to-day processes and, as a result, the form and function of the technology needed to add value to the overall operation. As a case in point, our colleagues who work with transport and logistics companies were given on-site training in logistics methods to learn how these physical movements and complex supply chains run. That level of concrete knowledge enables us to bring concrete improvements to steps in our customers’ processes through smart use of technology in their supply chains, such as IoT and data modeling.
In fact, we’ve enjoyed such close work with our various customers about their various types of business that several large cloud vendors are now starting to pitch Schuberg Philis to their own clients. These vendors also see the value in an IT partner who is not just fluent in tech, but also business, compliance, and regulation. No doubt we welcome these referrals. Each provides an opportunity to help companies achieve and maintain security and compliance soundly, quickly, automatedly, and profitably. Each provides an opportunity to break down the language barriers, if not stop them from going up in the first place.
Interested in partnering with us? Get in touch.