Dive Brief:

• Cloud-related threats are the top cyber concern for organizations that have adopted the technology, according to a PwC report published Tuesday. The accounting and consulting firm surveyed 3,876 senior business and technology executives.
• Security concerns intensify for organizations with multiple clouds or hybrid infrastructures, the report found. More than half of respondents in this category cited cloud as their most pressing cyber concern and more than one-third said their organization prioritized cloud for security investments over the next year.
• Despite the focus on cloud security, nearly every organization had risk management lapses. Nearly one-third of respondents had yet to address disaster recovery and backup with their cloud service provider and more than 2 in 5 pointed to in-house cloud skills gaps as a lingering risk factor.

Dive Insight:

Migration to public cloud offers the promise of enhanced security, as workloads shift from legacy systems to modernized infrastructures where risk is shared.

But cloud security isn’t automatic. A robust defense requires a level of planning and coordination that may be overlooked in the rush to adopt the technology, especially as ecosystems grow beyond the reach of IT.

“Overall, cloud is more secure, if done right,” said Matt Gorham, Cyber & Privacy Innovation Institute leader at PwC. “But then you need to parse out securing the cloud versus securing your instance in the cloud, which are two separate things.”

Cultivating the in-house knowledge, tools and governance needed to manage cloud deployments requires investments of time and resources many enterprises have yet to allocate. Large companies, where the stakes of a breach are highest, tend to perform better in these areas, Gorham said.

“The top performers are likely to be more optimized and simplified in their tooling and approach to security,” said Gorham.

Instead of deploying multiple best-in-class security solutions, enterprises are better off settling on one integrated system that can be more easily mastered, according to Gorham. 

“Having a simple environment allows you to invest in other things,” he said. “It gives you a better view of what’s going on in your system and allows you to prosecute alerts in ways that aren’t always clear when you have a collection of various tools.”

Streamlining has already begun. While 15% of respondents indicated no current plans to simplify cyber operations, 44% said their organization already uses an integrated toolkit and another 39% are moving in that direction in the next two years.

Less mature organizations are also less likely to use off-the-shelf security features available from their cloud provider, Gorham said, or to have a tech leader with C-suite clout.

“If you’re a CISO or CIO and you’re reporting up high, and you’re having frequent interactions with the board, there’s going to be a much greater focus on cyber risk,” Gorham said.