Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Let go, let Cloud.

Pretty soon the New School Guys are going to say everything I wanted to say, only better, and I can hang up my cleats and get out of the game.

Alex Hutton, who appears to be catching up to David Mortman in the number of blogs he appears on, had this post over at the Verizon blog on clouds and the evolving role of the CISO.  The magic phrase is this:

[T]he Cloud transition is about how to gracefully lose control over computing assets.



Ten years ago, IT outsourcing meant that you hired the bodies from somebody else, but they still did what you wanted them to do.  Someone else paid them and managed their benefits, and if they had a management structure, it was embedded within yours.  That didn’t achieve economies of scale as much as everyone hoped, so these days, instead of buying (or renting) the bodies, you’re buying the service—which means they get to do it THEIR way, presumably to save money.  Hence, the hounds^H^H^H^H^H^HCloud.

It should be intuitively obvious, but everyone keeps hitting their faces against the same lamppost over and over again:  “economies of scale” means “cookie-cutter.”  It means one size fits all, and you’re stuck with the resultant blisters or chopped-off toes to make your organization fit within the shoe.  In theory, everyone is in favor of standards, but there are an incredible number of different ways even to implement the same standard, much less choose among several standards to implement.  IT is not “cookie-cutter” by any stretch of the imagination, even at the lower ISO layers.

So with the “cloud,” you’re expected to buy someone else’s implementation of infrastructure/platform/software/whatever, and you’re not SUPPOSED to change it.  If you’re not supposed to change it, why would you need to know exactly how it’s being done?  This is the conundrum for today’s CISO.

As Alex says, you start giving up visibility, which means you need to trust that cloud provider.  Not only do we lose the important data necessary to form risk decisions, but we also lose the ability to implement and respond to risk.  Take a very small example:  say that you have an uptime SLA with your provider that says that if something is down, they have to have it back up and running within four hours.  Sounds good in the contract, but in the actual execution, this means that if your server is shooting out warning errors, you would probably start making plans to replace the failing hardware (or whatever it is) proactively.  Economy-of-scale providers don’t do proactive; it’s not economical.  So THEIR operational rule will be, “We’ll replace it when it fails, and not before.”  And you will spend a lot of time watching tickets go by that state as the resolution, “We rebooted it and the errors went away.”  A slowdown in performance is not the same as an outright failure, so you will have no recourse but to sit and watch your business limp along.  (I’m actually surprised that we don’t see more arson in hosted data centers, where someone in desperation sets fire to a server to get it to FAIL ALREADY.)

So there are two main areas of expanded risk that need to be calculated:  our knowledge into the state of the system, and our ability to control the controls.  I’m only a FAIR padawan, so I haven’t been inducted into the mysteries of calculating this far down, but I’ll bet someone around here can shed light on it.

As we get dragged kicking and screaming by our business areas into the Cloud, it will be very interesting to see whether the CISO’s accountability is correspondingly reduced, and whether more real liability is transferred to the cloud provider.  I’m not talking performance penalties here;  I’m talking REAL liability, in which the provider shoulders the total loss incurred by an incident on their watch.  When are we going to start seeing cloud providers sued by their customers?

I’m getting the popcorn and the lawn chair ready.

Posted by shrdlu on Thursday, May 07, 2009
(5) Comments

Comments

dunsany United States on 05/07  at  12:56 PM:

Like I was tweeting before, I recently engaged in discussions with a cloud vendor.  We chose very carefully since we have strict security requirements - our bread and butter is financial PII.  That immediately narrowed down the list of which cloud we could talk to.  All of them tossed up their fancy certifications - SAS-70, PCI, ISO, Webtrust, even a few certs I’d never even heard of. Comments like “We’re secure and we can prove it.” Lots of interaction with their tech team who talked a real good game about all the cool things they do.  Even I was impressed and felt some warm fuzzies of assurance.

Then ever so nicely, we asked how much liability they’d assume if their actions caused a breach of our data.  Basically we know we’d get our pants sued off by our Very Large Banking Customers, so we needed to put some skin in the game for the cloud vendor.  Should be a no-brainer if half those security certs mean anything.

At that point they shut up and ran away.

LonerVamp United States on 05/07  at  09:22 PM:

I agree with a road you sort of headed down. I don’t like all this marketing crap about the magical cloud (my phone provider is in the cloud because I beam my cell signals to OUTER SPACE!), but I do agree that it will take hold over time. If nothing else, I think we’ll see IT get really sick and overburdened with the cost of all the damn homegrown apps we all have churning away and keeping the business kicking and getting older and not maintained. It will actually make sense to use cookie-cutter tools as businesses realize they’re just not adding the IT piece to their competitive advantage list any faster than anyone else in their market.

Of course, not only does this mean IT needs to let go, but business as a whole needs to let go as their power to customize stuff dramatically drops.

It’s a silly dance between what business thinks it needs and what IT can deliver efficiently. It works great when a product plugs into a need! It’s just fast food mediocre if it’s not adding anything new or the business has to adjust to use it properly.

Certainly, over time we’ll go to the cloud, get our cookie-cutter apps for about 5-10 years, then start getting fancy ideas that we can pull some of this back in-house again and customize it how it will really maximize our business, and enter the centralized/decentralized cycle all over again…


Side note: Business in general sucks ass with security. I don’t care what audits say, I think extremely few businesses are honestly doing things well (and being honest about it!). Cloud providers are still businesses. I’ll say again, business in general sucks ass with security. Hopefully at least cloud providers have less on their plates such that they can devote proper resources to it.

Etherealmind Great Britain (UK) on 05/08  at  04:46 AM:

You sound like such an optimist in this post.

Liability, as if any computer company has ever heard of that.

LonerVamp United States on 05/08  at  10:37 AM:

Oh, and I will add that I expect “cloud providers” themselves to make this market ugly, like a choppy storm rolling in with 30 boats still trying to fish.

Some will die, others will move to something else, others will be bought and consolidated. And where will that leave those people depending on the solutions and APIs? Screwed.

At best, I think we will see a couple niche providers but otherwise 2-3 dominant fish, kinda like Microsoft, Apple, *nix, in computers. The world can’t otherwise handle tons of cloud providers. (Depending on your definition of cloud).

Jack Sweden on 05/08  at  02:28 PM:

What I believe has been missing in our industry (okay, one of the many things) is an effective way of measuring an organization’s ABILITY TO MANAGE RISK.  Like so much of how we’ve approached our problems, to-date we simply break out a checklist (pick your standard) and start evaluating whether the subject org has certain policies defined and communicated, whether their security org is engaged in the technology lifecycle process, whether and how often they test/review their security practices, etc., and whether they’ve undergone someone else’s similar checklist approach to looking at the same stuff.  But that’s like picking a doctor by looking to see if they finished medical school (and asking for evidence that other people also have looked at their diploma).  Unfortunately, a diploma (or security certification) doesn’t tell us a thing about their judgment and their actual effectiveness over time.

Yes, it’s reasonable to assume that an organization that has “adopted” an ISO (or other relatively well-considered) standard is somewhat less likely to make as many mistakes as those that haven’t, but if I’m to entrust someone else with stuff that ultimately I’m still responsible for, I want to be able to measure their risk management capability in a meaningful way.  In fact, I’m perhaps more interested in understanding their risk management capability than their current risk, because risk management is a leading indicator of what their future risk exposure (and mine if I engage them) is likely to be. 

So, how do you measure an organization’s risk management capability?  Well, I’m not going to open the kimono all the way, but a great place to start is by measuring their current risk.  Huh?  Yeah, I know, I said above that I was more interested in understanding what their risk management capability is than their current risk, but if you think about it, their current risk is a lagging indicator of their previous ability to manage risk.  In other words, the decisions they made in the past, and their ability to execute against those decisions led them to where they are today from a risk perspective. 

So, bottom line—when I’m in the position of having to trust another organization with my valuables, I’m going to be looking hard at risk information.  More importantly, I’m going to be interpreting it through the lens of how it portrays their ability to manage risk.

Cheers,
Jack
