How to close the gap between plans and protection − and build a secure future in the cloud

Urs Küderli, Partner and Leader Cybersecurity and Privacy, PwC Switzerland, 09 Nov 2020

PwC’s Digital Trust Insights 2021 survey reveals contradictions that Swiss companies will have to resolve to make their ambitious cloud plans a reality. While they’re keen to shift more and more of their business and security arrangements to the cloud, they also need to approach new challenges, and may not yet be investing enough in the people, skills and technology necessary to counter these threats. What can organisations do to close these gaps and consume services securely from the cloud in the future?

Companies in Switzerland predict a digital future: a full 50% of the Swiss respondents to PwC’s Digital Trust Insights 2021 survey see accelerated digitalisation as the most likely impact of the Covid-19 experience in their industry. That’s a significantly higher percentage than in the global (40%) and Western Europe (37%) samples. This digital change can also be linked to the recent availability of the latest datacentres from the main hyperscalers such as Microsoft, AWS and Google. For many organisations, digital acceleration involves rapidly moving operations and security to the cloud, abandoning static, inherently insecure legacy systems in favour of more dynamic, nimble integrated cloud or network systems that are secure by design. These legacy systems are insecure because they are reaching the end of their life cycles. 

Q - Which of the following changes are most likely to be impacts of the COVID-19 experience in your industry?

Danger lurking in the cloud

So far, so good. The problem is, the survey also indicates that companies see some of the most likely cyber-threats, and those with the biggest potential impacts, in the cloud. Of those surveyed in Switzerland, 63% believe a cyber-attack on cloud services in the next 12 months is very likely or somewhat likely (versus only 58% and 54% in the global and Western European samples respectively). Even more strikingly, 75% of Swiss respondents believe such an event will have a significantly negative or negative impact on their organisation (versus 61% and 59% respectively in the global and Western European samples).  

Q - In your view, what is: (a) the likelihood of these events occurring in your industry in the next 12 months, and (b) the extent of impact, if it were to happen, on your organisation?

But investment in protection lags

What’s most concerning are the survey findings on the proportion of Swiss companies that have invested or are planning to invest in improving the way they manage cybersecurity risks. Organisations in this country consistently lag behind the global and Western European samples in terms of already having implemented measures in a whole range of cybersecurity-critical areas such as skillsets, collaboration, quantifying cyber risks, advanced tech, reporting, real-time processes and reducing the costs of cyber operations. In some of these categories, more than 10% of Swiss companies even say they’re not planning to invest in improving the management of cyber risks in the next two years. The survey paints a similar picture of Swiss organisations’ adoption of new cybersecurity approaches and thinking, and of their plans to increase their cyber budget in 2021: again, the statistics suggest that Switzerland is lagging behind other parts of the world.

Why the gap?

Does this mean that the cyberspace over Switzerland is inherently more secure than elsewhere or that Swiss companies already have a higher maturity? Hardly: in a globalised world nobody is naïve enough to believe that some countries are less vulnerable than others. Could the figures mean that Swiss companies are basically more reckless and don’t feel the need to step up their protection? Again, unlikely: Switzerland is famous for high levels of insurance in just about every area of life. The discrepancy between ambitious plans, awareness of threats and actual investment in protective measures may simply indicate a lack of understanding of what’s at stake and what modern cybersecurity actually involves.

What needs to be done?

The good news is that cybersecurity vendors are getting more and more mature, and consuming cybersecurity capabilities from the cloud is becoming easier. The caveat here is that it’s not just a matter of buying and installing preventive technology (although this still plays a role). Business leaders may be failing to understand that modern cybersecurity has to be a fully integrated part of the business. With rapid digitalisation across the board, a business-driven cyber-strategy is the single most important step.

This approach places demands on everyone concerned. Boards and CEOs need to take the lead and make chief information officers and their teams a key component of business strategy and value creation. CISOs have to be up to speed in terms of their own skills and understanding, and they have to recruit people with not just the right digital technology know-how, but also business acumen and the soft skills to interact with people throughout the organisation. This might not be as easy as it sounds: while cloud solutions architects are among the most sought-after cyber experts, research suggests that cloud security is among the skills that are in the shortest supply. This is also something which we are seeing in a number of Swiss engagements and projects. 

Last but not least, cloud security depends on the data types stored and processed in the cloud and on a realistic threat assessment to identify risks and apply the appropriate protection measures. In the cloud as elsewhere, protection measures alone are not sufficient. Monitoring for early detection and the capability to respond and remediate effectively are essential. The Zero Trust Architecture approach is a good starting point.

To summarise: make cloud security part of your overall business strategy

Shifting both operations and security to the cloud is an attractive and imminent option for most companies. However, it’s also the source of some of the greater cyber-threats. To build a safe future in the cloud, many organisations in Switzerland will have to think seriously about investing intelligently in effective cybersecurity integrating technology and people with the right skills and business understanding. Luckily the technology is maturing, simplifying cybersecurity’s work and integrating it with the business as a whole. Digital solutions are adding layers of protection, and continuous monitoring systems are required for a simpler, more integrated approach to security.  
