A cyber-attack? No, the cloud is down.

Putting the cloud on the corporate risk map

Dominik Straub

Manager Technology & Data, PwC Switzerland

We interviewed decision-makers at three large corporations in Switzerland to find out where they stand in terms of understanding the risks of operating in the cloud – and whether they have a contingency plan if things do go wrong. We came up with some interesting findings.

Processing mails. Entering orders. Holding virtual meetings. It was a normal working day until suddenly nothing was working anymore! A cyber-attack? No, the cloud is down! How can something like this happen? Do we have a contingency plan? Were we aware of this risk?

Situations like this raise countless questions. What are the interdependencies and how do you position yourself as an organisation to recognise and address them holistically? Why is it suddenly so important to deal with risks in connection with the cloud?

For the simple reason that a holistic view of risk is part and parcel of the journey to the cloud. According to Gartner, 75% of companies are currently taking a cloud-first approach. The resulting hybrid use of cloud services and legacy systems leads to more complexity. Business-critical processes that are still delivered on-premises to a large extent are increasingly shifting to the cloud, also through the use of more and more powerful SaaS offerings.

The good news is that all the companies surveyed gave the hyperscalers they used very good overall marks for basic security and the service offered. In contrast to the past, data security is apparently no longer a knockout criterion for not going to the cloud. There’s a broad consensus that anyone who wants to benefit from future developments must go to the cloud. While we fundamentally agree with this, we also believe that hyperscalers are an increasing target for cyber-attacks. Although hyperscalers are making huge investments in basic security and actively defending against attacks, each hyperscaler’s cloud set-up is individual, which means that specific hyperscaler knowledge is needed to properly secure cloud estates. All the companies surveyed admitted to having catching up to do in this respect.

Here companies’ priorities differ because legal and regulatory requirements can vary from industry to industry. A big concern for our interviewees is the storage of personal data, which in the past was a huge hurdle because hyperscalers didn’t have dedicated data centres in Switzerland that would have allowed companies to store this type of sensitive data within Swiss borders. In the meantime, all hyperscalers have reacted to this need and built huge data centres in Switzerland. The interviewees currently see more of a risk in special compliance requirements such as GxP which require customised solutions that have to be coordinated and implemented individually with each hyperscaler.

The fact that data inflow to the hyperscaler is cheaper than data outflow favours the risk of vendor lock-in, which is a concern for those interviewed at both the operational and steering level.

They also point out, however, that there is a precedent for this situation: this type of dependency already existed in the past, for example, in the choice of the mainframe computer in the server room, the operating system, or in outsourcing to third parties. Various approaches are being taken to counteract this risk, including using several hyperscalers (multi-cloud) and containerising. In extreme cases, with enough time and resources, a complete switch to another hyperscaler is possible. 

Availability is also a known risk because this already played a role in the past (and still does) with in-house IT.

It’s not only about the data (e.g. backups) but also the services (redundancy). From PwC’s point of view, special attention should be paid to creating fail-over scenarios for the core processes. In this context, the interviewees are also concerned about the current geopolitical situation. The restrictions limit the choice of possible providers and favour the formation of an oligopoly. The question of which way to turn has to be clarified individually.

Another risk factor is the cost, because the change to the cloud does not per se lead to lower prices. 

For example, with a lift & shift it might end up costing a company the same or even more. Our interviewees also mention the additional costs that arise in connection with a multi-cloud approach given that not everything comes from a single source and duplications are possible. Companies accept these additional costs because a multi-cloud approach minimises the vendor lock-in effect.

The lack of skilled workers was also mentioned across the board. Finding the right skills for an internal team is a major challenge. 

Architects are particularly sought after, ideally with an understanding of legacy systems and the cloud. Knowledge in the application environment is also very much in demand. There is less demand for infrastructure knowledge, as the infrastructure services can be obtained from the hyperscalers. As SaaS solutions are increasingly adopted, companies are inevitably going to be reducing their internal IT capabilities. From our point of view, however, it’s important not to create a “shadow IT” function and to make sure that internal IT always remains in the lead. Topics such as infrastructure as code (IaC) and architecture as code (AaC) are highly topical and, in PwC’s view, clearly belong to the remit of internal IT. However, cloud transformation is leading to a new level of abstraction for internal IT. We also see the current change in the hyperscaler environment as an opportunity to counteract the shortage of skilled workers.

Who’s responsible for overseeing the risks?

In addition to the various risks, we also wanted to know from our interviewees at which corporate level these are discussed. The answer varied by industry and focus area, with the topics being addressed at different levels. This confirms to us that risk assessment, no matter what stage of development a company is in, is a central and important topic that needs C-level attention and management from the very beginning.

Reasons for moving to the cloud despite the risks

Why do the companies surveyed go to the cloud despite these risks? The answer is clear: there is added value for the company. One of the reasons is scalability. Every year sees the addition of more data that requires storage space and has to be processed, increasingly in real-time. Another advantage is that new technologies can be tried out and used immediately. This is particularly interesting when it comes to research and development. The easy availability of services is also seen as a booster of transformation. Interviewees also mention the professionalism of the hyperscalers, which engenders trust and is one of the reasons for moving to the cloud.

Key Take-Away

Interestingly, our interviews showed that the risks associated with the cloud are not new. It therefore makes more sense to look at the service from end to end rather than necessarily differentiating between cloud and on-premises. 

Despite all the challenges and risks, our interviewees and we agree: the benefits outweigh the risks, and the cloud is necessary for any company hoping to be competitive. However, the risks must not be neglected and must definitely be considered holistically. 

Reach out to us at PwC if this has become a pressing item on your agenda.
