In the beginning, CIOs and security teams were hesitant to implement cloud-based software and services, with considerations ranging from data loss to asset protection to governance, risk and compliance (GRC) ramifications. Even as cloud computing has surged in popularity during the past decade, IT managers continue to weigh the risks of cloud against its benefits, and in doing so, must contemplate how existing and emerging regulations fit into the GRC matrix.
In our March #GRCchat, @ITCompliance asked participants, "Is security and compliance becoming more of a priority for cloud providers? Why or why not?" SearchCIO senior news writer Nicole Laskowski kicked things off with this hopeful remark:
A4 Security is still seen as an obstacle to the cloud, so I certainly hope it's a priority. #GRCchat — Nicole Laskowski (@TT_Nicole) March 27, 2014
A4 How can they not be a priority, in an age where news of every major breach immediately spreads, sullying major brands/providers? #GRCchat — RachelTT (@RachelatTT) March 27, 2014
A4 Market is becoming very crowded while customer demand for compliance/security more insistent. What are they gonna do, ignore? #grcchat — betsy kosheff (@betsykosheff) March 27, 2014
Our tweet jammers are right: In a crowded market where customers demand better compliance and increased security, cloud-based software and service providers risk driving their own businesses into extinction should they ignore customer pleas for GRC assurances.
For IT organizations, choosing cloud-based software that fits business needs and carries an appropriate level of security is but one part of the battle. The next challenge is establishing GRC protocols around company assets stored in or accessed via the cloud. We asked our followers, "Who is responsible for security and maintaining GRC of data in the cloud: the company, provider or a combination of both?"
SearchCompliance site editor Ben Cole responded with a firm "both":
A5 Definitely a combination- Ultimately company though because that's who will be fined, face legal repercussions, etc. #GRCChat — Ben Cole (@BenjaminCole11) March 27, 2014
Other participants chimed in, insisting most -- if not all -- of the GRC responsibility lies with the organization whose assets are on the line, not the cloud provider serving it:
A5 The company. Customers will place blame for risk-related events on companies they do business with -- not service providers. #GRCchat — Nicole Laskowski (@TT_Nicole) March 27, 2014
A5 company needs to be up-to-date on its own GRC requirements, and ensure cloud provider is meeting these GRC needs #GRCChat — Ben Cole (@BenjaminCole11) March 27, 2014
Has your company ever had a disagreement with a provider of cloud-based software or services over GRC responsibilities? Let us know in the comments section below. For more from our #GRCchat, search the hashtag on Twitter. Our next tweet jam will be held on Thursday, April 24, at 12 p.m. EDT.