Cloud first - Compliance second?
Diverse and promising offerings from the hyperscalers, the growing number of "cloud only" applications and services, and the pandemic as a driver of digitization: all these factors mean that decisions in favor of cloud offerings are sometimes made at short notice and, unfortunately, already established GRC processes (governance, risk and compliance) are often softened in favor of rapid implementation without real awareness of the consequences that follow.
But what does a good GRC process include when significant portions of your own IT are outsourced to the cloud? Treat major shifts of your IT landscape to the cloud the same way you would treat an outsourcing of personnel and business processes to a service provider and ask yourself the following questions:
What legal and regulatory hurdles do you have to overcome? Examples such as the DSGVO, the new supply chain due diligence law, or industry-specific regulation such as MaRisk, BAIT and DORA in the financial sector must be taken into account before the decision is made, not afterwards.
Which processes do you actually want to move to the cloud? Even if you pursue a cloud-first strategy in the future, it may not be advisable to hand critical or sensitive processes from locally hosted systems over to a third party. The issue of legally compliant data migration and data storage in the cloud is often underestimated. Data classification can help here, and the remaining risks must be addressed with technical and organizational measures (TOM), such as encryption that remains under your own control.
What risks do I face? Make a conservative assessment of the possible costs, but also of your actual dependence on the respective service provider. Do response times and availability fit your needs and your customer contracts? Hybrid use or a multi-cloud model often proves to be the more sensible and secure alternative.
Are my employees fit for the cloud? Training and education are necessary to ensure that the transition runs smoothly. Internal bodies such as the staff council, IT security officer and data protection officer must also be consulted in advance.
Who bears the responsibility? As a general rule, outsourcing does not relieve you of your obligations with regard to data protection, data security and risk management, for example. The term shared responsibility often comes up here: the cloud provider is responsible for the security of the cloud, but the cloud user is responsible for the security of its own processes and data in the cloud. Make sure that your understanding of the responsibilities matches that of the cloud provider and is secured accordingly in the contract.
What do I do if things go wrong? Mistakes happen, and that also applies to digitization. If cloud services are discontinued, data centers fail, costs increase or the "new world" does not meet your expectations, an exit strategy must be in place: can you bring your processes and data back on-premises at any time, or switch to another service provider? Play through these scenarios and document the corresponding steps, just as you would in your business continuity management (BCM).
The step into the cloud is a step into the digital future. To ensure that this step is taken on a solid foundation, outsourcing to the cloud must be accompanied by an established GRC process and a cloud strategy right from the start. The GRC process must be adapted to the scope of the desired outsourcing in order to act not as an impediment but as an enabler of the digital transformation.