Cloud security: The cost of getting it wrong and the advantage of getting it right

The cloud: You can’t touch it or see it. But almost everyone’s on it, whether they know it or not. Your employees are probably using software as a service (SaaS) applications for payroll or financial management, and your customers, without doubt, rely on cloud-hosted services. It’s everywhere. But you can’t afford to have your head in the clouds when it comes to cloud security.

The truth is, attackers are on the cloud too. They go where the data goes, and right now, that’s the cloud. They’re smart and sophisticated. And their attacks often evolve more quickly than traditional defenses can keep up with. On the opposite side of the coin, many organizations still rely on traditional, on-premises security processes and technologies — leaving gaps wide open.

It’s no wonder cloud security is now front and center for CISOs everywhere — and it will remain at the top of the agenda for the foreseeable future.

Who owns security when anyone can spin up a service?

The cloud has changed everything. Before cloud, deploying a new service could take months of work by a team of people, each specializing in a different aspect of deployment — procurement, installation, configuration and security. It may have been slow and process-heavy, but it also meant every stage was carefully monitored and checked. 

Enter the cloud, and you can spin up new resources in seconds. It’s great for speed but terrible for security. When you bypass the structured processes that were common in traditional IT, you create blind spots for the security team. And if they don’t know a new resource exists — well, you can’t protect what you can’t see.

This is why visibility is the foundation of security in the cloud era. By closing visibility gaps, you deal with fewer blind spots and take back control, keeping your cloud environment secure, compliant and resilient.

Make visibility a priority

The first step is to gain a real-time, unified view across all your cloud resources — spanning multiple providers, workloads and services — so that nothing slips through unnoticed. Automated discovery and continuous monitoring are critical here, helping your security team identify shadow IT, unmanaged assets and misconfigurations before attackers do.

Cloud security posture management (CSPM) tools play an essential role. Platforms like Palo Alto Networks Prisma Cloud, Wiz, Cisco Cloud Protection, FortiCNAPP and others  provide centralized visibility into complex, multicloud environments, flagging risks such as exposed storage buckets or overly permissive access policies. They also enforce compliance with industry standards and internal policies, and many offer automated remediation to correct issues at scale.

With the right tools in place, you can transform visibility from a reactive measure into a proactive defense that strengthens governance, reduces operational risk and enables you to innovate securely in the cloud — especially when combined with automated checks that will identify misconfigurations and blind spots errors before they go live and cause lasting damage. It’s why CISOs should treat visibility and automated detection and remediation as nonnegotiable.

Cloud disruptions caused by geopolitical events raise tough questions

However, even the best configurations can’t protect against global disruption. And unfortunately, there is no easy answer to managing geopolitical risk.

The best you can do is to treat it as just that — risk that should be managed. Keep contingency plans and watch global developments and ensure your data and workloads are portable. With portability, you can shift workloads between providers — from a hyperscaler to small local providers — or back on-premises as the need arises, giving you flexibility when costs, risks or regulations change. It’s not a perfect solution, but it is one that will help you maintain a level of resilience.

Digital sovereignty

This is also why digital sovereignty matters. It’s about two things: Keeping your business running if services are interrupted, and staying in control of your own data. Many assume cloud data is automatically backed up, but it’s not — availability is still your responsibility. And when data is stored outside your jurisdiction, compliance obligations follow. The safest bet is to test your backups and adopt bring-your-own-key (BYOK) encryption so that you control access and remain the true owner of your data.

Clearing up the “shared responsibility” confusion

There is often some confusion around who takes responsibility for security once workloads have moved to the cloud. The name says it all — the responsibility is shared. It’s a bit like road travel: the cloud provider takes responsibility for keeping the road safe and well maintained, but you’re still responsible for your car and how you drive it. In this instance, your responsibility covers applications, user identities, access permissions and, most importantly, your data.

Understanding this division of responsibility is critical. All too often, organizations don’t know or understand what their responsibilities are, leaving workloads unprotected until it’s too late.

CISOs need to make this crystal clear to their executive peers. Misunderstanding where accountability lies can create dangerous false assumptions. And in cloud security, such assumptions often lead to breaches.

Understanding the hidden value of cloud security

In one sense, security is about survival. The ubiquity of the cloud means that a major breach can take your business offline and damage your reputation beyond repair, which could cost millions of dollars.

But security is also an enabler. With strong controls in place, you can release new applications faster, safely adopt emerging technologies at the click of a button and enter new markets without putting your customers or data at risk. It safeguards your revenue and reputation while unlocking the agility that the cloud was designed to deliver.

Done right, it’s what allows your business to innovate, grow and turn resilience into revenue. It’s an investment, not an overhead. For CISOs, the challenge is to frame cloud security in those terms — not as a sunk cost, but as an investment in growth. When the board sees security as a revenue enabler and a resilience builder, it starts being recognized as core to business strategy.

Keep your data secure with NTT DATA

Cloud adoption isn’t going to stop, and neither will its associated risks. By closing visibility gaps, embracing automation, adopting a zero trust mindset and planning for sovereignty, CISOs can protect their organizations while continuing to innovate and grow.

At NTT DATA, we simplify the complexity for you through our integrated Cloud Native Application Protection Platform (CNAPP) approach, which brings together visibility, workload protection, identity and access controls, SaaS security and continuous monitoring. Here, automation becomes a force multiplier, reducing the burden on stretched teams and cutting the time between detecting and fixing issues.

We also prioritize zero trust security, with a simple philosophy at its core: Trust no one, trust nothing, verify everything. The model recognizes that breaches are inevitable, but what matters is that when attackers gain a foothold, they can’t progress. Zero trust makes lateral movement much harder, confining threats and protecting sensitive data even if one layer is breached.

For CISOs, “trust no one, trust nothing, verify everything” should become a mantra and daily practice. Identity checks must be embedded, least privilege enforced and zero trust made part of the corporate culture, not only an aspect of the technology. 

This leaves CISOs with fewer tools to manage, stronger protection across hybrid and multicloud environments and more time to focus on strategy rather than firefighting.

Are you ready to turn security into your growth advantage? Let’s make it happen.

This article was co-authored by Renjith Philip, Capability Lead: Cloud Security and Endpoint at NTT DATA.