Developing a multicloud security strategy

Nov 10, 2020 | 3 mins
Cloud Computing, Cloud Security, Security

Multicloud environments can work to organizations’ advantage, so long as there is an overarching strategy in place for cloud security.

Even before the COVID-19 pandemic, many organizations were operating in a multicloud environment. Indeed, eighty percent of 150 Federal IT decision makers surveyed by MeriTalk in 2019 said their agency already uses multiple cloud platforms. In the post-COVID-19 era, as organizations adjust to a more decentralized workforce and recalibrate their business models, this reliance on multiple cloud platforms will increasingly become the norm.

Beyond the pandemic, the main drivers of multicloud adoption include mergers and acquisitions, and cost and capability differences among providers that might require a more diversified approach. Yet, as with almost every technological advancement, the move toward multiple cloud environments, which brings added flexibility and scalability, can also pose new, and often unanticipated, risks. And maintaining multiple cloud providers can create confusion if mature enterprise governance is not in place.

A recent white paper from ISACA (where I am a board director) on the security impacts of a cloud environment provides context around why the multicloud security landscape is becoming prevalent and what organizations need to do to adapt. As the white paper indicates, “Implementations can be driven by different groups: One business team may employ a different cloud provider from the one strategically selected for broader organizational use.” By the time IT is aware of the usage, several business processes may have been set in motion that are dependent upon it.

Developing a multicloud strategy is a security imperative

Proper multicloud governance comes with benefits, including cost advantages, lower initial investments in an OPEX vs. CAPEX model, and better integration with existing security processes.

The key is cultivating a sound multicloud security strategy, beginning with a discovery phase that includes an inventory of current cloud providers in use and how they are being deployed. As the ISACA paper indicates, “To develop a multicloud strategy, it is important for an enterprise to do more than simply recognize that multicloud is occurring. Instead, the enterprise must align its tools, processes, monitoring capabilities, operational mindset and numerous other elements of its security plan to consider that multiple providers are in play. Compliance requirements and risk tolerance must also be considered. The enterprise must have a solid business case driving multicloud usage—one that identifies risk impact, whether that risk is increased or decreased.”

The strategy should also seek to ensure the IT department is well-informed and connected to the organization’s cloud usages and that there is an ongoing mechanism in place to monitor cloud relationships. This includes the ability to drive forward any needed changes to those relationships based on regulatory changes, the organization’s internal business environment and other factors that necessitate flexibility.

For enterprises that choose to pursue a multicloud environment, the success of that approach will be dictated by whether a holistic strategy is in place and executed to ensure value is being added while mitigating the related security vulnerabilities. To do so, organizations need a clear understanding of their current state and then should align any additional cloud usages with foundational elements of their overarching enterprise security and vendor management plans. Multicloud environments can play a big part in enhancing enterprises’ ability to optimize technology, provided they are intentional about the way their cloud services are deployed and secured.


Experienced leader and board member, international authority in cybersecurity, with a proven track record in developing and managing strategy, programs and initiatives. Innovative thinker, with several international patents to his name, proven successful communicator and consensus builder across borders and cultures.

Chris is Director and Past Chair of the Board of ISACA, an international not-for-profit association with more than 200 Chapters, serving more than 160,000 IT, Cybersecurity, Information Security, Audit, Risk and Compliance professionals in 180 countries. He has served ISACA as Chair of the Board for 2 consecutive terms (2015-2016 and 2016-2017) and as director of the BoD for 9 terms (2010-2014 and 2015-present).

Chris is also a Board Member at INTRALOT, a leading gaming solutions supplier and operator active in 42 regulated jurisdictions around the world. Prior to his role, he served as Group CEO, Group Chief Services and Delivery Officer, Group Director of Technology Operations and Group Director of Information Security.

He also served as a member of the Permanent Stakeholders Group (PSG) of the European Network and Information Security Agency (ENISA) from 2012 to 2015. Chris has been working in the area of information technology for 20 years. He holds 3 patents and 6 awards and has authored more than 150 publications.

He holds a degree in Electrical and Computer Engineering and a Ph.D. in Information Security.