PODCAST: Making the Cloud Your Company's Secure Information Technology Program

09/27/2016  |  By: Sese Bennett, CISSP, CISM, QSA, ITIL, HITRUST CSF, Senior Manager, Information Security



Transitioning to the Cloud can be a complicated process for organizations looking to upgrade their secure information technology programs: identifying the right option, deciding on a vendor and implementing software can be stressful. Following a few easy steps, however, can simplify the process and foster a satisfying and beneficial installation.

The primary planning stages for a Cloud installation must identify what the information security requirements should be, involving a team that can accurately define the company’s needs. Ideally, IT, security and executive administrators should all be involved in the conversation and satisfied by the provisions made by the Cloud, defining clear expectations for how the change will affect organizational information and what services best meet those needs. These conversations should reveal whether Cloud-based applications may do the trick or if broader services like infrastructure or virtualization are necessary to meet organizational goals.

“Cloud is just not an IT initiative; it’s a company initiative,” senior manager for LBMC’s risk and security services Sese Bennett said.

Then, the search begins for a Cloud-based solution that meets the identified needs by prioritizing “wants” and “must haves” in the search requirements, based primarily on the organization and its purpose. For example, companies dealing with secure data may prioritize encryption or dual-factor authorization and a US-based data center, while companies that don’t deal with sensitive information may only want these features. By prioritizing features in advance, companies can more easily identify and connect with vendors selling relevant products.

This is often where organizations make a dangerous mistake, however, by “falling in love with a vendor” and not examining a wider range of options that may better suit the company’s purposes. The established relationship keeps those considering Cloud installation from considering the critical points that were previously outlined. Consultants can often help to keep companies focused throughout the process.

“It’s like going out and buying a new car. You see that bright shiny red new Corvette and you’ve just gotta have it. It doesn’t make a difference that you’ve got four kids and you know that not everybody’s going to fit in that car. You kind of overlook the shortcomings of that vehicle,” Bennett said. “It’s the same thing with Cloud service providers and Cloud vendors.”

Once a vendor and service have been chosen, implementation can happen quickly because no purchased hardware or data centers are necessary for installation. For small services, this can happen as soon as the next day; larger services could take up to six months. While speedy implementation can be a convenience, it can also be a pitfall for organizations whose rushed timelines don’t allow for proper set-up.

“This is where LBMC can come into play because we have that un-objective view of what’s actually going on. We’re not purchasing the service; we have the visibility across the industry to look at all different types of services and opportunities, and even look at some of the security pitfalls of some of the different services that are out there,” Bennett said. “So we can bring that opinion to the client and give them some visibility and get them thinking about some things they may not have thought of on their own.”

If considering implementing Cloud-based systems, organizations can learn more about best practices with the Cloud Security Alliance and its Cloud Controls Matrix. For more information about implementing Cloud solutions, visit LBMC online at or contact Bennett directly at or by phone at 615-309-24200.