More enterprises are taking a multicloud approach as part of their digital transformation efforts to support distributed teams working in hybrid and remote models. And just as hybrid work environments are here to stay, the multicloud approach has taken hold. Gartner predicts global cloud revenue will reach $474 billion in 2022, with 90% of enterprises already working toward a multicloud strategy.

When leveraged correctly, a multicloud strategy can make many processes more efficient. It also offers greater resilience to outages and more vendor flexibility than a single-cloud strategy. Additional advantages include:

However, these advantages come at a cost. It can be challenging to ensure data and cloud infrastructure is secure and aligned to your obligations and controls when disparate environments are hosted through multiple providers. Telling a unified story around the data, configuration, and security within those environments can be nearly impossible.

CISOs who are embracing a multicloud data approach must focus on two main security concerns: managing risks posed by vendors and their different cloud operating models, and demonstrating the value of their security controls and strategies in the face of increased costs of operating in a multicloud world.

Managing Risk Across Clouds

The impact and frequency of cyberattacks has grown in parallel to the escalating focus on multicloud strategies. Ransomware attacks, data breaches, and major IT outages topped the Allianz Risk Barometer this year for only the second time in the survey's history, with executives ranking them as more worrisome than supply chain disruption, natural disasters, and the pandemic. Companies are right to show concern: Organizations worldwide experienced 50% more weekly cyberattacks in 2021, compared with 2020.

Business leaders are catching up on the importance of cyberattacks, but most are underinformed about risks posed by their vendor partners. In PwC's "2022 Global Digital Trust Insights Survey," 57% of business leaders said they anticipate a jump in attacks on cloud services, but only 37% said they understand cloud risks. The approach and operating models of security vary among cloud providers, and protecting against risk is a shared responsibility that only gets more complex as you add common cloud services that use different approaches, such as identity and access management (IAM) or virtualized servers.

For example, different cloud vendors have their own approach to role-based access. Amazon Web Services handles identity by attaching IAM policies directly to a virtual server, which grants the server the ability to take actions. Google Cloud's offering, in contrast, focuses on creating service accounts (users) and then attaching those accounts to the server so it can interact with another resource. These small differences add up at enterprise scale, driving security complexity to ensure least privilege and other security requirements across both clouds.

Because cloud services aren't designed to integrate with their competitors, learning how to use security tools for each cloud provider is just the beginning. IT teams will need to centralize their security monitoring with a security information event management (SIEM) tool, along with other third-party tools to increase interoperability of cloud services. These added systems require additional training and resources and perhaps even additional IT staffing to ensure expertise in each cloud platform and how those platforms work together.

In addition to these in-built differences between their services, most cloud vendors prioritize their own specifically tailored security offerings. This drives a host of complications that plague cloud security. For one example, a cloud Web application firewall (WAF) can be used to protect your network, but it will only work with a specific cloud service provider and cannot be expanded across multiple cloud offerings. Duplicating these functionalities for different providers requires either duplicating teams to support and manage these key security tools or buying a cloud-agnostic service — which adds yet another vendor to the mix.

This additional risk and cost, typically not discovered until late in the deployment of a multicloud model, can push out timelines, increase cost, and trigger audit findings. Failure to plan for and mitigate these risks can leave a company susceptible to financial loss, regulatory action, litigation, and reputational damage.

Communicating Value With Risk Quantification

Gartner estimates that by 2023, 30% of CISOs' effectiveness will hinge on their ability to demonstrate value. As multicloud data strategies become the norm and the cost of security controls within that strategy increases, risk quantification can help leaders communicate their value consistently by expressing the multicloud risk posture in clear monetary values.

According to PwC, organizations that reported the most significant improvement in data trust outcomes had two things in common: They predicted an increase in their cybersecurity spending, and they incorporated business intelligence and data analytics into their operational models, including risk quantification.

To assess the financial risks of a multicloud strategy, CISOs must take into account the costs of each platform weighed against their perceived risks. Those considerations must include the data management and cybersecurity practices of all the cloud providers you're considering, along with any cloud-agnostic tools and platforms you'll be using for joint monitoring.

With so many factors at play, you can't afford to rely on imprecise, gut-feel measuring scales like "low, medium, high" and "red, yellow, green." Expressing risk data in financial terms is a powerful tool because it offers a common language to communicate changing risk priorities, improve alignment between CISOs and the board, and facilitate better-informed risk management decisions.

Here's an example: A CISO is looking at the financial value associated with the various risks of multicloud architecture. By comparing tactics for mitigating a cybersecurity incident, they find that better controls over administrative privileges reduce the financial cost of the event far more than implementing a cybersecurity training program. While the CISO understands the technical details of cyber-risk within multicloud architecture, the rest of the C-suite will benefit from the clarity of monetary values associated with each risk and mitigation tactic. By empowering CISOs to make their case to their colleagues and the board, risk quantification brings more transparency to the many moving parts of a multicloud strategy.

According to Gartner, more than 85% of organizations will function as cloud-first by 2025, and they won't be able to fully realize their digital strategies without using cloud-native technologies. A Gartner leader put it this way: "There is no business strategy without a cloud strategy."

It's imperative that business leaders pursue strategies to safeguard their data and communicate their multicloud priorities, aligning across the organization with a common language of value.