Don't Delegate Security Responsibilities

Credit unions have a tendency to 'hand the keys over' so they don’t have to worry about cloud computing.

September 15, 2013
There’s no way to eliminate all risks involved with cloud computing, says Rick Roy, senior vice president/chief information officer for CUNA Mutual Group. But they certainly can be mitigated.
For starters, get to know the cloud provider: Is it a startup business or does it have a proven track record? Has it invested sufficiently in the security measures needed to protect sensitive data?
“Many companies have aspirations to be cloud providers of something—they might be software or hardware companies that feel the need to transform their own businesses because of this trend,” Roy says. “Don’t get into an arrangement with someone who aspires to do this but doesn’t have a clue how.”
Also, don’t delegate responsibility for the relationship. Sometimes, Roy says, credit unions have a tendency to “hand the keys over to someone else so they don’t have to worry about it. But you still need to worry and pay attention. There aren’t too many autopilot solutions out there; they tend to need care and feeding.”
This is where ongoing due diligence comes in. Roy compares vendor selection to dating, when “everyone has their best foot forward. But once you’re in the relationship, make sure, through ongoing dialogue and audit discussions, that the security standards continue and the vendor continues to protect your information.”
Equally important, he adds, is making sure the vendor continues to invest in its infrastructure so it provides a high level of service and availability.
CUNA Mutual conducts a “formal business check point” each quarter with its cloud providers to examine the relationships, investments in infrastructure, new product releases, and other elements, Roy says. “It’s definitely a business conversation, and security is part of that conversation.”
The company also administers a security-specific review and questionnaire annually to make sure all parties “are doing what they signed up for,” he adds.
“It’s a two-way street. The vendor must do certain things in its data center to protect everything. But we also need to make sure we’re maintaining the security of that data as it’s leaving us and certainly as it comes back to us. We’d do this more often if we thought it was needed.”
Even a contract doesn’t absolve credit unions of the need for ongoing due diligence.
“When it comes to data privacy, you’re getting at the core of a trust issue between yourself and the member,” Roy says. “It’s the difference between a financial risk and a reputational risk. Don’t underestimate the reputational risk of something bad happening because your business is built on a foundation of trust. There’s not enough contractual language on the planet to overcome that.”