Digital Assurance Transparency
Like any transformation initiative, cloud and data modernization comes with risks. And now that AI is often part of the effort, the technology landscape is even more complex. As CFOs take advantage of more scalable, more flexible cloud architectures, companies can more easily tap into rapidly advancing technologies. But that raises new questions for your risk and compliance teams: Is your data sensitive or subject to regional regulations? Do you have a clear understanding of your cloud service provider’s (CSP’s) control environment for the products, services and technologies you use?
PwC’s 2024 Cloud and AI Business Survey asked more than 1,000 business executives about their digital transformation strategy and practices. The survey identified a group of Top Performers — 12% of respondents — whose companies are more likely to realize value from their cloud and related technology investments. Notably, these top-performing companies are about twice as likely as other companies to see improved outcomes related to risk, security and controls.
Applying the proper risk and controls lens is essential to successful cloud and technology investments. In a rush to deploy new technologies and retain a competitive advantage, some companies overlook these considerations. But weak risk management can lead to unforeseen consequences, including cybersecurity breaches, business disruptions, regulatory violations and fines, plus costly budget overruns. Drawing on our research and our significant history working alongside Fortune 1000 companies, we’ve identified four key risk and controls success factors and what you can do to get more from your cloud investments.
In our survey, less than a quarter (23% of Top Performers and 24% of other companies) cite inadequate or missing cyber and privacy controls as a top-three barrier to achieving measurable value from their cloud technologies. A shared responsibility model delineates the distinct security and management responsibilities of cloud service providers and their customers. For technology and business executives navigating the transition to the cloud, understanding this shared responsibility model is important for laying a foundation of reliable security, risk management and compliance. While it seems intuitive as a concept, many companies struggle to say with confidence where the cloud provider's responsibility ends and the customer's responsibility begins.
Variations of the shared responsibility model exist based on the CSP used, the family of cloud services consumed (e.g., compute, networking, databases, machine learning), whether you employ a managed service or serverless options, and a myriad of other factors.
Both business and security executives should understand the cloud services their organization uses, including the platforms and technologies, along with the recommended industry leading practices, configurations and controls to be applied. Only 52% of surveyed executives who use CSPs say they are monitoring and managing compliance with their CSPs. Are you part of the nearly half leaving that on the table?
Start by inventorying your resources and assets in the cloud: appropriate risk and control treatment can't be performed without knowing what resides in your cloud estate. Then, to identify control gaps and opportunities to strengthen the existing responses to relevant risks, use an industry-accepted controls framework to evaluate your cloud environments for areas where new or enhanced controls are needed. As new cloud services and AI models are adopted, update your risk register and controls library accordingly.
You also want to understand what controls your CSP has in place for its side of the shared responsibility model, and whether those controls have been tested and operate effectively. Currently, just 37% of companies in our survey say they conduct regular audits of their CSPs. If you require more clarity into your CSP and its controls posture, consider adding a right-to-audit clause during contract negotiations and working with your CSP to provide greater transparency.
To further help build confidence, obtain your CSP’s third-party-issued reports on internal controls, referred to as system and organization controls (SOC) reports. Review these SOC reports to better understand the services your organization uses, whether they’re cloud- or AI-specific services provided by the CSP. Those services would be listed in the SOC section that details the services covered within the scope of the report; a service you consume that does not appear there has not been covered by the auditor's testing. Also review the complementary user entity controls the report lists, since these are the controls the CSP assumes you, the customer, operate for its controls to be effective, which makes them a concrete statement of your side of the shared responsibility model.
“Only 52% of executives are monitoring and managing compliance at their CSPs.”
With the number of services and offerings from CSPs continuing to grow rapidly — especially new AI offerings — cloud customers want to take advantage of industry leading capabilities, and that often manifests in a multi-cloud strategy. Many organizations — 72% according to our survey — embrace a multi-provider model that leverages the top capabilities each CSP has to offer.
Despite unprecedented growth overall, increased competition between these CSPs has made it difficult to keep attracting talent with a broad range of technical acumen and deep cloud knowledge. Additionally, there are no all-in-one software solutions that adequately evaluate cloud and AI ecosystems. Cloud providers frequently introduce new features and capabilities, and application programming interfaces (APIs) change often, making it even more challenging to develop a unified view that identifies misconfigurations, where and when patches should be applied, or where controls are missing.
Given these challenges, an effective governance program is essential when workloads are distributed across multiple cloud providers. Governance can give structure and stability to a constantly changing environment, allowing organizations to realize greater return on investment and avoid missteps. A strong governance framework can help cover domains such as asset and configuration management, financial operations, data management, and security and compliance.
One way to assist with driving governance across the organization is by establishing a cloud center of excellence (CCoE). The CCoE is a cross-functional team with business, finance, operations, security and technical departments working together to help drive uniformity and consistency in adopting industry leading practices, standards and guidelines throughout the organization. It can also identify inconsistencies in tooling, processes and architectures, providing insights to help risk management teams identify, document, course-correct and apply any necessary remediation strategies. The CCoE should also work in close alignment with governance teams to achieve a unified approach to strategy and leading practices, particularly around managing technology risks and controls. This collaboration is crucial, especially as technologies are increasingly deployed within cloud environments.
72% of organizations employ a variety of cloud providers
Eighty-seven percent of survey respondents say they’ve implemented controls to confirm that relevant risks posed by AI solutions have been addressed. Far too often, though, it’s not until workloads are production-ready that security, compliance and risk management get involved. Control gaps and unmitigated risks are then identified, causing technology and business teams to address these findings by re-engineering processes that were already laid out during requirements and design planning. As a result, go-live dates may be pushed out, causing strain, incremental cost increases and unnecessary frustration.
A better way is giving security, compliance and risk management an active role during software and system development, serving as value-added contributors integrated from the onset and consulted throughout cloud migration and modernization life cycles. Building trust entails open and clear communication in the development process, as well as weaving security control and policy requirements into the fabric of applications and their underlying infrastructure from the earliest stages. This also allows audit and compliance teams to evaluate workloads sooner, which in turn helps improve deployment speed, raise engineering quality and reduce burdensome redesign later in the development process.
Trust also entails embracing a culture of curiosity and developing technical fluency, allowing security, compliance and risk management teams to serve as trusted advisors to technology departments — a relationship that, at many companies, is strained or nonexistent. Such an environment can lend itself to ongoing collaboration, resulting in new opportunities to help bridge the gap with engineering and development, working together as a cohesive unit. Trust should also extend across every facet of your technology ecosystem, as a principle integrated throughout your transformation journey and covering all software and system development.
“98% of Top Performers have implemented controls to confirm AI risks have been addressed.”
Navigating cloud and related technologies for numerous internal and external audits, especially in heavily regulated environments, has proven to be incredibly challenging. The growing number of regulations and compliance requirements has left many teams exhausted from audit fatigue: countless hours spent manually reproducing audit evidence and artifacts to satisfy regulators and assessors, as well as internal and external auditors. Organizations need the ability to identify gaps in real time and respond to them just as quickly, something automation can readily provide.
Continuous compliance as a strategy leverages the automation capabilities within cloud platforms to help reduce administrative overhead, outputting tailored reports on a recurring basis and alerting teams to issues as they arise. Compliance-as-code solutions go further, encoding the required settings in standard templates so that compliant configurations are deployed automatically. Cloud-native and third-party tooling are commonly used to evaluate cloud estates for gaps in controls and, often, can fix issues or roll back to previous settings if new configurations stray from security requirements. One caveat: not every finding can be remediated by flipping a setting (relocating restricted data out of a non-approved region, for example), so the tooling should separate what it fixes automatically from what it escalates to a person.
This type of automation can allow auditors to inspect the configuration settings applied throughout the environment and move away from arduous, sample-based testing. This can significantly free up your technology team from audit support tasks, allowing the group to focus on more strategic, higher-priority items.
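The inventory-then-evaluate step described earlier and the continuous-compliance loop described in the last two paragraphs fit together in one small program. The following is an added example written for this page, not PwC tooling or any CSP's product: a resource inventory and an approved baseline snapshot are constructed inline, the control IDs (STOR-1, STOR-2, DATA-1, NET-1) are hypothetical labels rather than a real framework's numbering, and the data-residency rule (restricted data only in eu-west-1) is an assumption. Each control returns a finding with, where possible, the attribute change that remediates it; the drift check compares live configuration with the approved snapshot, and the remediation step shows that a residency violation is left open for a human while the other findings close.

```python
"""Compliance-as-code sketch (added example, not from the original page):
evaluate a cloud resource inventory against control rules, flag drift from
an approved baseline, and apply the remediations the rules propose.
Inventory, baseline, control IDs and the residency rule are constructed
for illustration only."""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed inventory: simplified shapes of what a CSP API returns for
# object-storage buckets and network security groups (not real resources).
INVENTORY = [
    {"type": "bucket", "id": "finance-exports", "region": "eu-west-1",
     "encryption": "kms", "public_access_blocked": True, "data_class": "restricted"},
    {"type": "bucket", "id": "marketing-static", "region": "us-east-1",
     "encryption": None, "public_access_blocked": False, "data_class": "public"},
    {"type": "bucket", "id": "hr-records", "region": "us-east-1",
     "encryption": "aes256", "public_access_blocked": False, "data_class": "restricted"},
    {"type": "sg", "id": "sg-bastion", "ingress": [{"port": 22, "cidr": "10.0.0.0/8"}]},
    {"type": "sg", "id": "sg-db", "ingress": [{"port": 5432, "cidr": "0.0.0.0/0"}]},
]

# Constructed "last approved" snapshot: identical except sg-db was internal-only.
BASELINE = [dict(r) for r in INVENTORY]
BASELINE[4] = {"type": "sg", "id": "sg-db", "ingress": [{"port": 5432, "cidr": "10.0.0.0/8"}]}

APPROVED_REGIONS_FOR_RESTRICTED = {"eu-west-1"}   # assumed data-residency rule
ADMIN_PORTS = {22, 3389, 3306, 5432}              # ports that must never face the internet

@dataclass
class Finding:
    control: str    # hypothetical control ID from the organisation's controls library
    resource: str
    detail: str
    fix: dict = field(default_factory=dict)  # attribute changes that remediate; empty = manual

def storage_encrypted(r) -> Optional[Finding]:
    if r["type"] == "bucket" and not r["encryption"]:
        return Finding("STOR-1", r["id"], "no encryption at rest", {"encryption": "aes256"})
    return None

def restricted_not_public(r) -> Optional[Finding]:
    if r["type"] == "bucket" and r["data_class"] == "restricted" and not r["public_access_blocked"]:
        return Finding("STOR-2", r["id"], "restricted data without public-access block",
                       {"public_access_blocked": True})
    return None

def restricted_in_approved_region(r) -> Optional[Finding]:
    if (r["type"] == "bucket" and r["data_class"] == "restricted"
            and r["region"] not in APPROVED_REGIONS_FOR_RESTRICTED):
        # Residency cannot be fixed by flipping a flag; empty fix means "escalate".
        return Finding("DATA-1", r["id"], f"restricted data stored in {r['region']}")
    return None

def no_internet_exposed_admin_ports(r) -> Optional[Finding]:
    if r["type"] == "sg":
        for rule in r["ingress"]:
            if rule["cidr"] == "0.0.0.0/0" and rule["port"] in ADMIN_PORTS:
                kept = [x for x in r["ingress"] if x is not rule]   # drop only the bad rule
                return Finding("NET-1", r["id"], f"port {rule['port']} open to 0.0.0.0/0",
                               {"ingress": kept})
    return None

CONTROLS: list[Callable] = [storage_encrypted, restricted_not_public,
                            restricted_in_approved_region, no_internet_exposed_admin_ports]

def evaluate(inventory, controls=CONTROLS) -> list[Finding]:
    """Run every control against every resource; the list is the audit evidence."""
    return [f for r in inventory for c in controls if (f := c(r)) is not None]

def detect_drift(baseline, current) -> dict:
    """Attributes that differ between the approved snapshot and the live inventory,
    keyed by resource id; resources that appeared or disappeared are reported too."""
    base = {r["id"]: r for r in baseline}
    cur = {r["id"]: r for r in current}
    drift = {}
    for rid in base.keys() | cur.keys():
        if rid not in cur or rid not in base:
            drift[rid] = {"_resource": ("present" if rid in base else "absent",
                                        "present" if rid in cur else "absent")}
            continue
        changed = {k: (base[rid].get(k), cur[rid].get(k))
                   for k in base[rid].keys() | cur[rid].keys()
                   if base[rid].get(k) != cur[rid].get(k)}
        if changed:
            drift[rid] = changed
    return drift

def remediate(inventory, findings) -> list[dict]:
    """Apply each finding's fix to a copy of the inventory (a real tool would call the
    CSP API or re-apply the IaC template); findings with no fix are left for a human."""
    fixed = {r["id"]: dict(r) for r in inventory}
    for f in findings:
        fixed[f.resource].update(f.fix)
    return list(fixed.values())

if __name__ == "__main__":
    findings = evaluate(INVENTORY)
    for f in findings:
        print(f"{f.control:7} {f.resource:17} {f.detail}" + ("" if f.fix else "  [manual]"))
    print("drift since approved snapshot:", detect_drift(BASELINE, INVENTORY))
    print("still open after auto-remediation:",
          [f.control for f in evaluate(remediate(INVENTORY, findings))])
```

Run on the constructed inventory, the evaluation reports four findings across three resources, the drift check shows that sg-db's ingress rule changed from the approved internal CIDR to 0.0.0.0/0, and after automatic remediation only DATA-1 (the residency violation, which has no automatic fix) remains open. Scheduling this kind of evaluation on every configuration change, rather than once per audit cycle, is what turns point-in-time sampling into the continuous evidence described above.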
Top-performing companies are 2x more likely to see improved outcomes related to risk, security and controls.
Shar Qureshi
Partner, Digital Assurance and Transparency
Principal, Digital Assurance and Transparency, PwC US