Former Wall Street CIO Answers the Cloud Risk Question

Recently, Phil Venables, my friend and former colleague, published a blog on how to more effectively represent digital (technology) risk to a board of directors. Phil is currently a senior advisor to Goldman Sachs and a member of the Goldman Sachs Bank USA Board of Directors. He’s also an advisor to Concourse Labs. While Phil offered a number of astute recommendations, I wanted to repose his combination question, but with a focus on cloud risk management and provide some additional insights from my own experience.

Why the focus on cloud risk management? Because cloud is becoming the de facto infrastructure for facilitating a new remote workforce, creating immersive customer experiences, accelerating innovation, and providing a more resilient operating system for businesses to run. To that end, cloud is not simply a location for workloads and data, but a fundamental shift in how organizations design and operate their businesses.

Phil’s questions, now refocused on cloud: “What are the most significant risks to our most critical cloud assets and business services, what controls mitigate those risks, and who is continuously assessing whether those controls are in place and effective? What residual cloud risks remain, and who at what level of the organization deemed those acceptable with what compensating factors or risk transference? What executive management group regularly monitors the measured outcome of this process?”

On the surface, these questions seem straight forward and simple enough. Some organizations may be able to articulate all or some of these answers based on their ability to identify and assess risk, implement ongoing visibility and controls, monitor effectiveness and risk appetite, and establish accountability. However, far fewer can generate a report for their board that illustrates precisely how they manage the multi-dimensions of risk that public clouds create.

For most organizations, answering these most basic cloud risk management questions is exceedingly difficult. It requires the involvement of many people across siloed teams, and it leans heavily on manually manipulated policies and controls that often rely on fragmented and incomplete data. This raises serious questions about the degree of confidence in the results, and the situation is only getting worse.

Business is Complex

The number and variety of people, processes, and technology within an organization and across their value chain, their interrelationships, and the rate at which these attributes change can be complex. Mapping risk management roles and responsibilities to business operations is essential for creating the necessary scaffolding for effectively managing cloud risk.

Change is Accelerating

While change is inevitable, the velocity of change has accelerated, especially with the ongoing global health crisis. With the rapid shift to remote work, IT and security teams moved fast to change policies and controls, while cloud service providers continually add new and diverging services. In this environment, speed will trump best practices, increasing the probability for human error. To compensate, cloud risk management best practices must be designed for agility to account for this faster, continual change.

Cloud Usage is Growing

Organizations are expanding their cloud footprint in response to the global pandemic. While Gartner estimates a decline in overall IT spending over the next twelve months, they forecast public cloud-as-a-service spend to grow by almost twenty percent. With this increased usage comes greater risk associated with cloud misconfigurations. Organizations must have the capability to directly map their cloud applications to the cloud services they rely on, including the ability to validate run-time cloud configurations against their control objectives.

How can organizations manage these new realities and confidently and continually answer the combination question related to cloud risk? Here are two key takeaways that I learned from the many years I led Goldman Sachs’ global technology division and my time there as Chief Information Officer.

Automated Governance

When Goldman Sachs started shifting applications and workloads to the public cloud, we immediately recognized the need to also shift our thinking around governance and risk management. For on-prem resources, we typically reviewed policies and performed control verifications annually. However, using public cloud resources, with an agile development model, demanded we maintain continuous control to properly mitigate risk and understand our ongoing cloud risk posture. This required continuous attestation, through automation, which, at the time, required investment in an entirely different type of architecture that traditionally had not been used at scale, particularly within a large and highly regulated institution.

Enterprise-Grade Control

Next, we realized that the pace of change would be faster than we had imagined. This is partly because cloud computing allows you to ‘get it wrong until you get it right’ – triggering a continuous stream of application and service iterations. User rights and entitlements change more frequently as well, as cloud projects are frequently spun up and down. But change, especially rapid change, is the sworn enemy of enterprise risk management. Therefore, we knew we needed to ensure we had the right permissions and controls matched to the right users, applications and services, and the ability to know — at any point in time — who authored them, which required Goldman to invest in a new architecture.

The Bottom Line

At Goldman, our ability to fundamentally shift from human-centric to automation-centric controls, coupled with our capacity to know and prove our enterprise compliance posture at any point in time, enabled us to securely move 90% of Goldman’s applications to the cloud. This resulted in a significant reduction in overhead, and it allowed my 8,000+ developers to focus on innovating for the business instead of managing infrastructure. If you are responsible for managing cloud risk across your enterprise, and you’ve automated the deployment of software and infrastructure, isn’t it time you automated your cloud governance to keep pace?

Concourse Labs was founded to help businesses transform at the speed of public cloud, without requiring them to build their own modern governance infrastructure to manage cloud risk. Using novel technology and deep expertise, Concourse delivers a unique SaaS platform that automates every aspect of cloud governance, enabling security and risk management teams to have the visibility and control they need, while freeing developers to innovate at cloud speed and scale.

Jump start your cloud governance strategy by reading The Six Steps to Effective Cloud Governance – a framework for observing and managing cloud risk. Concourse Labs is the innovator in automated cloud governance. We’re accelerating digital transformation for enterprises by helping them move to cloud safely and securely, while operating at speed and scale. Concourse brings a new paradigm to the market, automating the process of establishing and monitoring controls, identity and cloud usage data. Founded and led by cloud industry luminaries with previous executive positions held at Goldman Sachs, Red Hat, Google, AWS and Rackspace, we have been trailblazing the move of large enterprises to cloud from the beginning. Backed by ForgePoint Capital, with additional investment from 83North and Capri Ventures and Workbench Capital, the company is headquartered in New York.

For more information, visit: or follow us on Twitter @ConcourseLabs

Automate Cloud Governance. Secure Visibility. Reduce Risk.

Related Resources

Learn more about one policy architecture and Concourse Labs.