In this episode of the Security on Cloud Podcast, we’re joined by Dr. Larry Ponemon, the Chairman and Founder of the Ponemon Institute, who is also considered by many to be a pioneer in privacy auditing, to talk in more depth about the findings of our latest report, The Post-COVID Cloud Boom.
There has been much speculation that the global COVID-19 pandemic sent many IT departments into a scramble and forced the issue of numerous cloud application migrations, often way earlier than planned, to support ongoing business operations. But to what extent and to what benefit has always been a guess, until now. Anitian and Ponemon Institute recently teamed up and implemented a study — The Post-COVID Cloud Boom — to help quantify exactly this. And today, we’re taking a deep dive into the findings.
We sat down exclusively with Dr. Larry Ponemon to discuss topics like…
- What it was like being a data privacy and integrity advisor for the Department of Homeland Security. [03:05]
- What we were trying to figure out with The Post-COVID Cloud Boom study. [04:05]
- Who we surveyed to gather our insights. [05:22]
- The big aha moments that stood out to Dr. Ponemon from the report. [07:26]
Scott Emo: Hello, everybody and welcome. You’re listening to the Security on Cloud Podcast live on Anitian Radio. And I’m your host, Scott Emo. You may notice that this episode sounds a bit different than past episodes. My co-host, John Vecchi, has moved on to pursue other passions of his. And for all of us here at the podcast, we wish him well in his future endeavors. But, not to worry. We plan on keeping the Security on Cloud Podcast information flowing to make sure that you have the latest on what’s going on in the world of cloud security. And so we don’t miss a beat on that information flow, we have a great topic for you today. There has always been speculation that the global COVID-19 pandemic forced many IT departments into a scramble and forced the issue of many cloud application migrations, often way earlier than planned, to support ongoing business operations in their companies. But to what extent and to what benefit has always been a guess. Well, until now.
Scott Emo: Anitian and the Ponemon Institute teamed up and implemented a study to help quantify exactly this. And with that, let me introduce our guest for this episode. He’s the Chairman and Founder of Ponemon Institute and is considered a pioneer in privacy auditing. He was appointed by the White House to the Data Privacy and Integrity Advisory Committee for the Department of Homeland Security. He was appointed to the advisory committee for online access and security for the United States Federal Trade Commission. He was also appointed to two California State task forces on privacy and data security laws. He earned his Ph.D. at Union College, a master’s at Harvard University, and attended the doctoral program in system sciences at Carnegie Mellon University. Coming to us from Northern Michigan, I’d like to welcome our guest, Dr. Larry Ponemon. Welcome, Larry.
Dr. Larry Ponemon: Thank you, Scott. What a wonderful introduction. Really appreciate it.
Scott Emo: Oh, it’s great to have you here today.
Dr. Larry Ponemon: Thank you.
Scott Emo: Larry, before we get started on the whole report and everything, I have to figure that most of our listeners have read your research at one time or another in their careers.
Dr. Larry Ponemon: Think so.
Scott Emo: I’m pretty sure. I bet that’s a pretty good guess. And I’m sure that they’ve heard of the Ponemon Institute. But they likely have never heard from you directly. So you have a ridiculously impressive background, and I didn’t even scratch the surface in that intro. If I could just take one thing out of that whole thing, could you share with our readers and our listeners here, what is it like being a data privacy and integrity advisor for the Department of Homeland Security?
Dr. Larry Ponemon: Well, to be honest with you, I’m not a politician, so working for the government had its good days and bad days. On the bad day side, there would be points of disagreement with the professional politicians. And a good day, you would basically get through it with a smile on your face, find a nice pub, usually, to enjoy yourself after a day from hell working on all sorts of issues. But there’s always something interesting. And our government is shifting and changing right now, and a bunch of issues that affect privacy, data protection, and security… We’ll see what the country looks like in a couple of years.
Scott Emo: Yeah. Well, that’s politics, isn’t it?
Dr. Larry Ponemon: That’s politics.
Scott Emo: Well, you know what? Instead of talking politics, let’s get to it. Let’s go and get to the report that we published together.
Dr. Larry Ponemon: Sure.
Scott Emo: It’s called The Post-COVID Cloud Boom. Can you tell us a little bit about the concept of the study and what we were trying to find out?
Dr. Larry Ponemon: Exactly. Well, we wanted to study what’s referred to as a “cloud boom” during the pandemic because it was our belief that organizations were hit pretty hard with COVID-19. They didn’t really know exactly how to respond and what controls they needed to have in place from an IT security perspective. And the general theory was that just the changes that were required made organizations grossly inefficient. And our hypothesis was actually pretty bold because we said, “That’s malarkey. Why would an organization decrease its security and privacy and other activities in IT?” And in fact, we believed in our proposition or hypothesis that some organizations, the good organizations, would see this as an opportunity to shift and change in a very positive way and have better security as a result. That was our main hypothesis. And you’ll see later in the conversation that that is, in fact, what we found.
Scott Emo: Great. So the boom part refers to the growth in cloud services on multiple fronts. And I think we’re going to probably cover those. But before we go into it specifically, who did you survey to try to get all these insights? What are some of the demographics and titles we talked to before we get into it too far?
Dr. Larry Ponemon: Sure. Well, the study was pretty complex. It contained actually two independent samples or groups, one about 643 individuals in IT and IT security. Most of these people had experience of more than 5, in fact, mostly 9 or 10 years on average. So we had people who were really experienced in IT as well as in security, and security being a little bit more broad than IT. But in general, we had some people who really knew this stuff. The other sample, a much smaller sample, involved Chief Security Officers (CSOs), people who are C-level executives in most cases, within their organizations who lead security, and IT, and cloud, and a whole bunch of other activities. So the combination of these two samples gave us insights into what was really going on.
Scott Emo: That’s great. And so, we actually hit multiple levels in a company. Those that were actually doing the work and getting their hands dirty, and the folks that were making the decisions.
Dr. Larry Ponemon: Exactly. These were people who weren’t afraid to step up and do what was right for the organization. We do a lot of studies, and politics, again, in IT and IT security can be pretty severe. And the people who lead IT and IT security, they know what needs to be done, but they’re afraid if they bring it to their boss, they’re going to get into trouble or be a whistleblower in their own company. They don’t see a lot of forward movement, positive movement. But this was a different story or scenario just because the consequences were so significant. Everyone was potentially getting sick. The organizations didn’t know about quarantine, or if they did quarantine, how can they ensure that it was being done properly. All these things made most people very sick mentally, as well as probably physically, with the virus itself.
Scott Emo: Yeah. And these things were changing every day, right?
Dr. Larry Ponemon: Every day.
Scott Emo: The information coming out was every day and they had to react, but, in many cases, they didn’t know how to react.
Dr. Larry Ponemon: Exactly.
Scott Emo: It was a very interesting time the entire world went through. Given the report, were there any big ahas that stood out to you in the report?
Dr. Larry Ponemon: Sure. Well, we found that business growth actually increased, better and more sophisticated uses of cloud technologies occurred over the period of almost a year and a half during the pandemic years, at least overlapping pandemic years. And so, the theory that this is going to cause businesses to suffer and decline did not bear out. In fact, we see the opposite, that business growth actually increased pretty significantly during most of the pandemic year. So that was, I think, an aha moment where we were looking at the data, we said, “Let’s run the survey data once or twice in our technology.” And we got the same result that business growth actually increased.
Dr. Larry Ponemon: Also business risk, which is the analog to business growth in our model, actually did not significantly increase, which is you always worry that we have a higher mean, but a much higher standard deviation. And the reality is that organizations were doing a good job on growth and also a very good job on risk containment. The combination of the two actually changed the perception that this is a nightmare forever and most companies are going to suffer as a result. There was no evidence of that, at least, in our survey.
Scott Emo: I think I heard three different overall findings in there: 1) increased business growth, 2) business risk or improved security posture, and, actually, 3) financial strength for some companies.
Dr. Larry Ponemon: Right, exactly. On the financial side, we estimated a high worst-case scenario of the cost of the event at about $13 or $14 million. But if they were doing this in a cloud environment, rather than on premise, the savings would be about $4.3 million. So, there was actually cost savings in some cases by allowing organizations primarily to work from a home office or a remote location. And that in and of itself made the organizations much more efficient and much, much more likely to invest in cloud technologies. We saw that across the board, in all the 14 different industry sectors in the study.
Scott Emo: Wow. Well, so let’s back up for a minute and start to drill down on those findings.
Dr. Larry Ponemon: Sure.
Scott Emo: So, you actually took the last one first and kind of dug down a little bit more about the greater financial strength.
Dr. Larry Ponemon: Right.
Scott Emo: I mean, that’s pretty amazing, that improved financial strength of a lot of the businesses out there. Was there anything else that was interesting in that section of the aha?
Dr. Larry Ponemon: Sure. The other part of that was that organizations, because they realized that they were operating more efficiently and effectively in many cases, are making more and better investments in cybersecurity technologies, specifically encryption, tokenization, and other tools that protect data specifically were being made by organizations that they would… Because they ended up having a surplus. At least, they thought they had a surplus as a result of cost efficiencies. And we saw this across the board. But the primary focus was to protect data, and that data would be normally in encrypted mode and would include intellectual property. So organizations were very sensitive that during this time you wouldn’t want bad guys hacking into your systems and doing damage that could happen to any organization, especially during the cloud boom.
Scott Emo: That’s really good. So improved financial strength and it drilled down to a number of different areas. And we’re weaving in and out of the three areas because they really are interconnected. It’s hard to piece out the three takeaways that you got because they are so interrelated.
Dr. Larry Ponemon: Yeah.
Scott Emo: You mentioned business risk did not necessarily go up and you could do the inverse of that and just say companies had improved security posture. You gave some good examples of that, like improved encryption and other pieces of the puzzle that they may not have had before, but they implemented, which is… That’s good news for the entire industry.
Dr. Larry Ponemon: Yeah, absolutely true. A lot of organizations were maybe a little bit shy and didn’t actually feel like they wanted to make big investments during this period because of the risk, that by being too open about what you’re doing from a security perspective could be dangerous, that you’re tipping your hand to the bad guy. Which is true, not during the cloud boom, but this is probably true for any organization with any technology and especially those that are focused on cloud. But we basically found that the whole idea of risk management changed because we’re dealing with people who are operating in a completely different environment, working from home and not necessarily having the training or policies make that a safe situation. So, there were cases where the system was broken a little bit, it had to be repaired.
Dr. Larry Ponemon: But in general, as I said before, business growth, up, business risk, down, technology investments made at a much higher rate than expected. And this was true across the board, across 14 different industry sectors. So, we really looked at it from every different angle. Sometimes the gem is not the direct finding, but the interrelationship. So, we ran more than 100, I’m sure, cross tabs. And I was starting to cross tabs, but it resulted, I think, in some very interesting findings that we will continue to write about in the future.
Scott Emo: Well, you also mentioned in there, and I know in the report that there was increased not only security but increased remote worker productivity. Because, well, you were forced remote, right? I mean, because the pandemic forced people inside. And so, we were able to increase… And I think that showed up in the report as well. Be able to increase work productivity by X percent. I don’t know what the percentage, but we did find that that was helpful as well.
Dr. Larry Ponemon: Exactly. We did a derivative study to this one, but we were looking at, again, the efficiency that organizations experience where they migrate to the cloud environment, not just the pandemic. We found that this home workplace scenario has greatly improved the efficiency of individuals in the workforce. There’s no question about that. In this study, our study alone looking at one of the cross tabs, we estimate that the productivity went up by as much as 37% in some industries. Worker productivity went crazy, and still is, if you look at it, dollar for dollar, it’s still higher than what happened in the olden days where we went to an office, especially a stodgy office, wearing a business suit and a vest. And nowadays, with communication, very few people came to work with gym shorts. So productivity did change because we could do wonderful meetings like this, without having to get in a car or take a plane somewhere.
Scott Emo: Which both of us may or may not be wearing gym shorts right now.
Dr. Larry Ponemon: I am wearing gym shorts right now.
Scott Emo: That’s awesome. And that makes a lot of sense too, because commute time, my commute was downstairs to the right, right? I mean, that was the limit of your commute.
Dr. Larry Ponemon: I love it.
Scott Emo: So all that commute time is gone. Part of worker productivity might be just the time that you save from simply the commute. Really interesting stuff. This is great. So I think it’s probably safe to say that we’ve definitely been able to quantify that there was a cloud boom due to the COVID pandemic. Would you say?
Dr. Larry Ponemon: I would say that, and it’s an interesting finding, maybe a little weird for some people, but the general idea is that you could have a crisis that’s enormous problems for an organization, or country, region of the country. And people are smart. They figured out how to make this work, not in every case, but in many cases. And it’s the hats-off organizations that do this that are brave enough to step out and do it better than… or first in line. And we see some organizations are really clever and very smart at dealing with these issues.
Scott Emo: Well, and we found out in the report that more folks, more companies were on that positive side than on the negative side.
Dr. Larry Ponemon: Yeah.
Scott Emo: Hence, the name of the report.
Dr. Larry Ponemon: Right.
Scott Emo: So, after the crazy years of COVID-19, and we’re not quite done, I think…
Dr. Larry Ponemon: I hope we’re done.
Scott Emo: I sure hope we’re done, but, boy, there is truly a silver lining in that cloud.
Dr. Larry Ponemon: There is. Yeah, there really is.
Scott Emo: And by the way, pun intended there.
Dr. Larry Ponemon: It’s a good pun, by the way. That’s very good.
Scott Emo: Well, Larry, are there any other pieces in the report that you would like to bring up? Because we covered a lot of the pieces there, but I know you did a few other offshoots. Is there anything else that our listeners might be interested in hearing?
Dr. Larry Ponemon: Oh, that’s great, Scott. We have a report that we think is pretty neat. And we’d like to give you a copy of it if you don’t mind. So, Scott, if you can help us share the report out to the people listening, that will be great. One last finding is: be cool, enjoy life, and don’t necessarily follow the fear factor. I think that one thing that the organizations that did as well, basically, did better than any other organization, was because they were confident and they basically implemented security in a way that was more effective and efficient. So, we want organizations and people in the companies to be brave and not to be afraid of pandemics, even though we’re most likely to see that happen again if we’re unlucky.
Scott Emo: Well, you heard it first here. Larry Ponemon saying, “Be bold. Be brave.” Go out there and do that cloud security thing to the best of your ability.
Dr. Larry Ponemon: Thank you.
Scott Emo: Well, Larry, great discussion. Thanks so much for joining us today. If our listeners want to find the full Ponemon Post-COVID Cloud Boom Report, you can download that at www.anitian.com/ponemon. And, Larry, if our listeners want to get in touch with you or look at any of the other reports, many thousands of reports that you’ve done either recently or in past years, where could they go?
Dr. Larry Ponemon: Well, probably email@example.com. Ponemon is not Pokemon. And we’re very lonely here in Northern Michigan, so when people request a telephone call or meeting, we are very happy to accommodate. Thanks, Scott.
Scott Emo: And with the remote workers, it’s easier this time than before. Well, remember, the Security on Cloud Podcast is brought to you by Anitian, the leading cloud security and compliance automation provider, delivering the fastest path to security and compliance in the cloud. Thanks again to our guest, Dr. Larry Ponemon. And until we meet again, I’m Scott Emo. See you next time on Anitian Radio.
About Our Guest
Dr. Larry Ponemon – Founder & Chairman of the Ponemon Institute
Dr. Larry Ponemon is the Chairman and Founder of the Ponemon Institute, a research “think tank” dedicated to advancing privacy, data protection, and information security practices. Dr. Ponemon is considered a pioneer in privacy auditing and the Responsible Information Management (RIM) framework. Security Magazine named him one of the “Most Influential People for Security.”
Dr. Ponemon is a member of the National Board of Advisors of the Eller College of Business and Public Administration, University of Arizona. He served as former chairman of the Government Policy Advisory Committee and co-chair of the Internet Task Force for the Council of American Survey and Research Organizations (CASRO). Dr. Ponemon is also a veteran (Vietnam War era) of the United States Navy. He is married, has two sons, and is also an instrument-rated private pilot.