Cloud 101CircleEventsBlog
Master CSA’s Security, Trust, Assurance, and Risk program—download the STAR Prep Kit for essential tools to enhance your assurance!

The CFO and Cloud Adoption: 101

Published 12/13/2021

The CFO and Cloud Adoption: 101
Written by Jeffrey Westcott, CPA, Chief Financial Officer, CSA.


Introduction to the Cloud

I always find it interesting to ask people where their organization is at on their cloud journey. Everyone reading this post already has some cloud presence, but one question is where are you on this path to cloud adoption? The immediate follow-up to the first question is what is your plan or roadmap for cloud migration?

The costs of cloud adoption are increasingly compelling to substantiate this decision, as well as time efficiencies. What may take your organization weeks or months to implement can be established in minutes using outsourced cloud services. Furthermore, technology is moving ahead at such a rapid pace, and the cost of attracting and retaining qualified and competent talent in this ever-changing environment is an increasingly daunting challenge for any organization. An oft-quoted statistic is that there is currently a shortage of 3.5m cybersecurity professionals globally, and I would gamble that the other facets of information technology also experience these similar deficits, putting further demands on the existing talent pool, including increasing wages.

Being an officer of the Cloud Security Alliance, I will not offer an unbiased opinion of cloud adoption and its benefits: The CSA’s objectives include “defining and raising awareness of best practices to help ensure a secure cloud computing environment.” (The Cloud Security Alliance is a global not-for-profit that has produced over 350 vendor-neutral research white papers on secure cloud migration.)

“Secure” is the key word here. Migrating to the cloud can be seemingly seamless, but there are many components of cloud computing that should be considered during your cloud journey. There are risks and decisions that need to be addressed and the ultimate responsibility and impact this could have on your organization rests on the shoulders of C-level managers.

What is the Cloud?

My simple explanation of the cloud is that it’s basically someone else’s servers. Data once was stored locally on your company’s premises – whether desktop, local servers or other mainframes. Data is now stored in a similar fashion, although it is contracted out and stored offsite. These cloud storage providers include familiar names such as Apple, Google or Amazon (AWS).

The National Institute of Standards and Technology (NIST) defines the cloud as being composed of these five characteristics (and my notes):

  • On-Demand Self-Service – Unfettered access to each service provider
  • Broad Network Access – Can be accessed by standard mechanisms (e.g., phones and tablets)
  • Resource Pooling – As the name suggests, shared tenants, offering economies of scale
  • Rapid Elasticity – Scale quickly and on-demand; any quantity at any time
  • Measured Service – Usage con be monitored, controlled and reported

Furthermore, the cloud utilizes these four deployment models:

  • Private Cloud – Single organization, on- or off-premises
  • Community Cloud – Specific community of organizations with shared concerns; it may be privately owned or third-party, on- or off-prem
  • Public Cloud – Provisioned for open use by the general public; it exists on the premises of the cloud provider
  • Hybrid Cloud – Composed of a combination of the above-referenced cloud infrastructures, as the name implies

The Next Steps

We have only started down this path by defining the cloud and its fundamental characteristics.

The next step in the process requires planning. Similar to any project management, you need to ask the fundamental questions:

  • Who are the stakeholders?
  • Is there a strategic plan? What data and applications will be moved to the cloud?
  • What are the budget and cost estimates?
  • Do we have the resources/skills or do we need outsourced contractors?

Your objective is to securely and seamlessly transition applications and data currently on-premises to offsite Cloud Service Providers (CSPs). The questions above encompass the logic that needs to be addressed not only before migrating applications and data into the cloud, but upon the initial implementation, as well as the continued cloud journey. We will continue the dialogue in forthcoming articles, but this should provide a reasonable foundation and raise additional questions to be addressed in your cloud migration.

The journey can seem daunting, but asking rudimentary questions now can prevent headaches down the road. Stay tuned.


Jeffrey Westcott is the Chief Financial Officer of the Cloud Security Alliance and joined CSA in 2014. He can be reached at [email protected], or www.linkedin.com/in/jwestcott/.

Share this content on your favorite social network today!