CIOs are responsible for preparing their companies for new technologies, which should mean they are comfortable with change. And yet cloud has proved to be such a transformational technology that many companies have lagged behind the adoption curve to the detriment of user productivity and security. In this week’s CIO Corner, we look at how companies are adapting to cloud – or their failure to do so.

For every CIO at the forefront of cloud evangelism, there are those who have stayed on the back end of the adoption wave. Cloud requires a different approach from IT and security perspectives, so initial confusion is understandable. At this point, however, CIOs in every industry should have a cloud strategy. Much of the confusion comes from vendors who market “cloud” solutions without the true “as-a-service” model. CIOs will want to make sure their “cloud” vendor, whether a business application or security solution, actually delivers the usability and scalability of a true cloud offering.

At least one principle remains true from traditional software to cloud applications: configuration is a key aspect of a secure platform. Although cloud providers may ease infrastructure security concerns, solutions are never completely secure out of the box. The way employees use a service can put sensitive information at serious risk, even if they don’t harbor any malicious intentions. St. Joseph Health learned this lesson the hard way when a file sharing application’s default setting exposed patient data to Google and other search engines, affecting over 31,000 patients. File sharing applications serve as powerful collaboration tools, but with a few clicks data can be exposed in ways that create serious legal problems. Companies with sensitive data consider governance a key feature for file sharing applications. Box recently supplemented their governance capabilities with data classification.

Enterprise IT vendors like Microsoft have taken a position in the driver’s seat to shepherd customers into the cloud. In addition to heavily marketing cloud solutions, Microsoft packages cloud products with other software licenses to nudge customers towards the cloud. Vendors like Microsoft have seized on the business opportunity of offering cloud services: Amazon’s cloud service has singlehandedly catapulted the company to the upper echelon of enterprise IT providers.

Similar to other IT environments, the first step to address cloud security is to quantify risk in the cloud. Without a definition of baseline risk, a company cannot determine whether cloud security improves or gets worse as they take action. While individual cloud providers offer native security capabilities, industry analysts recommend a central control point for managing risk across all cloud applications. Analysts like Gartner’s Neil MacDonald also recommend companies prepare to spend a percentage of their overall cloud budget on additional cloud security tools.

IT security teams are already bombarded with security alerts, and cloud opens the floodgates to new threats. It is not enough for detection tools to flag every instance of anomalous behavior. Almost a third of IT professionals say they ignore security alerts from monitoring tools. The key is to narrow the pool of alerts from “anomalies” to actual probable threats. At first, detecting threats in the cloud may seem like a needle in a haystack situation. On the contrary, the vast amount of cloud usage data actually provides machine learning algorithms with a rich data set to analyze and accurately detect threats. The key capability is to correlate threats across services rather from within any single service – another reason security teams opt for a single pane of glass for cloud security.