The use of cloud computing technologies and the management of increasingly complex regulatory requirements pertaining to data have emerged as persistent themes in corporate boardrooms and on executive agendas. Cloud computing technologies, which brought promises of convenience, flexibility, reliability, cost reduction, and security advantages, have had a transformational impact on organizations regardless of size or industry. As is often the case, the regulatory landscape globally, but particularly in the United States, has been slow to develop and is lagging behind the rapid pace of technological advancement. Just as the United States witnessed major development in the regulatory landscape governing banking and financial markets in the 20th and early 21st centuries,1 the next frontier of regulatory development will concern data and the rights of data subjects.
The Future of Cloud Computing and the Rise of FinOps
While the term “cloud,” in reference to distributed computing, is thought to have been coined in 1994, it became widely used by 2006 when the first cloud services began to appear.2 Although cloud computing has existed for some time, technological improvements to cloud technologies and a shift in corporate technology strategies and norms were necessary prerequisites to broad cloud adoption. As a result, large-scale cloud adoption remains a notable and persistent trend: between 2015 and 2022, the percentage of corporate data hosted in the cloud doubled from 30% to 60%,3 and 47% of organizations across all industries follow a cloud-first strategy when deploying new applications.4 Not only are organizations demonstrating a clear preference for cloud technologies, they are also turning to the cloud as part of a strategy to confront uncertain economic conditions. Among leaders, 41.4% are planning to increase their use of cloud-based services and products, 33.4% are planning to migrate from legacy enterprise software to cloud-based tools, and 32.8% are migrating on-premises workloads to the cloud.5 Perhaps most importantly, nearly half of organizations are trusting cloud providers to store “their most sensitive data”.6
Along with the proliferation and adoption of cloud technologies come challenges that are almost categorically tied to increasing costs. Increasing cloud expenditure has been a consistently developing concern amongst executives in recent years, as 2020 was the first year in which enterprise cloud computing costs exceeded on-premises computing costs.7 As a result, many organizations are taking tangible steps to address this concern: nearly half of organizations “are either hiring new staff or re-training existing staff to better optimize their cloud spend”.8
The rise of FinOps demonstrates the salience of cloud computing costs in corporate boardrooms. Put simply, “FinOps is an evolving cloud financial management discipline and cultural practice” which enables organizations to maximize business value and reduce costs by helping relevant teams “collaborate on data-driven decisions,” per the FinOps Foundation.9 FinOps emphasizes taking ownership of cloud usage and encourages best practices to drive optimization of cloud computing. The simple reality is that very few organizations currently have well-established FinOps functions: per the FinOps Foundation, only 19.5% of organizations are at the leading edge of maturity, where FinOps processes are well understood and business as usual.10 That means the majority of organizations are still at the nascent stage of development, as 37.1% of organizations are establishing basic practices and 41.7% of organizations have established some practices that are not yet refined or mature.11 Less than 40% of technical and business professionals are using basic FinOps practices such as utilizing “automated policies to shut down workloads after hours and rightsize underutilized instances,”12 indicating a substantial lack of FinOps maturity at most organizations. Organizations that make substantial use of cloud technologies have an opportunity to develop a competitive advantage by proactively identifying and implementing FinOps best practices.
New Frontiers in the Regulatory Landscape
The combination of the inherently slow pace of legal and regulatory development and the rapid and increasing pace of technological advancement has left modern legal and regulatory frameworks ill-equipped to handle contemporary security, privacy, and transparency issues relating to data. It is reasonable to assume the legal and regulatory landscapes will rapidly develop out of necessity as commerce is currently hindered by the difficulty of wrapping existing intellectual property and other legal requirements around issues of modern technology. As salient decisions are handed down by judicial powers and new legislation is adopted into law, organizations can expect new legal and regulatory requirements to be created and existing requirements to be further refined.
In recent years, consumers have demonstrated consistent and increasing concern regarding their privacy rights in relation to technology–and with good reason. In the decade beginning in 2010, Americans witnessed events such as Edward Snowden’s revelation of mass surveillance, hackers stealing the details of 40 million credit and debit cards from Target point of sale systems, and a whistleblower exposing the grave misuse of personal information without consent by Cambridge Analytica via Facebook.13 During 2018, in the wake of the implementation of the European Union General Data Protection Regulation (GDPR)–widely considered to be the most comprehensive and impactful privacy protection legislation ever adopted–73% of surveyed Americans reported feeling “more concerned about their data privacy now than they were a few years ago”, with those surveyed also expressing a feeling that their data is less secure than in previous years.14 Such data privacy concerns amongst consumers translate to demonstrable pressures and realities for organizations: “63% of consumers globally believe companies aren’t transparent about their personal data use, and about 48% have ceased purchasing from companies due to privacy concerns”.15 These concerns are rational and tied to identifiable causes, as breaches of sensitive information, whether caused by malicious actors or by errors and misconfiguration, remain on the rise.
Although consumers have demonstrated clear concern for their personal information, organizations that make an effort to proactively identify and respond to these trends in consumer sentiment and regulatory requirements can realize significant value. Consumers do demonstrate some nuanced perspective and appear to acknowledge the balancing act of securing and realizing the value of personal data: 58% report being comfortable with relevant personal information being used in a transparent and beneficial manner.16 Privacy concerns have been clearly established as a board-level issue: a study from Cisco indicated 98% of surveyed respondents report privacy-related metrics to their Board of Directors.17 Board-level involvement regarding privacy initiatives should be expected as privacy continues to be an attractive investment for organizations, despite tough economic conditions. Per Cisco, organizations are realizing a 1.8 times return on investments related to privacy.18 Not only are there business optimization cases to be made in favor of robust data privacy, but there is also clear regulatory risk that can be mitigated. The speed at which technological innovation is occurring is seemingly only matched by the dramatically increasing scale of privacy-related fines; the most aggressive fines in the last few years have increased from tens of millions, to hundreds of millions, to multiple billions of dollars.19
Between the potential value that can be captured by processing personal data in a compliant and transparent manner, the return on privacy-related investments, the impact of negative privacy events on reputation, and the massive fines relating to non-compliance, developing robust data governance and privacy practices is essential for many organizations. The regulatory landscape is very likely to be reshaped and expanded as regulators develop and promulgate new regulatory requirements intended to directly address modern technology. Recently, the Securities and Exchange Commission (SEC) issued new rules requiring publicly traded companies to report so-called material cyber events within four days of determining the event will have material impact.20 The regulatory landscape pertaining to privacy rights and data will continue to develop, and obligations to comply will become more widely understood and implemented. The next major area of regulatory development will undoubtedly be in relation to artificial intelligence (AI) as existing, antiquated intellectual property laws grapple with the realities and implications of broad AI adoption and use. The recent ruling that artificial intelligence cannot hold a copyright for works it creates,21 and the class action lawsuit of creators alleging that AI solutions have been illegally trained on their work without permission or compensation,22 are just two of the ever-increasing number of related headlines.
Forward Thinking and Organizational Opportunities
Adopting a strong data governance program, including a mechanism for identifying, scoping, and integrating regulatory requirements into technical processes and workflows, will become a de facto requirement for many organizations in the coming years. Cisco notes “organizations are not fully in sync with consumers when it comes to building trust – especially in the use of their personal data for AI and automated decision-making”.23 In order to dramatically mitigate regulatory risk, organizations must proactively design integrated processes that ensure legal, privacy, compliance, and information security requirements are clearly established and integrated into application and system development processes, and must continuously monitor for new, relevant requirements. Organizations that take a proactive approach to data governance and managing regulatory requirements will be significantly more likely to court consumers and avoid the scorn of regulators. In an age where threats to corporate technology environments are so pervasive and advanced that best practices dictate security practitioners assume their environments are already compromised, proactive efforts to enact proper data governance and regulatory compliance are likely to mitigate both regulatory scrutiny and the associated reputational impact amongst consumers. Failing to proactively prioritize developing robust data governance, privacy, and compliance practices will pose a substantial strategic risk to organizations over the coming decades.