Why the Bank of England CIO is not a cloud denier


Last week the chief information officer at the Bank of England, John Finch, warned an attentive audience at the Cloud World Forum not to touch the cloud with someone else’s bargepole.

Actually, he did no such thing, but you would be forgiven for thinking he had, given some of the online news headlines that quickly sprang up on business and tech sites afterwards.

This totally wrong impression of what was, truth be told, a very balanced and sensible presentation by a banker who knows a thing or three about technology was revealed if you bothered to read the stories to which the headlines were attached. Headlines declaring that 'cloud computing is security concern for finance' and 'cloud opens up UK firms' data to CIA spies' or even 'Bank of England urges caution on cloud adoption'.

Misleading

Individually, none of these are too misleading (and attention grabbing headlines are not exactly news themselves in the world of business tech reporting) but it's the overall picture that is painted from the cumulative effect that worries me. That picture becomes a portrait of negativity, rather than a thoughtful portrayal of a complex landscape. Finch admitted that he may come across as "a bit of a cloud denier" but made it quite clear that he is not. So, what did Finch actually say to excite the nay-saying headline writers?

There's the thing, he said what just about everyone who knows anything about the cloud has been saying for years now. So when it's reported that Finch warned business against trusting cloud vendor promises, what he actually said was "you need to ask questions" when approaching a partner with regard to hosting your data. That's something we've been telling people for years, along with suggesting what those questions should be. It doesn't mean that we are anti-cloud, and nor is John Finch. When he accused some vendors of over-promising and under-delivering he was telling it like it is, and any business which blindly accepts a sales-pitch from any vendor, cloudy or not, is frankly a fool. Finch's statement "don’t let their bean counters tell you how to count your beans" applies as well to security as it does to matters of finance.

What does Finch think about cloud security? Well, if you listen to what was actually said, I'd say he's not spreading FUD nor is he adopting a nay-sayer strategy. He's simply exercising the kind of common sense thinking that is all too rare in the banking sector it would seem.

What Finch said was that you should approach CSP security promises with caution because "when you go to a third-party provider you are placing some of your security posture in their hands." The fact that cloud adoption is a security concern for the financial sector is not news, nor is it just the banking community who are concerned with security in the cloud; everyone is concerned, and that's exactly how it should be.

Of course security is a concern, but that's not the same as saying the cloud is insecure. Sure, from a regulatory viewpoint the finance industry has some specific security concerns which need to be addressed, and I think that was where Finch was coming from when he spoke of his concern with the cloud.

This is a concern that mirrors my own view that there is not enough guidance for specific industries, and that's why he was asking for more questions to be asked and less implicit trust to be granted.

I'm not sure I agree with Finch that security is the elephant in the room, however. After all, the subject has been well debated, but to continue the elephant analogy I accept that it needs to be fed some more data sovereignty buns. Data sovereignty goes beyond where the data is stored; it encompasses where the CSP is domiciled and is actually quite a complex area for most folk to get to grips with. Finch mirrors my own comments here at Cloud Pro when he warns of these matters having an impact on how, for example, the US Patriot Act applies to your data and your services.

He also warned about the problem of accepting statements such as 'your data will never leave Europe' without digging deeper. An example used in this context was of a well-known CSP whose servers are in the Nordic countries, and as he says, "How many people understand the rights of Nordic countries’ governments to third-party data hosted on their servers?"

Due diligence is not just a Buzzword Bingo high-scorer, it's an essential part of any worthy security strategy and it means more than just looking at bottom lines and financial implications; it means asking questions, the right questions. Do this and you are likely to get the right answers that will help you make a secure and cost-efficient migration to the cloud.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.