Platforms including Amazon Web Services and Microsoft Azure have provided companies with huge resources to innovate and grow. But using them properly takes practice. Paul Sanders, CEO at consultancy Yobah, goes behind the scenes to explain more

Why does the cloud really matter?

Challenger banks like Monzo, and taxi companies like Uber, have changed customer service using data and technology. It’s impossible to get that level of innovation, that quickly, using inhouse capability.

In the cloud, data engineers, security engineers, artificial intelligence and machine learning are all provided as a service. Companies can use these tools, build on them, and develop new products. They can work at pace, at scale, and deliver what’s best for customers.

If that’s the case, what’s holding them back?

Companies think the cloud will save them money and be more secure. It can do both of those things, but they don’t always know how to start. They think they can buy servers on Microsoft Azure, for example, and that’s it. They don’t always appreciate that a strategy and operating model is needed. It’s also hard to find good, skilled people in the sector; most companies take one look and realise it’s too big to solve themselves.

What really matters for financial services firms considering this way of working?

The big one is compliance. A lot of financial services organisations see the benefit of the cloud, especially with the ‘work from anywhere’ model. What they don’t realise is compliance with FCA regulations is really hard. It normally holds them back, but they need to think about it because it matters.

What do they need to think about?

The concept of ‘shared responsibility is important. It means businesses are responsible for aspects of the service; it’s not just the cloud provider. In the past, if a business paid for their hosting in a data centre, the responsibility would sit with the provider. But in the public cloud, Amazon Web Services and Microsoft Azure, and others, are only responsible for 50 per cent of the service. The other 50 per cent sits with the customer. Companies need to show how they are managing that.

A good example would be users accessing data. In the old world, it would be easy, because employees came into the office and plugged into a network. Now, they can log on from anywhere. Companies need to mitigate this changing risk profile and the cyber security around it.

How do businesses respond when you start explaining these things?

They always push back and say: ‘here’s how we have always done it. That makes sense; they are comfortable, and they don’t want to change. But in these cases, I stop talking about technology. I talk about the capabilities they want, and the risks those bring. Then I align everything to an industry-standard, which might be Center for Internet Security (CIS) a cyber security framework. Then it’s about developing a proof-of-concept model to get them comfortable.

Is it important to explain these using language businesspeople understand?

I have seen a shift from IT-led change to business-led change in recent years. IT departments typically delivered services, but now business owners and heads of finance write code to improve processes. And they can do that using the cloud. In the past, IT departments have sat in their ivory towers and criticised others for not following rules. But this new way of working can actually give control back to the business.

What about cyber security? You mentioned the cloud ‘can be more secure…

Microsoft spends a billion dollars a year on cyber security. There are hundreds of changes a day, across all Microsoft products, so it’s important to understand them. But if they aren’t configured in the right way, it’s pointless; it’s like having a gate and leaving it unlocked.

Cyber security in the cloud is about two things: knowing what you are trying to protect against and doing it right. I know one company that has got plenty of tools, with bits of each one switched on. I’d rather they had two tools set up right, to help them protect against the biggest threats.

It sounds like the path to digital transformation needs to be thought through…

Using the cloud is the path of least resistance. But companies need to develop processes, controls and ways of working that are compliant in a digital world. That gives them the tools to get products to market quicker, and to innovate. But they can also achieve more for their customers than before. What they can do with data and technology, is a huge opportunity – and digital transformation is the goal.

They might push back, but their business can grow using cloud technology because they have huge resources at their disposal to help them.