As banks target core systems for cloud migration, difficulty sourcing cloud talent is a major risk factor, Accenture’s annual banking cloud report found.
Banks perceive core migration as high-risk for several reasons, the report said, including "a lack of staff with cloud expertise to manage these core functions and the difficulty of recruiting the required skills in the current environment."
Public cloud adoption represents both a security upgrade and a risk factor — a paradox reflected in the banking industry’s mixture of enthusiasm and reticence toward cloud adoption.
The complexity of cloud deployments coupled with shortages of technical expertise leads to misconfiguration errors, one of the more common causes of security lapses, according to a report published last month by the U.S. Department of the Treasury on cloud adoption in financial services.
“When configured correctly, public cloud services can provide an environment that is resilient and secure,” the report said. “But the resilience and security of any particular cloud service can and will vary depending on the vendor and service, as well as how each service is configured, provisioned, and managed.”
Patch management is a particular point of weakness, Jason Malo, banking and financial services research manager at consulting firm Gartner, told CIO Dive.
“When you look at the incidents that have happened over the last few years, it’s rarely a major denial of service or hacker attack,” Malo said. “It’s usually that someone didn’t patch a web application firewall with a known exploit.”
Nevertheless, cloud adoption in the financial sector accelerated last year, Accenture found.
Cloud workloads as a percentage of total storage and compute nearly doubled, reaching a weighted average of 15%, compared to just 8% in 2021, according to the IT services and consulting firm, which analyzed nearly 100 banks.
Migration of core banking systems continued to lag but picked up momentum. The percentage of core functions in cloud more than doubled, with banks running 7% of these workloads in cloud environments, up from 3% in 2021.
For banks, as in many other sectors reliant on legacy systems, the cloud journey began with the easiest-to-shift enterprise applications and then moved to backend IT.
Nearly 4 in 5 banks rely at least partially on public cloud infrastructure for enterprise systems, including applications for sales, marketing, human resources and finance. Yet 85% of workloads remain on-prem, trapped in complex legacy systems, according to Accenture.
Collaboration software and workplace applications have led the migration charge, with more than half of workloads now cloud-based, a year-over-year increase of 15 percentage points, the report said.
IT and operations workloads experienced an even larger bump, growing by 16 percentage points, although that still leaves nearly two-thirds of workloads on-prem.
The security paradox
Despite these advances, core migration remains fraught.
“The perception of reduced security in the cloud is a challenge for many organizations,” Cenk Ozdemir, cloud and digital lead at technology consulting firm PwC, told CIO Dive in an email. “But contrary to popular belief, moving to the cloud may generally increase security as cloud providers are spending more time and money on cybersecurity.”
Integration with core applications and legacy systems complicates cloud adoption. The knowledge required to shift workloads without disrupting operations or exposing systems to security risks can be difficult to source.
In addition to on-prem systems, 7 in 10 banks use multiple cloud service providers, Accenture found. This brings further complexity to the ecosystem and ups the ante for upskilling and talent recruitment.
Most banks are adopting more than one CSP, and knowledge of one cloud ecosystem doesn’t necessarily translate to others, Malo said.
Companies have to redefine governance and operating procedures in order to take advantage of cloud scalability, said George Haggar, U.S. financial services technology risk offering leader at EY.
“Organizations need to operate differently to take advantage of the strengths of cloud,” Haggar said. “It’s not just applying what they do currently to the on-prem environments in a cloud context — that won’t work.”
CSPs have a role to play as well, providing financial institutions with greater transparency regarding operational incidents, supply chain risk and testing resilience, the Treasury report noted.
To ease cloud adoption, CSPs need to provide banks with resources and tools to overcome talent shortages.
Banks have to be prepared to answer to regulators, regardless of enterprise architecture. “If the banks can’t answer compliance questions, it creates issues and the cloud providers certainly don’t want to find themselves in the middle of an audit,” Malo said.
CSPs may offer risk-mitigating industry cloud solutions, but accountability for security rests in the financial sector, not in Silicon Valley.
“Banks can outsource their technology stack,” Malo said. “What they can’t outsource is their responsibility to the data and their customers.”