Securing the cloud is easy. Securing your org’s behaviours? Not so much.
A Clarity on Cloud blog by our CEO, Helen Gerling
Let's get one thing straight: Azure didn't lose your data. Meg from accounts did.
The cloud gets blamed for a lot - but most breaches, misconfigurations, and compliance failures aren't because cloud platforms are insecure. They're because we are.
The controls are there. The tools are there.
But if people ignore prompts, cut corners, over-provision access "just to get things done", and spin up shadow infrastructure to bypass slow processes - then you've got a behavioural problem, not a technology one.
The myth of "secure by default"
Public cloud platforms like Azure are secure by design - but not by default. Flexibility is a feature, and that flexibility gets dangerous when paired with poor habits and poor incentives.
The most common risks we see?
Access never reviewed, permissions never revoked.
Resources exposed to the Internet for “quick testing”.
Shortcuts becoming permanent architecture.
The controls exist. The platforms log everything. But if no one’s looking - or worse, if they’re afraid to raise issues - none of it matters.
Performative security vs. actual protection
Too many organisations invest in ‘performative security’. They write long policy docs, hold annual training, and assume the risk is handled.
It’s not.
Real protection comes from:
Least privilege access that’s enforced automatically.
Guardrails built into provisioning, not slapped on after.
Shared risk ownership - not just a lonely CISO catching the fallout.
Cloud breaches aren’t about the technology. They’re about the culture wrapped around it.
Where leadership gets it wrong
We work with public sector and regulated organisations every day. Most have invested in the right tools. Many have talented teams. But the same pattern keeps showing up:
Access is granted too easily.
Removing it later is manual - if it happens at all.
Accountability is blurred or buried.
It’s not that people don’t care about security. It’s that the organisation doesn’t make it simple - or normal - to act securely.
The final takeaway
If you're a CIO, CTO, or exec accountable for cloud strategy, here's the hard truth:
Stop reviewing firewalls. Start reviewing access logs.
Stop rewriting policy. Start rewriting behaviours.
Stop assuming security is IT’s job. It’s everyone's.
Securing the cloud is the easy part. Securing how your organisation acts in the cloud? That’s the leadership challenge. And it starts at the top.