Companies worldwide are accelerating a move to cloud computing as they seek to reduce cybersecurity risks and support a pandemic-fueled rise in remote work.

Spending on enterprise cloud services likely will surpass that on non-cloud enterprise information technology within the next few years, according to a November report from Gartner. The research and advisory firm expects global cloud revenue to jump 16% next year to $474 billion.

Businesses in recent years have shifted more data and applications to servers operated by tech companies including Amazon.com Inc., Microsoft Corp., Google LLC and International Business Machines Corp. to remove the cost and security challenges of maintaining in-house data servers and to help make digital services more widely available for customers and staff. The pandemic hastened the trend by stoking demand for online services, including an almost overnight 10-fold jump in digital transactions at Canadian lender ATB Financial Inc.

"Our decision to move to the cloud was not driven by the pandemic, but it was certainly accelerated by it," Daniel Semmens, ATB's vice president of data and artificial intelligence, said in an interview. The bank is shifting some of its operations to the Google Cloud Platform, which Semmens said provides better security features compared to those that the bank had in its legacy infrastructure.

About 52% of companies expect to be operating in public cloud work environments next year, up from about a third in 2021 and about a quarter in 2020, according to a 451 Research survey of IT decision-makers fielded in the first quarter of this year. Most businesses are also prioritizing a multicloud approach, combining services from different providers, according to a survey of 200 IT leaders commissioned by cloud security firm Valtix.

Security matters

A key benefit of using cloud services is that companies can outsource cybersecurity to an IT giant rather than having to continually update their own systems in the face of evolving threats. Maintaining security in-house is a costly and challenging endeavor, particularly as most companies' data centers use equipment put in place at least five years ago, according to Sailesh Gadia, a partner in KPMG's technology risk practice.

"These old machines can face serious hurdles when it comes to keeping up with the constant threat of cyberattacks," Gadia said. "Using the cloud allows these organizations to leverage modern security tools that are agile enough to help protect against all threat vectors."

The costs of failing to keep pace with cyberthreats are also increasing. The average cost of a data breach jumped nearly 10% in 2021 to $4.24 million from $3.86 million in 2020, according to an IBM report that analyzed 537 real breaches across 17 countries and regions.

Royal Bank of Canada moved 75,000 employees to a remote working environment in about two weeks in March 2020, triggering rapid adaptations to its IT infrastructure as all of those employees moved to cloud-based work environments, said Adam Evans, vice president of cyber operations and chief information officer at the bank.

"Without changing our overall cyber strategy, we had to pivot quickly to adapt security programs that were designed for a primarily on-premises workforce," Evans said. "Generally speaking, the sudden surge in virtual work creates room for opportunistic attacks designed to take advantage of fear and uncertainty."

RBC utilizes a multicloud strategy, combining public and private cloud environments across several vendors to help reduce its risk, said Ranji Narine, the bank's senior vice president of cloud and transformation.

Security concerns, coupled with stringent regulatory requirements, have helped to make financial services a focus area for cloud-computing providers. For instance IBM this year introduced IBM Cloud for Financial Services, which it developed with Bank of America Corp. The system's key features include integrated security capabilities and automated compliance checks.

IT resilience

Companies are also looking to further enhance their IT resilience by working with more than one cloud provider, stitching together services that best meet the needs of specific business or operational requirements and offer backup access points in case of outages at any one vendor.

"Even the biggest cloud providers are not immune to infrastructure failures," said Eric Hanselman, a principal research analyst at 451 Research. Amazon Web Services, for instance, "guarantees a 99.95% uptime for its cloud, but that may not be quite enough for most banking customers," he said. AWS experienced a disruption that led to thousands of reports of downed services by U.S. customers for part of the day Dec. 7.

A multicloud approach also means companies are not locked into a single vendor, which allays regulatory concerns and bolsters negotiating leverage. About 79% of companies consider avoiding such lock-ins as either important or extremely important to the success of their digital initiatives, according to an IBM survey of over 7,000 C-suite executives across 28 industries.

"The ability to maintain choice is a real opportunity in cloud adoption that we encourage clients to take advantage of," said James Shira, global CTO of PwC. The advisory firm itself utilizes services from AWS, Microsoft and Google in the U.S., Shira said.

Regulatory challenges are also driving companies toward a multicloud system. U.S. multinationals are effectively barred from viewing German customers' data on U.S. cloud servers because Germany requires its citizens' data to be processed in their home country, according to Paige Bartley, a senior research analyst covering data management at 451 Research.

The drawback of a multicloud approach is greater complexity compared with using just a single provider. Only 54% of companies considering using a multicloud strategy are confident they have the tools or skills they need to fully execute it, according to the Valtix survey.

"They are underfunded, under skilled, and inefficient at executing on security within a multicloud strategy," said Valtix CEO Douglas Murray. "The reality is that managing several cloud providers multiplies threats, work, and headcount."

READ MORE: Stay informed on how technology is reshaping the future of your sector. Get the Next newsletter delivered to your inbox every Tuesday. Sign up here.

Skills shortages

Even with a single provider, cloud security is potentially more complicated for end users because it requires a broader array of IT skills, KPMG's Gadia said. For instance, a network security specialist now needs a strong understanding of other areas such as database security and application security as well.

The skills requirement is extra challenging because there is a huge shortage of trained personnel across the technology industry. The U.S. alone had 597,767 online cybersecurity-related vacancies listed in the 12 months ended in September, according to the website CyberSeek. The coronavirus has added to the squeeze, said ATB's Semmens.

"There's no question that the pandemic had an impact on the demand for talent in the technology space, and cloud experts are especially sought after," Semmens said. "ATB has not been immune to this lack of talent, and it has been a challenge navigating it."

Cloud end users are not the only ones bearing the brunt of this skills shortage. AWS, the global market leader in cloud computing, had more than 23,000 open positions at the start of November.

The skills dearth and wider cybersecurity concerns contributed to U.S. President Joe Biden hosting an August meeting with tech industry leaders. Companies pledged investments to tackle the shortfall, with IBM, for instance, promising to train 150,000 people in cybersecurity over three years. Meanwhile, Google and Microsoft committed to investing $10 billion and $20 billion, respectively, over the next five years.

Cloud executives said they are deploying a mix of training and tools to reduce the industry's talent shortfall.

"At Google, we're addressing the cloud skills crisis by expanding role-based certifications, preparing workers with cloud-first skills and localizing cloud learning and certifications," said Sunil Potti, vice president and general manager of Google Cloud Security. "As security operations as a silo disappear, niche security talent can become democratized within the organization."

In July, Google expanded the availability of its risk protection program to all Google Cloud customers, connecting them with a specialized cyber insurance policy that allows customers to measure and manage their risk on Google Cloud and connect with insurers to manage that risk directly.

Meanwhile, Oracle Corp.'s Jeff Wierer, vice president of product management security services, said the company is offering its customers more automated and specialized security services that reduce the need for dedicated cloud security employees.

"Automation and built-in security could have prevented many of the configuration errors that have triggered some recent breaches," Wierer said. "Our approach raises the bar to automatically secure customer systems and free the customer to deploy scarce human resources on enterprise priorities, not security hygiene."