
The articles in Digital McKinsey: Insights are written by consultants from Digital McKinsey together with colleagues across the firm. The publication offers readers insights on digital transformations and the people, processes, and technologies that are critical to their success.

Articles appearing in Digital McKinsey: Insights also appear on McKinsey.com. If you would like to receive email alerts when new digital articles are posted, register at McKinsey.com.

To learn more about Digital McKinsey, please visit mckinsey.com/business-functions/digital-mckinsey/our-insights. To send comments or request copies, email us: digital_mckinsey_[email protected].

Director of Digital McKinsey Publishing: Barr Seitz
Editor: Josh Rosenfield
Managing Editors: Michael T. Borruso, Venetia Simcock
Art Direction and Design: Nicole Esquerre, Julie Schwade
Data Visualization: Richard Johnson, Jonathon Rivait
Editorial Production: Elizabeth Brown, Heather Byer, Roger Draper, Gwyn Herbein, Pamela Norton, Katya Petriwsky, Charmaine Rice, John C. Sanchez, Dana Sand, Katie Turner, Sneha Vats, Pooja Yadav, Belinda Yu
Cover Photo: © Erik Isakson/Getty Images

McKinsey Practice Publications
Editor in Chief: Lucia Rahilly
Executive Editors: Michael T. Borruso, Allan Gold, Bill Javetski, Mark Staples

Copyright © 2018 McKinsey & Company. All rights reserved.

This publication is not intended to be used as the basis for trading in the shares of any company or for undertaking any other complex or significant financial transaction without consulting appropriate professional advisers.

No part of this publication may be copied or redistributed in any form without the prior written consent of McKinsey & Company.

Table of contents

Introduction

Creating value with the cloud

Features

The progressive cloud: A new approach to migration

Cloud adoption to accelerate IT modernization

Reimagining software services for the cloud and the digital world

Making a secure transition to the public cloud

Learning from leaders in cloud-infrastructure adoption

Creating value with the cloud

Once a technological curiosity, the cloud has become integral to modernizing the IT environment and enabling the digital transformation of companies large and small. Cloud-based computing and storage platforms offer manifold advantages over conventional on-premise systems, from lower operating costs to better compatibility with the working styles of digital enterprises. But a large-scale move to the cloud isn’t a matter of merely “lifting and shifting” applications and data from on-premises services to cloud platforms. It’s a complex endeavor that requires companies to build new capabilities.

One often-overlooked capability is planning the cloud transition. IT leaders need to weigh the pros and cons of migrating each application or data asset. This often requires extensive dialogue with both cloud-services providers and software vendors so that companies can understand how their offerings are likely to evolve. Another key area of focus is managing cybersecurity during and after the transition. Companies should take stock of cloud-service providers’ security resources and determine how to adapt their own cybersecurity practices to balance speed and protection.

Perhaps most important, companies will need to reorganize their operations so they can take full advantage of what the cloud can do. Some companies might choose to establish dedicated cloud-migration teams to set up cloud platforms and remediate applications or data assets so they function properly in the cloud. Others will entrust the migration work to existing teams. Either way, all IT specialists, from application developers to infrastructure teams, will have to learn the effective use of cloud-based services. Such a learning program should cover technical skills as well as agile methods, which enable teams to build and deploy cloud applications quickly.

Being smart about the use of cloud platforms and services can make the difference between gaining a competitive edge and falling behind rivals. With this volume, we hope to help you capture the value that the cloud can unlock.

Andrea Del Miglio, Partner, Milan
Will Forrest, Senior partner, Chicago


The progressive cloud: A new approach to migration

Mark Gu, Krish Krishnakanthan, Anand Mohanrangan, and Brent Smolinski

Migrating applications and data to public-cloud platforms can be tricky. Companies can ease the transition with hybrid-cloud configurations that progressively combine private- and public-cloud features.

Digital McKinsey: Insights December 2018

Moving processing workloads into the public cloud has helped leading companies lower their operating costs and build modern IT environments capable of rapid, integrated, and highly automated development and operations. But for large companies with complex IT architectures, moving applications and data to public-cloud platforms involves working through a formidable set of technology, security, operational, and financial issues. Those complications go a long way toward explaining the limited uptake of public-cloud platforms: some 60 percent of companies surveyed by McKinsey last year have migrated less than 10 percent of their workloads to the public cloud.

There are, however, ways to ease the transition to the public cloud. By progressively blending public-cloud and private-cloud solutions into hybrid-cloud configurations, companies can quickly take advantage of sophisticated cloud services and even move sensitive applications into the public cloud without disrupting their IT architectures and operations. Three practices are essential to implementing progressive cloud models. Companies must first estimate the costs of operating a hybrid configuration. Next, they should devise a manageable sequence in which to migrate applications and storage to the cloud. With those priorities in mind, they should set up a dedicated unit to migrate applications and storage using agile practices and streamline operations with automated services. In this article, we provide a closer look at these three practices and how leading companies have used them to accelerate the movement of their workloads into the public cloud.

The best of two worlds: The progressive cloud

Cloud platforms come in two main varieties, public and private, both of which have pros and cons. Public-cloud platforms give companies easy access to a broad range of services, from basic storage and networking to innovative offerings like advanced analytics, machine learning, and virtual-reality development. And their menus of services expand all the time. Enterprises can easily take advantage of these cutting-edge services without having to develop their own or source them from other vendors. However, enterprises can be apprehensive about placing sensitive information and proprietary applications in the shared data centers that power public-cloud platforms.

Private-cloud platforms can be equipped with some of the same automation features as public-cloud platforms (for example, one-click provisioning of servers and automated scripting of architecture patterns), so companies can rapidly deploy new capabilities. Companies can also outfit private-cloud platforms with security controls of their choosing and thereby protect their critical applications and data. On the other hand, public-cloud platforms have more capabilities than private-cloud platforms: cloud-service providers (CSPs) invest heavily in developing new services, and third-party vendors tend to launch new services in the public cloud before introducing private-cloud versions.

To work around these trade-offs and bring public-cloud capabilities together with private-cloud security, companies can take a progressive approach to combining private-cloud and public-cloud services. Such hybrid-cloud systems come in three primary variants (Exhibit 1):

• A private-front or backhauling topology routes all traffic through private data centers and deploys applications partly or completely in the public cloud so that a company can apply internal cybersecurity controls and still take advantage of public-cloud services.

• A public-front topology also places applications in the public cloud but allows users to access them directly, with CSP-provided cybersecurity controls applied by default. Data are stored in a private cloud with additional security controls.

• A public-cloud or cleansheet topology places both applications and data in the public cloud. Enterprises apply cybersecurity controls from third-party services.

Exhibit 1: Progressive cloud systems come in three primary variants.

Private front or backhauling
• Known and established security mechanisms
• Simplified monitoring and debugging
• Quick implementation
• Higher costs because of increased traffic

Public front or CSP default¹
• Lowest-cost approach, but limited to offerings from CSPs
• Potential creation of gaps when limitations are not understood
• Greater scalability
• High potential benefits (45–60% savings on data-center costs)

Public cloud or cleansheeting
• Use of multiple solutions
• Enhanced user experience⁴
• Need for deep expertise in cybersecurity and cloud architecture; increased complexity and potentially IT costs

Diagram labels: customers, employees, virtual private network, security apps and services, cloud-access security broker, private infrastructure, public infrastructure (IaaS, PaaS, SaaS²; XaaS³).

¹ Refers to the use of cloud-service-provider (CSP) security controls by default.
² IaaS = infrastructure as a service; PaaS = platform as a service; SaaS = software as a service.
³ XaaS = everything as a service.
⁴ For example, multiple device platforms with a single sign-on.

As companies develop more sophisticated cybersecurity controls and cloud capabilities, they can shift applications from a private cloud into a hybrid cloud with a private-front topology, then into a public-front topology, and eventually into a cleansheet topology. For example, an insurance company used a private-front topology to move some sensitive applications into the public cloud without having to overhaul its cybersecurity controls. Doing this allowed the company to migrate an additional 25 percent of its workloads into the public cloud, where it could use additional services while maintaining security controls.

Three essential practices for deploying progressive cloud systems

Since progressive cloud systems rely on some elements of public-cloud platforms, businesses that opt for these hybrid setups will still need to manage some of the complexity that the public cloud presents. In our experience, three issues—finance, operations, and talent—typically warrant extra attention and can be managed effectively using the following practices.

Know the costs of progressive configurations

When devising a progressive hybrid-cloud configuration, most companies will want to consider more than innovative capabilities and security controls. Costs also matter. But comparing the costs of progressive options isn’t always straightforward. Prices and pricing models for public-cloud platforms change over time. Companies have to keep an eye on those changes and assess their effects.

The characteristics of individual applications and data-storage systems affect technology costs too. A large financial-services company found that “input/output-intensive” (or “I/O-intensive”) applications—those that read or write a lot of data—were costly to host in the public cloud because the CSP charged hefty “egress” fees whenever web applications made data calls to the company’s private data center. Storage was cheaper in the public cloud, though, so it was economical to run storage-intensive applications there. (In some cases, companies have to copy data into the cloud, rather than move them there, which expands their storage footprint and inflates their storage costs.) Hybrid-cloud systems may require investments in bandwidth and controls for the connection between private-cloud and public-cloud platforms.

Companies should also consider how migrating to the cloud will affect day-to-day expenses other than technology costs. For example, using an infrastructure-as-a-service capability in the public cloud still requires a company to perform many of the same maintenance activities that it would for a private infrastructure. But when enterprises use cloud solutions that sit higher in the stack, such as platform as a service and software as a service, they can pare down their IT operations and let CSPs handle operating responsibilities.

With all these costs in play, companies should take care to define the financial gains they want to achieve and the metrics they’ll use to gauge performance. They can also benefit from assigning experts in cloud technology and pricing to model the costs of their technology stacks and operating models and to recommend adjustments as business needs and pricing schemes evolve (Exhibit 2). Organizations must not approach this as a one-time effort but rather as an ongoing business discipline like the procurement of other integral resources.

Exhibit 2: To get maximum benefit from cloud solutions, companies need to understand what cost savings are available with different cloud topologies.

Potential run-rate savings in each topology, % of current total per image¹ (legend: nonlabor savings, labor savings)

Current: 100
Private cloud: IaaS –9, PaaS –6; resulting run rate 85–91
Private front or backhauling: IaaS –20, PaaS –1; resulting run rate 64–65
Public front or CSP default²: IaaS –5, PaaS no change; resulting run rate 59
Public cloud or cleansheeting: IaaS –20, PaaS no change; resulting run rate 39

Sources of cost savings, private cloud
Infrastructure as a service (IaaS)
• Nonlabor: compute and storage hardware (partly offset by added software)
• Labor: automation
Platform as a service (PaaS)
• Nonlabor: decrease from open-source licensing
• Labor: decrease from middleware and database automation

Sources of cost savings, private front or backhauling
IaaS
• Nonlabor: public-cloud pricing and real-estate reductions³
• Labor: fewer compute/storage touches
PaaS
• Nonlabor: middleware and database-as-a-service pricing
• Labor: effort eliminated by middleware as a service, by database as a service, and by database automation

Sources of cost savings, public front or CSP default
IaaS
• Nonlabor: decrease in networking costs
• Labor: decrease in networking labor

Sources of cost savings, public cloud or cleansheeting
IaaS
• Nonlabor: elimination of all networking assets and remaining real estate (except mainframe footprint)
• Labor: decrease in networking labor

¹ 100% = $20,000 per environment ($246 million infrastructure baseline; 12,500 images). Saving scenarios range from low (only using IaaS solutions) to high (using IaaS and open-source PaaS solutions as well as optimized real estate).
² Refers to the use of cloud-service provider (CSP) security controls by default.
³ Colocating data centers would make real-estate costs variable and allow the company to maintain a physical footprint for networking (~10%) and mainframes (~14%) only.

Develop a cloud-migration road map

It isn’t practical to migrate all applications and data to the cloud at the same time. Companies need to sequence their migration efforts, ideally front-loading them with applications for which cloud migration can deliver big performance improvements or cost savings. One effective approach is to establish a rubric for assessing applications with respect to the performance and cost considerations described above and then engage colleagues from the business, from application development, and from IT infrastructure in conducting the assessments and scoring applications accordingly. The following issues are worthwhile to explore:

• dependencies on other applications
• security controls required by the application
• services consumed by the application
• data required by the application
• the underlying technology architecture
• the effort required to rewrite code and configurations and conduct testing
• the costs of cloud-deployment options
• the business risks of performing a migration

An insurance company used topics like these to evaluate the prospect of migrating its applications and data assets to the cloud. Then it developed a road map that called for migrating an additional 10 percent of applications in the first year, another 20 percent in the following year, and the remainder over the next few years (Exhibit 3).

Exhibit 3: One company sought to double the share of workloads that it deploys on public-cloud and private-cloud platforms over a three-year period.

[Chart: planned cloud strategy, % adoption (current versus future), and phased road map of transition to cloud, % increase in adoption, for Year 1, Year 2, and Years 3–5. Categories: software as a service (SaaS), public cloud, public front, private front, dedicated hosting, mainframe, plan to retire.]

Create an agile, automation-oriented cloud unit

Some companies think of the cloud as an infrastructure service, and so they ask their existing infrastructure teams to operate cloud services alongside legacy services. Such assignments often prove complicated. Established infrastructure teams can be slow to get familiar with new technologies, legacy systems seldom support the requirements of cloud solutions, and the additional work can exceed the infrastructure team’s capacity. When one large enterprise put its infrastructure team in charge of cloud services, the team struggled to learn new support processes, balance the added responsibilities with existing ones, and attract skilled cloud engineers. Its cloud program progressed slowly, migrating less than 10 percent of workloads to the cloud in three years.

A dedicated cloud-delivery team, on the other hand, can help ensure that the migration effort gets proper attention and expertise. This team is tasked with two main sets of responsibilities. One set covers designing, building, and maintaining the cloud platform and training developers to use it. The other set of responsibilities covers the technical work of migrating applications, such as managing firewall and network settings, testing, writing code, and designing database structures.

A dedicated cloud team can be modestly sized to begin with: 30 to 40 people with a mix of skills in product management, system engineering, software development, user-interface or user-experience design, IT operations, and financial management. Most large companies will have ten to 15 people developing the cloud platform while the rest concentrate on migration work (typically for a period of about two years). In a recent survey, we found that companies with a dedicated cloud team migrated 52 percent of applications on average (from a minimum of 20 percent to a high of 95 percent), whereas companies without a dedicated cloud team migrated 29 percent of applications on average (between 8 percent and 55 percent).

Dedicated cloud teams tend to be most productive when they automate their work and adhere to agile development practices. Cloud teams can write scripts that perform virtually every task involved in operating cloud platforms (see sidebar, “How cloud teams can apply DevOps successfully”). They can also build tools and application programming interfaces that let software developers deploy cloud services on their own. Cloud-delivery teams that follow these approaches write more code than conventional system-administration teams, so they find it advantageous to follow agile methods. They organize themselves into squads, prioritize service-development efforts by speaking with application developers and other cloud-service users, and roll out new offerings by developing them rapidly and making frequent improvements in response to users’ feedback.

An automation-heavy approach typically results in higher productivity: one company found that its cloud team supported some 400 images per full-time employee, compared with the 80 images per employee in its traditional operations group. And as more applications get moved into the cloud, the cloud team’s head count can increase, and the traditional infrastructure team can be scaled back. In this way, dedicated cloud cells can eventually replace traditional infrastructure functions.

One financial-services company’s cloud team chose to let application developers and systems engineers contribute to the cloud platform’s code base. Within two years, more than half of the application teams had voluntarily moved their applications to the cloud, and the remainder were eager to follow suit once essential capabilities were established.

Sidebar: How cloud teams can apply DevOps successfully

Cloud teams can be tempted to move their development and testing work into the public cloud in order to save money by shutting down those activities for long periods while production takes place in private data centers. This works well in traditional IT delivery models with lengthy application-release cycles involving extensive manual effort.

But in a DevOps model, where virtually every activity in an application-release cycle is automated, moving development and testing into a public-cloud environment while production stays in the private cloud can cause trouble. Writing automation code that spans two or more environments can be more complex than writing automation code for a single environment, because the different environments might rely on different tools or protocols. Applications can also perform differently in different environments, such that production exposes problems that could not be caught during testing in a separate environment.

To adhere to DevOps practices, cloud teams need to place their development, testing, and production environments onto the same platform. This lets them ensure that both functionality and hardware work as planned, and it lets them make needed adjustments quickly and cost effectively. After one large personal-insurance organization deployed an integrated DevOps platform on its private cloud, it was able to shift 12 of its most critical application-development teams into a DevOps delivery model without sacrificing application uptime or performance. In fact, the company achieved a 10 percent decrease in production errors for these applications.

Cloud services can make IT organizations leaner and more nimble while giving companies access to innovative capabilities that will power their digital transformation. Migrating to public-cloud platforms poses real challenges, but these challenges can be overcome if companies progressively set up hybrid-cloud platforms according to the three practices described in this article. As leading companies have shown, the time and effort required by cloud-migration programs are more than offset by the resulting gains in the efficiency, quality, and speed to market of digital solutions.

Mark Gu is a consultant in McKinsey’s New York office, where Krish Krishnakanthan is a senior partner; Anand Mohanrangan is a senior expert in the Silicon Valley office; and Brent Smolinski is a partner in the Atlanta office.

The authors wish to thank Mishal Desai, Arul Elumalai, Marami Kar, Kevin Major, and Marc Sorel for their contributions to this article.

Copyright © 2018 McKinsey & Company. All rights reserved.


Cloud adoption to accelerate IT modernization

Nagendra Bommadevara, Andrea Del Miglio, and Steve Jansen

The cloud is a means, not an end. Success in modernizing IT through the cloud is driven by a complete standardization and automation strategy.

Cloud-computing adoption has been increasing with the transformational strategy needed to get the rapidly, with cloud-specific spending expected to full value of the cloud. grow at more than six times the rate of general IT spending through 2020.1 While large organizations Just taking legacy applications and moving them to have successfully implemented specific software- the cloud—“lift and shift”—will not automatically as-a-service (SaaS) solutions or adopted a cloud-first yield the benefits that cloud infrastructure and strategy for new systems, many are struggling to get systems can provide. In fact, in some cases, that the full value of moving the bulk of their enterprise approach can result in IT architectures that are more systems to the cloud. complex, cumbersome, and costly than before.

This is because companies tend to fall into the trap The full value of the cloud comes from approaching of confusing simply moving IT systems to the cloud these options not as one-off tactical decisions

1 John F. Gantz and Pam Miller, The Salesforce economy: Enabling 1.9 million new jobs and $389 billion in new revenue over the next 5 years, IDC, September 2016.

Digital McKinsey: Insights December 2018

but as part of a holistic strategy to pursue digital transformation. Such a strategy is enabled by the standardization and automation of the IT environment through an open application-programming-interface (API) model, adopting a modern security posture, working in an automated agile operating model, and leveraging new capabilities to drive innovative business solutions. While the cloud is not a prerequisite for any of these features, it does act as a force multiplier. Companies that view cloud capabilities in this way can create next-generation IT capable of enabling business growth and innovation in the rapidly evolving digital era.

Lift-and-shift is not enough

Cloud services such as Amazon Web Services (AWS), Google Cloud, and Microsoft Azure appeal to many organizations because of their stated features, such as pay per use, ability to scale up or down based on usage, high resiliency, and self-service. All these benefits are expected to lead to much lower IT costs, faster time to market, and better service quality compared with traditional IT offerings.

However, traditional enterprises run into two major issues when moving to the cloud:

• The existing business applications were created using the traditional IT paradigm. As a result, these applications are typically monolithic and configured for fixed/static capacity in a few data centers. Simply moving them to the cloud will not magically endow them with all the dynamic features of the cloud.

• The typical technology workforce of an enterprise is well versed in developing business applications in the traditional IT framework. Most of it will need to be reskilled or upskilled for the cloud environment.

IT security is a good example. Most traditional IT environments adopt a perimeter-based “castles and moats” approach to security, whereas cloud environments are more like modern hotels, where a keycard allows access to certain floors and rooms. Unless the legacy applications that have been developed and deployed for a castles-and-moats security model are reconfigured for the new security model, migrating to the cloud may have an adverse impact on cybersecurity.2

Enterprises have been successful in adopting SaaS solutions mainly because they address these constraints in a simple fashion: the solutions replace the existing business applications and leave the development of new features to the SaaS provider. SaaS solutions have therefore become very popular for business functions such as marketing and sales, back office, and communication and collaboration. However, in most sectors, there are no mature SaaS solutions for core business functions such as billing for the utilities sector and core/online banking for financial services.

As a result, despite overall increased cloud investment, enterprise cloud adoption is maturing slowly. Many enterprises are stuck supporting both inefficient traditional data-center environments and inadequately planned cloud implementations that may not be as easy to manage or as affordable as they imagined. While some forward-thinking companies have been able to pursue advanced enterprise cloud implementations, the average enterprise has achieved less than 20 percent public- or private-cloud adoption (Exhibit 1).

Benefits of automating IT processes through the cloud

Historically, enterprise business applications have been designed to run on custom-configured IT systems, each application requiring its own

2 “Benchmark your enterprise cloud adoption,” Forrester Research, January 3, 2017, forrester.com.

Exhibit 1: On average, enterprise cloud adoption remains low, at around 20 percent.

[Bubble chart. Vertical axis: share of server images deployed in private or public cloud (0 to 100). Horizontal axis: maturity of cloud capabilities (Virtualization+, Basic cloud, Advanced cloud). Series: Financial services, Insurance, Healthcare, Other. Bubble size represents volume of server images. Median adoption rate is 19.]

Source: McKinsey Enterprise Cloud Infrastructure Survey 2016

heavily customized configuration of computer storage and network resources. As a result, IT needed armies of administrators just to keep systems updated and running, to add new capacity manually when demand is high, or to apply quick fixes for issues such as low performance. As the number of IT solutions has increased, so has the overhead necessary for testing, integration, and maintenance. In a typical enterprise, just a fraction of IT personnel are focused on designing and developing the market-differentiating solutions the business cares about; the rest are working simply to “keep the lights on.”

Standardizing system configurations and automating IT support processes can reverse that ratio. By enabling enterprises to manage their infrastructures better, companies can not only save on costs but also shorten times to market and improve service levels.

Adopting the cloud is a massive enabler of the necessary standardization and automation. With the cloud, companies can do the following:

• reduce IT overhead costs by 30 to 40 percent

• help scale IT processes up and down as needed, thereby optimizing IT asset usage

• improve the overall flexibility of IT in meeting business needs, such as more frequent releases of business features (cloud providers are increasingly offering much more sophisticated solutions than basic computing and storage, such as big data and machine-learning services)

• increase the quality of service through the “self-healing” nature of the standard solutions—for example, automatically allocating more storage to a database (we have seen enterprises reduce IT incidents by 70 percent by using cloud computing as an opportunity to rethink their IT operations)

Capturing these benefits from cloud adoption requires more than just a lift-and-shift approach when the business-application system configurations are heavily customized and IT processes are mostly manual. It requires a certain level of remediation to make IT systems more cloud oriented.

Netflix is one of the most public examples of this kind of commitment to and investment in cloud-enabled, next-generation infrastructure. It spent seven years on its transformation, adopting a cloud-native approach, rebuilding all its technology, and restructuring the way it operates. It employed APIs to reduce its monolithic legacy applications into smaller components, make them more flexible, and then move them to AWS. As a result, service availability has increased, nearing the company’s stated goal of 99.99 percent of uptime. And Netflix has seen IT costs for streaming fall to a fraction of what they were in its own data center.

Recently, many established companies have made aggressive moves to adopt public-cloud solutions. Capital One is running the bank’s mobile app on AWS, GE Oil and Gas is migrating most of its computing and storage capacity to the public cloud, and Maersk is migrating its legacy systems to reduce cost and operational risk while enabling advanced analytics to streamline operations.

Pioneer organizations are also actively seeking ways to leverage the new services on the cloud to create innovative business solutions. Progressive deployed its Flo chatbot on the public cloud; NASCAR is leveraging machine-learning solutions on the cloud to analyze real-time and historical race-car data to improve performance and simulate scenarios.

Even “born digital” companies that initially chose, for strategic reasons, to have their own IT infrastructure and systems are opting to move to the cloud to leverage the scalability and the higher-order functionality it offers. Spotify is a prime example.

How to approach the cloud transformation

Fully embracing the cloud can have a significant upside but also requires substantial up-front investments in what is often a multiyear journey. For this reason, an all-in transformation approach needs active commitment and a clear mandate from the CEO and board over the long term (see sidebar, “A tale of an all-in transformation”).

Specifically, there are four key topics companies should address for successful cloud adoption at scale:

1. Decide on sourcing. It is difficult for most companies to build their own cloud-technology stack and even harder to maintain it. Partnering with public-cloud providers to build and manage the cloud stack is the more typical approach. In most cases, the pragmatic way to start is with use

A tale of an all-in transformation

A Fortune 100 company with a $2.2 billion annual IT spend ($800 million on infrastructure costs alone) was struggling with the cost and complexity of its legacy IT environment. Its IT department was supporting 8,000 applications (including 150 instances of SAP) and 20,000 workloads. Not surprisingly, provisioning was slow. It took more than 45 days to set up a server, and the company knew this was not sustainable.

Consequently, the company invested more than $200 million in an aggressive digital transformation. It replaced expensive colocated contracts and moved its systems to a software-defined data center.

The company first defined its cloud-sourcing strategy, grounding it in an aggressive move to a hybrid model (both public and private cloud), as public-cloud options were still maturing in late 2013. It opted for a single strategic partner for each cloud and recently added a second public-cloud partner. It then created a cloud operating model, setting up a new 100-person team working within an agile operations framework.

Then, beginning in 2015, the company began its legacy-remediation work, moving all its applications to a private cloud, heavily incentivizing its application teams. It took an opportunistic approach to upskilling IT: every application team that wanted to use the cloud had to go through an in-house training program.

Within the first six months, the company had moved its complex SAP environment to a private cloud and adopted a cloud-first policy for all new applications.

It was a significant effort, but the company achieved a return on its investment in fewer than four years. Less than three years in, the company has moved more than 2,000 workloads and two petabytes of data to the public cloud. The company had reduced costs by $90 million at the two-year mark and is on track to cut another $60 million. Automation also significantly improved performance and agility. With the transformation on track to completion in 2018, the company is now one of the largest enterprises operating on the cloud.

of a single cloud-service provider while adopting the necessary guiding principles to avoid being locked into one provider.

After achieving a certain scale and level of maturity—in our experience, a good rule of thumb is to plan for an annual run rate of $30 million with the primary cloud-service provider—an enterprise can explore a second or third service provider for scaling up.

2. Create a public-cloud operating model. Unlike traditional operating models, the public cloud requires IT to manage infrastructure as code. This requires software engineers who understand the compute, storage, and security protocols of the public cloud (as opposed to network engineers or system administrators). For most enterprises, this translates to a massive upskilling of the infrastructure organization and the operating model in which they work. Specific teams need to be assigned to configure and manage the production environment.

3. Remediate legacy applications. Existing applications will need to be refactored at the infrastructure and application layers to align with the security and capacity requirements of the public cloud. Security must be baked into these applications, and they must work in a more automated fashion. This requires significant attention from application teams, which can be hard to get.

Companies can address this hurdle by creating a clear business case for legacy-application modernization, aligning the migration schedule with major application upgrades or replacements, and adopting foundational solutions (such as API frameworks) to make the remediation easier.

4. Cultivate the right skills. Professionals must be able to develop applications on the cloud (specifically on the vendor’s system) securely and quickly. To do this, companies will need to hire and train cloud experts and then introduce them into development teams, retrain or upskill the existing workforce, and set up digital-innovation labs as needed, with an emphasis on cloud development.

This aggressive approach relies on true commitment from leadership in the form of money (one financial-services business is investing $300 million in a cloud transformation) and time (these programs can take two to three years). That is because, in executing a cloud transformation, multiple things need to happen at the same time. In many cases, for example, a core group of cloud engineers prepares for the cloud migration by setting up the cloud environment, hardening it, looking at applications to move, and creating tools for migration. Meanwhile, the main IT team is being trained in how to work in an agile way. This approach has significant management challenges, but with strong leadership, it is the fastest path to transformation.

Many enterprises, however, are not yet ready to take the full plunge into the cloud, perhaps because organizational buy-in is lacking, there is a reluctance to invest the required resources in a multiyear effort, or they face regulatory constraints. These organizations can achieve significant benefits in the short-to-medium term, albeit on a smaller scale, by adopting the cloud’s agile and automated operating model within their traditional IT. This approach builds important organizational capabilities and prepares the business for a cloud transformation when it is ready.

Companies have eagerly adopted agile methods for application development and are actively pursuing automation or DevOps (such as continuous integration and continuous delivery), but the same approach can have an even greater impact on IT operations and infrastructure. By organizing the infrastructure function into tribes of small, cross-functional, self-directed squads with product owners to prioritize work and scrum masters responsible for removing barriers, IT departments can prioritize work in ways that increase productivity, quality, and speed. In addition, the continuous automation program, over time, can further infuse cloudlike capabilities into traditional IT, such as APIs for interactions between developers and infrastructure (Exhibit 2).

With the goals of improving service levels and reducing costs, one major life-insurance company adopted an agile approach within its 250-person IT operations groups. The company began by assessing the state of its current infrastructure—its core processes, organizational model, metrics, key performance indicators (KPIs), and historical demand—and developed a hypothesis about what it might achieve with a more agile approach. It created a leadership program appropriate to agile methods,

Exhibit 2: The agile/DevOps operating model is proving to be even more applicable in infrastructure than in application development.

[Diagram: incoming work for a product/service is split into two streams.

Planned demand: projects (internal and external), audit, patching, nonstandard requests, etc. Handled by agile squads (scrum).

Unplanned demand: incidents, service requests, changes, and housekeeping work (eg, log reviews). Handled by operation teams (kanban).

Story pointing and understanding of incoming demand allows for data-informed:
• productivity improvements
• automation investments
• understanding of demand drivers

Automation and DevOps: When systems are stable and operations work is mostly automated, a DevOps-style operating model can be implemented (single team owning both the planned and unplanned demand for a given product/service).]

Source: McKinsey analysis

adopted the necessary tools, and conducted an agile-for-infrastructure boot camp for stakeholders.

Within six weeks, the IT infrastructure group started planning for ongoing projects, conducted training sessions for senior leaders and infrastructure teams, and set a goal for what ongoing operations should look like. It fully leveraged the scrum methodology for planned work such as projects and kanban—a methodology for managing the creation of products emphasizing continual delivery—for unplanned work such as incidents and service requests. By the end of the second month, the company had achieved the operational model it envisioned and was able to begin designing service-management processes and launching automation initiatives.

It completed the initial transformation in six months, cutting IT costs by more than 35 percent and doubling productivity. The insurer plans to automate up to 80 percent of its operations work, driving costs down even further and significantly improving its service levels. Today, it is well positioned to move more aggressively to the cloud in the future.

The rules of the cloud game

There are many actions enterprises can take that have proved valuable to early adopters of cloud-enabled next-generation infrastructure. These include but are not limited to the following:

• Evaluating the current IT portfolio. Before beginning any cloud development or migration, take a dispassionate look at the existing IT portfolio to determine what is suited for public-cloud platforms or SaaS alternatives.

• Choosing your transformation approach. Involve all key stakeholders in determining whether your enterprise will be an aggressive or opportunistic transformer.

• Articulating IT and business goals. Create a well-defined set of outcome-oriented aspirations for both the short and long terms in line with your approach.

• Securing buy-in. Ensure commitment and investment from senior management, particularly finance leaders, who must support the transfer from capital to operations and maintenance investment/accounting.

• Addressing change management. A heavily automated agile operating model will require significant shifts in IT behaviors and mind-sets. Invest in both change management and the development of cross-functional skills across infrastructure, security, and application environments.

• Adopting new KPIs. Measure and reward your technology team for standardization and automation rather than, say, for availability.

By viewing cloud computing as a starting point for IT automation, companies may be able to have it all: scalability, agility, flexibility, efficiency, and cost savings. But that is only possible by building up both automation and cloud capabilities.

Nagendra Bommadevara is a partner in McKinsey’s New York office, Andrea Del Miglio is a partner in the Milan office, and Steve Jansen is an associate partner in the Charlotte office.

The authors wish to thank Thomas Delaet, James Kaplan, Pankaj Sachdeva, and Anand Swaminathan for their contributions to this article.

Copyright © 2018 McKinsey & Company. All rights reserved.

Scyther5/Getty Images

Reimagining software services for the cloud and the digital world

Chandra Gnanasambandam, Rahul Mangla, and Jigar Shah

Customers expect software firms to do more to help deliver outcomes. Software vendors must therefore evolve their professional-services capabilities to meet the new needs.

The growing prevalence of subscription business models and next-generation technologies is fueling large-scale digital transformations to make companies more productive, smarter, and faster. These trends portend a significant change in the way B2B software vendors support newly digital companies.

In the past, the professional-services arms of software companies focused on installing, customizing, and deploying applications for customers. Today, they must help customers design, implement, and adopt new technologies (for example, machine-learning-based applications and blockchain) and migrate workloads to the cloud. In short, software companies are now called on to be partners, not just vendors. And this means that the software industry is being challenged to reassess its entire approach to professional services.

We find that many software vendors encounter challenges navigating these shifts. Until now, their primary areas of focus have been R&D, sales, and marketing. For some companies, the professional-services unit was viewed as a cost center or, at most, a low-margin revenue generator. Many professional-services businesses therefore haven’t invested in the new tools and capabilities they need to propel their operations. That’s a mistake. Software vendors must strengthen their professional-services offerings to meet their customers’ new demands and to maintain or increase their market share.

To transform the services business and position it for the future, software companies must act along five dimensions: defining the strategic vision for services, reimagining the services portfolio, investing in skills, adapting the services-sales model, and delivering services more efficiently.

Define a strategic vision for the services business

The first step in such a transformation is to define the vision and strategy. Specifically, software vendors need to consider the service business’s role (market making or value delivery), economic purpose (growth or profit maximization), and size (the share of the services ecosystem in the company’s revenues). That effort should include a thoughtful evaluation of the company’s product capabilities and market landscape as well as the maturity of the partner ecosystem. Services should evolve to fit a product’s evolution—as customers move their applications to the cloud, for example, the services organization must move away from serving on-premises products.

The role of the services organization must also match the company’s goals. A vendor with new products may need the organization to play a greater market-making role by helping to increase their rate of adoption. But a software vendor with a mature product line may instead need a services organization that helps the vendor’s partners provide third-party services to the vendor’s customers. Leaders must determine whether the services organization should be a growth engine to drive the adoption of products or an efficient operation to maximize profits.

Finally, it’s crucial to establish the desired size of the services business and how much work should be left to third parties (Exhibit 1). We find that top vendors seek to provide 10 to 15 percent of the professional services their products require, with the balance provided by partners. For new, unestablished software products, however, a vendor might provide 40 to 50 percent of the services for the first two years and then taper off as third parties take over.

Exhibit 1: The role and size of the professional-services organization must be defined for each product area and customer segment.

[Chart. Vertical axis: vendor share of market for professional services, % (0 to 50). Horizontal axis: time since product initiation. Phases: Market making, Partner enablement, Steady state.]

Reimagine the services portfolio

To help customers succeed throughout a digital transformation, B2B software vendors must typically provide a mix of advisory, implementation, and customer-success services—on top of basic installation. Advisory services make it possible for vendors to help conceptualize and design large, complex digital-transformation projects. A big multinational company moving its finance functions to the cloud, for example, would probably need its software-as-a-service vendor to help it design

cloud-based processes, the on-premises and cloud architecture, data models, and more.

Implementation services can help vendors give customers the speed they require by helping them to deploy transformative products rapidly and to use advanced technologies, such as the Internet of Things (IoT) and machine learning. A manufacturing company looking to implement an IoT-based digital supply-chain solution, for instance, might use a vendor’s implementation services to establish proof of concept and rapidly integrate it with the company’s existing supply-chain-management system.

Customer-success services, another integral component of the new professional-services offerings, help customers maximize the value of their software purchases—for example, by using analytics to increase business value. For the vendor, these services not only promote adoption and usage but also reduce churn and therefore boost subscription revenues, which capital markets value disproportionately.

Invest in skills

We often find that to accomplish this substantial portfolio shift and offer these new capabilities, software leaders must fundamentally rethink their people and partner strategy. Training and hiring for the new roles requires a wholly different approach.

Instead of providing standardized training for all members of the services organization, a company should help its employees to learn through the lens of the specific services they will provide. Training ought to focus on this type of role-based learning; an architect and a salesperson, for example, would benefit from very different kinds of training, and account managers transformed into customer-success managers would need broader training. Learning journeys are an effective tool to manage the different training programs required to accommodate all the new services customers need (Exhibit 2).

Even with the most thorough training, the nuances of professional-services roles are learned on the job, especially when customers go through their own digital transformations. Supporting the

Exhibit 2: Learning journeys and maps are effective tools to guide retraining of the professional-services workforce.

[Chart. Respondents undergoing a transition, %: Key transition, 15–20; Strengthening of specific skills, 80–85. Supporting learning-journey type labels: End to end, Basic orientation, Fully competent, Just in time, Stay connected.]

professional-services team with a resource library that its members can access in any situation will be critical. The customer-success organization, for example, would be able to draw on a tactical tool kit and resource repository if a customer struggled to start a new installation.

Professional-services organizations now require many different skill sets to support their customers’ digital transformations, so they must often hire external talent—a process that should start with data. The ability to mine profile and skills data on LinkedIn can be a key differentiator in hiring; cluster analyses on LinkedIn data, for instance, can help sort skills into categories used to find candidates and make decisions. Companies that mine these data with machine-learning tools can hire more effectively.

It’s not only the software vendors’ professional-services organizations that need to adapt—so must systems integrators and the relationships in this ecosystem. For example, when a customer adopts a bleeding-edge software solution, the vendor’s professional-services organization should provide implementation services to establish the new product in the marketplace. As the product matures, however, the implementation tasks can be transferred to systems integrators. To make this shift possible, vendors should invest in training the partner community. Like similar efforts in the vendor’s own services organization, these are most effective when conducted through the lens of role-based learning.

Transform services sales

As the services portfolio shifts, so should the go-to-market model that sells it. In the past, generalist account managers sold services. But today, when these services involve much more than just implementation, the savviest vendors recognize that they must rethink their approach to service sales (Exhibit 3).

Exhibit 3: A changing product portfolio requires a transformation in the sales of software services.

Changes in software services:

• Pushing point solutions → Delivering business outcomes for customers
• Emphasis on product expertise → Industry expertise, with focus on business outcomes
• IT-focused relationships → Relationships with business leaders
• Client conversations on specific offers → Industry-specific business needs
• Off-the-shelf value propositions → Differentiated value propositions

As the need for more types of services grows, roles in the sales process must adapt, along with the orchestration among them. A salesperson courting a bank that’s looking to digitize more of its operations, for example, might need to work with services-organization specialists who can guide both the prospect and the salesperson through specific regulatory requirements.

In the same vein, the coverage model also needs to evolve. In the past, a sales organization might have been staffed mostly by generalists, with a small subset of specialists. Now that customers demand so many highly specific services, however, the proportions of specialists and generalists have nearly flipped.

Other aspects of sales that must evolve include the way success is measured (something vendors should consider early on) and the organizational model, which involves weighing trade-offs, such as revenue accountability versus speed of innovation. Institutional capabilities should also be reexamined, especially because services organizations often lag behind their product counterparts in developing a granular understanding of customer needs at the account level.

Focus on efficient delivery

As customers demand that more services be bundled with—or even be enabled by—the platform itself, software vendors must adapt the way they think about managing the cost of services. This isn’t cost cutting; it’s investing intelligently in the right areas. The key is establishing a balance among services resources and maintaining that balance vigilantly.

Talent is the most prominent driver of costs, which is why investing in skills is so important. Finding the right balance between people hired from inside and outside the organization, and the training involved for each, is also critical. So is deciding how much to use offshore talent and contractors.

A perception has increasingly taken root, for example, that the offshoring or nearshoring of talent is less effective or impossible when software vendors shift focus away from account management and toward customer success. We’ve found that while customer-success managers certainly need to spend time at customer sites, the services engine can continue to employ nearshore and offshore resources. Newer offshoring locations, such as Eastern Europe, offer access to excellent talent.

The use of contractors must also be managed carefully. Contractors are alluring because they bring high-quality skills without overhead and can be deployed on short notice. But they are expensive, have built-in incentives to become indispensable, and may form important customer relationships that really ought to be held by full-time employees.

Through a structured, concerted effort targeting these and other cost drivers, enterprises can often improve the run-rate cost of services operations by 10 to 25 percent. In addition to improved margins, there are other benefits to improving efficiency in this way: it boosts customer satisfaction and creates headroom for investment in new capabilities and skills.

Professional services have historically been a required—but often uninspired—offering to help software companies win more enterprise customers. But the world has shifted as those customers adopt subscription products and pursue digital transformation. Today, they are moving much faster, so they need software companies that move with them as partners, not just vendors.

This is a great opportunity for software companies to cement long-term relationships and loyalty. But it also challenges them to rethink their services-business models, to develop new capabilities, and to find the right balance among advisory, implementation, and customer-success services.

Chandra Gnanasambandam is a senior partner in McKinsey’s Silicon Valley office, where Rahul Mangla and Jigar Shah are associate partners.

Copyright © 2018 McKinsey & Company. All rights reserved.

John Lund/Getty Images

Making a secure transition to the public cloud

Arul Elumalai, James Kaplan, Mike Newborn, and Roger Roberts

As enterprises scale up their use of the public cloud, they must rethink how they protect data and applications—and put in place four critical practices.

After a long period of experimentation, leading enterprises are getting serious about adopting the public cloud at scale. Over the past several years, many companies have altered their IT strategies to shift an increasing share of their applications and data to public-cloud infrastructure and platforms.1 However, using the public cloud disrupts traditional cybersecurity2 models that many companies have built up over years. As a result, as companies make use of the public cloud, they need to evolve their cybersecurity practices dramatically in order to consume public-cloud services in a way that enables them both to protect critical data and to exploit fully the speed and agility that these services provide.

1 For more, see Nagendra Bommadevara, James Kaplan, and Irina Starikova, “Leaders and laggards in enterprise cloud infrastructure adoption,” October 2016, McKinsey.com. Also see Arul Elumalai, Kara Sprague, Sid Tandon, and Lareina Yee, “Ten trends redefining enterprise IT infrastructure,” November 2017, McKinsey.com, which primarily addresses the impact of infrastructure as a service (IaaS) and platform as a service (PaaS), rather than software as a service (SaaS).

2 By cybersecurity, this article means the full set of business and technology actions required to manage the risks associated with threats to the confidentiality, integrity, and availability of systems and information. Some organizations may refer to this function as information security or IT security.

While adoption of the public cloud has been limited to date, the outlook for the future is markedly different. Just 40 percent of the companies we studied have more than 10 percent of their workloads on public-cloud platforms; in contrast, 80 percent plan to have more than 10 percent of their workloads in public-cloud platforms in three years or plan to double their cloud penetration. We refer to these companies as “cloud aspirants” (Exhibit 1).3 They have concluded that the public cloud offers more technical flexibility and simpler scaling for many workloads and implementation scenarios. In some cases, using the public cloud also reduces IT operating costs. As a result, companies are both building new applications and analytics capabilities in the cloud and starting to migrate existing workloads and technology stacks onto public-cloud platforms.

Despite the benefits of public-cloud platforms, persistent concerns about cybersecurity for the public cloud have deterred companies from accelerating the migration of their workloads to the cloud. In our research on cloud adoption from 2016, executives cited security as one of the top barriers

Exhibit 1
Cloud aspirants: Nearly 80 percent of companies plan to have 10 percent or more of their workloads in the public cloud or double their public-cloud use within three years.

[Charts, 90 companies: respondents by industry, % of group (financial services; healthcare; technology, media, and telecommunications; retail and consumer packaged goods; other); expected growth in adoption in next three years (<2× or ≥2×),¹ % of group, against workload in public cloud now (<10% or ≥10%), separating cloud aspirants from cloud skeptics.]

¹ Figures may not sum to 100%, because of rounding.

Source: McKinsey analysis

3 McKinsey conducted a global survey and in-depth discussions with IT security executives at 97 companies between August 2017 and November 2017, receiving 90 complete survey responses. Forty-one percent of these 97 companies generate annual revenues of less than $3 billion, 22 percent generate $4 billion to $10 billion, 20 percent generate $11 billion to $22 billion, and 17 percent generate more than $22 billion. Thirty-five percent of the 97 companies are in the financial-services industry; 15 percent are in the healthcare industry; 13 percent are in the technology, media, and telecommunications industry; 6 percent are in the retail or consumer-packaged-goods industries; and 31 percent are in other industries.

to cloud migration, along with the complexity of managing change and the difficulty of making a compelling business case for cloud adoption.⁴

Interestingly, our research with chief information-security officers (CISOs) highlights that they have moved beyond the question, “Is the cloud secure?” In many cases they acknowledge that cloud-service providers’ (CSPs’) security resources dwarf their own and are now asking how they can consume cloud services in a secure way, given that many of their existing security practices and architectures may be less effective in the cloud. Some on-premises controls (such as security logging) are unlikely to work for public-cloud platforms unless they are reconfigured. Adopting the public cloud can also magnify some types of risks. The speed and flexibility that cloud services provide to developers can also be used, without appropriate configuration governance, to create unprotected environments, as a number of companies have already found out to their embarrassment.

In short, companies need a proactive, systematic approach to adapting their cybersecurity capabilities for the public cloud. After years of working with large organizations on cloud-cybersecurity programs and speaking with cybersecurity leaders, we believe the following four practices can help companies develop a consistent, effective approach to public-cloud cybersecurity:

• Developing a cloud-centric cybersecurity model. Companies need to make choices about how to manage their perimeter in the cloud and how much they will rearchitect applications in a way that aligns with their risk tolerance, existing application architecture, resources available, and overall cloud strategy.

• Redesigning the full set of cybersecurity controls for the public cloud. For each individual control, companies need to determine who should provide it and how rigorous they need to be.

• Clarifying internal responsibilities for cybersecurity, compared with what providers will do. The public cloud requires a shared security model, with providers and their customers each responsible for specific functions. Companies need to understand this split of responsibilities—it will look very different from a traditional outsourcing arrangement—and redesign internal processes accordingly.

• Applying DevOps to cybersecurity. If a developer can spin up a server in seconds but has to wait two weeks for the security team to sign off on the configuration, that attenuates the value of the public cloud’s agility. Companies need to make highly automated security services available to developers via application programming interfaces (APIs), just as they are doing for infrastructure services.

Developing a cloud-centric cybersecurity model

For a company that has only begun to use the public cloud, it can be tempting to build a public-cloud-cybersecurity model using the controls it already has for on-premises systems. But this can lead to problems, because on-premises controls seldom work for public-cloud platforms without being reconfigured. And even after being reconfigured, these controls won’t provide visibility and protection across all workloads and cloud platforms. Recognizing these limitations, cloud aspirants are experimenting with a range of security strategies and architectures, and a few archetypes are emerging.

4 For more, see Nagendra Bommadevara, James Kaplan, and Irina Starikova, “Leaders and laggards in enterprise cloud infrastructure adoption,” October 2016, McKinsey.com.

The most effective approach is to reassess the company’s cybersecurity model with respect to two considerations: how the network perimeter is defined and whether application architectures need to be altered for the public cloud. The definition of the perimeter determines the topology and the boundary for the cloud-cybersecurity model. And choices regarding application architecture can guide the incorporation of security controls within the applications. These two key choices also inform one another. A company might opt, for example, to make its applications highly secure by adding security features that minimize the exposure of sensitive data while the data are being processed and making no assumptions about the security controls that are applied to a given environment.

Choosing a model for perimeter security

Among cloud aspirants, the following three models for perimeter design stand out (Exhibit 2):

• Backhauling. Backhauling, or routing traffic through on-premises networks, is how half of cloud aspirants manage perimeter security. This model appeals to companies that require internal access to the majority of their cloud workloads and wish to tailor their choices about migrating workloads to fit the architecture they have. Companies with limited cloud-security experience also benefit from backhauling because it allows them to continue using the on-premises security tools that they already know well. But backhauling might not remain popular for long: only 11 percent of cloud aspirants said they are likely to use this model three years from now.

• Adopting CSP-provided controls by default. This model is the choice of 36 percent of cloud-aspirant companies we studied. Using a CSP’s security controls can cost less than either of

Exhibit 2
Architecture options: Three models for perimeter architecture stand out among cloud-aspirant companies.

[Diagram legend: enterprise, cloud-service provider (CSP), third party; each model is drawn across private and public environments.]

• Backhauling: All public-cloud access is through private infrastructure with external gateway.
• Adopting CSP controls by default: CSP controls for public cloud only. Separate private security controls.
• Cleansheeting: Best-of-breed security controls for public cloud and private cloud.

Source: McKinsey analysis

the other perimeter models but makes it more complex to secure a multicloud environment. For larger and more sophisticated organizations, using CSP-provided controls appears to be a temporary measure: 27 percent of cloud aspirants say they will use this model in three years (down from 36 percent today).

• Cleansheeting. Cleansheeting involves designing a “virtual perimeter” and developing cloud-specific controls from solutions offered by various external providers. Used by around 15 percent of cloud aspirants, this approach enables companies to apply the best perimeter-security solutions they can find, switching them in and out as needed. Since changing solutions creates technical demands, companies typically practice cleansheeting when they have enough in-house cybersecurity expertise to select vendors and integrate their solutions. Although those efforts can slow the migration of workloads into the cloud, cleansheeting appears to be on the rise, with 47 percent of cloud aspirants saying they will use cloud-specific controls in three years. Despite the high cost and complexity of cleansheeting, organizations choose this approach so they can support multicloud environments and replace point solutions more easily as their needs evolve.

Backhauling is now the most popular model for perimeter security among the cloud aspirants we researched. However, enterprises are moving toward a virtual-perimeter model, which they develop through cleansheeting (see sidebar “A progressive outlook on perimeter-security design”). Cleansheeting is the least popular practice for managing perimeter security today, but more executives say they will use cleansheeting over the next three years than any other model.

Deciding whether to rearchitect applications for the cloud

The second choice that defines a company’s cloud-cybersecurity posture is whether to rearchitect applications in the public cloud, by rewriting code or altering application architectures (or both). Just 27 percent of the executives we interviewed said their companies do this. The benefits are compatibility with all CSPs (with container architectures, for example), stronger security (with changes like tamper detection using hash, memory deallocation, and encryption of data flows between calls), superior performance (for example, by allowing horizontal scaling in the public cloud), and lower operating costs (because app-level security protections reduce the need for a company to choose best-of-breed security solutions). However, rearchitecting applications for the cloud can slow a company’s migration rate. Because of this, a large majority of enterprises in our survey, 78 percent, migrate applications without rearchitecting them for the public cloud.

The choice of perimeter-security design, along with the choice about whether to adapt applications to the public cloud, creates six archetypes for cloud cybersecurity. In our experience, five primary criteria inform enterprises’ decisions about their overall cloud-cybersecurity model: public-cloud-security effectiveness, their desired cloud-migration rate, their willingness to pay additional security costs, their expertise implementing new security programs, and the flexibility they desire from their security architectures (Exhibit 3).

Rearchitecting applications for the public cloud improves security effectiveness but can slow down migration. Backhauling extends existing controls that companies are already familiar with to public-cloud implementations. Using default CSP controls is the simplest and most cost-effective approach.

A progressive outlook on perimeter-security design

A cybersecurity executive we interviewed at a large pharmaceutical company described a forward-looking view of perimeter-security design that is fairly typical of cloud aspirants. As the company increases its use of the public cloud, it is backhauling as a stepping stone but intends to move to a flexible architecture that leverages cloud-service provider controls where available and third-party controls for areas that CSPs do not support. Said the executive: “We lift and shift applications to the public cloud, and backhauling is an intermediate step. However, we see that CSPs and third-party tools provide more secure technology. We appreciate the shared responsibility with our CSP, but we require additional third-party tools to go beyond default CSP capabilities.”

Exhibit 3
Assessing architectures: Cloud-cybersecurity models generally follow six archetypes, which are defined by their designs for perimeter and application architectures.

Performance of archetype against evaluation criteria

[Chart: each archetype rated from low to high on the criteria below. Archetypes combine a perimeter architecture (backhauling, adopting CSP¹ controls by default, or cleansheeting) with rearchitecting applications (no or yes).]

Evaluation criteria:

• Security effectiveness: Leveraging cloud controls (from CSP or third party) increases perception of security, by drawing on providers’ expertise.
• Migration rates: Backhauling increases focus on rate of adoption, as opposed to building new capabilities or redesigning security. Rearchitecting apps is likely to slow down migration.
• Cost-effectiveness: Using CSP controls that are offered for free is the most cost-effective approach. Cleansheeting tends to increase costs because of potential duplication of controls and design expenses.
• Implementation expertise required: Cleansheeting requires the most expertise to integrate across multiple controls. Backhauling requires the least expertise, because the existing model can be extended.
• Flexibility: Cleansheeting allows companies to integrate solutions of their choosing. Adopting CSP controls provides limited opportunity for customization.

¹ Cloud-service provider.

Source: McKinsey analysis

Cleansheeting controls calls for substantial security expertise but provides flexibility and support for multiple clouds. Organizations can use these criteria to choose the best methods. That said, a company need not apply the same archetype to its entire public-cloud profile. It’s possible, even advantageous, to use different archetypes for applications with different requirements: for example, backhauling with a single CSP for a core transaction system to enable faster migration and familiar controls while using CSP-provided security controls for low-cost, accelerated deployment of new customer-facing applications.

Redesigning a full set of cybersecurity controls for the public cloud

Once enterprises have decided on a security archetype (or a mix of archetypes, with each archetype matched to a group of workloads with similar security requirements), they can design and implement cybersecurity controls. Understandably, companies are experimenting with a variety of designs for controls, and, given the pace of progress, cybersecurity executives anticipate considerable change to these controls over the next three years. Cybersecurity controls can be categorized into eight areas, which organizations need to think about in combination:

• Identity and access management. IAM solutions for cloud-based applications and data are gradually shifting into the cloud (see sidebar “Moving into the next generation of IAM”). Sixty percent of interviewees reported that they employ on-premises IAM solutions today, but only half as many expect to be using on-premises IAM solutions in three years. By that time, 60 percent of interviewees anticipate that their enterprises will rely on a third-party IAM service that supports multiple public-cloud environments and unifies IAM controls across on-premises and public-cloud resources.

• Data. Encryption of cloud data in motion and at rest should soon be standard practice. Eighty-four percent of cloud aspirants expect that within three years they will encrypt the data they store in the cloud. Over time CISOs would like to have more practical mechanisms for encrypting data in memory as well. However, interviewees have different approaches to managing encryption keys for cloud workloads: 33 percent prefer to have CSPs manage keys, 28 percent keep them on premises, and 11 percent prefer to have third parties manage keys (see sidebar “Why companies manage keys differently”).⁵

Moving into the next generation of IAM

A Fortune 500 healthcare company we spoke with has redesigned its identity- and access-management (IAM) controls for the public cloud by using the automation and analytics features of its public-cloud platforms. Specifically, it has created automated authorization schemes, based on identity services provided by a cloud-service provider (CSP), to eliminate human factors from provisioning and deprovisioning. The company has also developed a risk model that predicts each user’s behavior based on monitoring data from the CSP and compares that behavior with what is observed to determine whether the user should gain access. As a company executive told us in an interview, “Passwords are obsolete. Even MFA [multifactor authentication] is a step backward. Behavioral authentication is the next generation. With the training data from CSPs, we are taking a risk-based approach and building continuous authentication.”

5 Twenty-eight percent of interviewees declined to discuss key management.

• Perimeter. Enterprises are moving toward a virtual-perimeter model. Around 40 percent of enterprises are routing traffic via on-premises data centers today, using on-premises security controls with some form of virtual private network or direct connectivity between on-premises and public-cloud workloads as the only way to access applications or data on public-cloud platforms. But 49 percent of interviewees say they expect their companies to use third-party perimeter controls over the next three years. The transition to these perimeter-control models will typically involve developing cleansheet designs that draw on a combination of services, such as secure web gateways, web-application firewalls, and network monitoring from different third parties that support multiple clouds.

• Applications. Most interviewees (84 percent) define security-configuration standards for cloud-based applications and depend on CSPs to implement them. But 85 percent said their companies are likely to drive more developer governance as workloads move to the cloud. This is likely to be soft governance, with only 20 percent of enterprises using application-security tools or templates.

• Operations monitoring. Sixty-five percent of enterprises rely on their current security information and event management (SIEM) tools for monitoring cloud apps. This allows them to maintain a single view of their on-premises and cloud workloads. Another 30 percent use other native monitoring tools provided by their CSPs or request logs from CSPs to generate insights using proprietary data-analytics solutions. Since CSPs can provide a wealth of monitoring data, it is critical for organizations to collaborate with them on selecting solutions that provide a unified view of on-premises and public-cloud workloads.

• Server-side end points. Interviewees are mostly confident in the server-side security offered by CSPs: 51 percent indicate that they have a “high” level of comfort with CSP-provided security

Why companies manage keys differently

Companies determine their key-management practices based on various factors, such as regulatory compliance and security benefits. Two examples from our interviews show why approaches differ. An IT services company has opted to generate and manage keys using a localized private system so it can use key ownership as a mechanism to stay “in the loop” if cloud-service providers (CSPs) are forced to hand over data. The executive explained, “We are holding the key ourselves because it gives us and our compliance people confidence that only local employees have access to keys, and data cannot be accessed without our knowledge. That control gives peace of mind.”

A global pharmaceuticals and medical-products company takes a different approach, drawing on its CSP’s key-management capabilities to improve cost-effectiveness and performance. The executive we interviewed said, “Our public-cloud application functionality is improved when keys are stored in the public cloud. Public-cloud applications need the keys to decrypt public-cloud data, and so we see less security benefit to storing keys privately. We get better performance having keys closer to apps, and encryption and decryption cost less with publicly stored keys.”

for server-side end points. Many companies, especially ones that have less sophisticated security programs, believe that CSPs have more insight into and control over their server fleets than they could ever achieve internally.

• User end points. Moving workloads to the cloud ordinarily necessitates changes to controls for user devices, mainly for data-loss prevention and for protections against viruses and malware. Seventy percent of interviewees said using a public-cloud infrastructure requires their enterprises to change users’ end-point controls.

• Regulatory governance. Most cybersecurity programs are governed by regulations on data protection (such as the European Union’s General Data Protection Regulation), data location and sovereignty, and personally identifiable information. Financial institutions and healthcare organizations are also subject to industry-specific regulations. More than 50 percent of the executives we spoke with indicated that they would like their CSPs to be jointly responsible for compliance with regulatory mandates.

In selecting controls, organizations should consider all eight areas in conjunction and build a comprehensive cybersecurity architecture rather than following a piecemeal approach. Companies can start to design controls based on threat scenarios and levels of security required, and then they can apply an appropriate security-model archetype (such as backhauling or cleansheeting) to determine the best security controls and their scopes. Companies can also work with CSPs to determine which of their controls to use and which ones to procure from third parties. Finally, companies should short-list and prioritize controls that can be standardized and automated and then implement them in agile iterations.

Clarifying internal responsibilities for cybersecurity, compared with what providers will do

When enterprises migrate applications and data to the public cloud, they must depend on CSPs and third-party providers for some security controls—but they should not depend on these parties to provide all of the necessary controls. Unless companies and CSPs clearly divide all the responsibilities for cybersecurity in public-cloud environments, some responsibilities could fall through the cracks. This makes it essential for companies to develop and maintain a clear understanding of what controls their CSPs provide by having CSPs provide a comprehensive view of their security operating models, along with timely updates as those models change. (CSPs organize their cybersecurity responsibility models differently, and take various approaches to sharing them, so each situation needs to be handled carefully.) That way, companies can design and configure controls that work well in multiple cloud environments and integrate well with various tools, processing models, and operating models.

Based on our experience and research, we find that enterprises can benefit greatly from collaborating with CSPs across the full cybersecurity life cycle, from design to implementation and ongoing operations. However, four main areas emerged as top priorities for collaboration between companies and their CSPs:

• Transparency on controls and procedures. Companies should get CSPs to provide full visibility into their security controls and procedures, as well as any exposure incidents. Companies will also need to understand each CSP’s ability to conduct security audits and penetration testing.

• Regulatory-compliance support. Companies should ask their CSPs to provide detailed descriptions of the assurances they provide with

regard to regulatory compliance, inquire about how they stay abreast of regulatory changes for each industry, and update their compliance mechanisms accordingly.

• Integrated operations monitoring and response. Companies will likely have to collaborate with CSPs when it comes to integrating their SIEM tools in a way that supports centralized security administration. Companies should request that their CSPs provide them with comprehensive reporting, insights, and threat alerts on an ongoing basis. They can pass on insights to help CSPs develop new capabilities for all their tenants. They must also ensure that CSPs make logs readily available in formats that companies can process using on-premises analytics tools.

• Multicloud IAM capabilities. Companies should insist that CSPs provide native multifactor authentication. Those that use identity as a service (IDaaS) or on-premises IAM solutions will need to work with CSPs to integrate them properly, so they have adequate support for multiple public-cloud environments. Companies should also have their CSPs share their IAM road maps so the companies can plan to take advantage of features such as behavioral authentication and role-based access.

Applying DevOps to cybersecurity

DevOps is an increasingly prevalent approach to integrating development and IT operations that supports continuous delivery of new software features, in part by providing developers with APIs to access operational services. Secure DevOps (sometimes called “SecDevOps” or “continuous security”) integrates security reviews, implementation of security controls, and deployment of security technology with the DevOps approach that many teams have already adopted for movement into the cloud. Integration is achieved by automating security services across the full development cycle and making them available via APIs (Exhibit 4).

Secure DevOps enhances all categories of security controls for the cloud by shortening deployment timelines and reducing risk. For example, some companies have policies requiring the classification of all data. But when data can only be classified manually, the necessary effort adds time to deployment schedules. With secure DevOps, mandatory data classification becomes much more practical, because all data receive a default classification based on preset rules. As a result of that improvement, and others provided by secure DevOps, organizations can decrease their risk of breaches in public-cloud environments while reducing or removing delays that would have been caused by manually classifying data before they are stored.

Adopting secure DevOps requires companies to foster cultures in which security is a key element of every software project and a feature of every developer’s work. Many developers will need additional security training to provide effective support during and after the public-cloud migration. Training will also help developers understand the security features of the tools they are using, so they can make better use of existing security APIs and orchestration technologies and build new ones.

Companies should streamline their security-governance procedures to make sure they do not cause delays for developers. As companies automate their security controls, they can make controls fully visible to developers. That way, developers can independently check whether controls are working properly in the background, rather than delaying work to consult with security specialists. Automating the processes of auditing security mechanisms is also helpful. For example, companies can require

Exhibit 4
Traditional security models make it harder to take advantage of cloud’s speed and agility.

Cloud-deployment process with secure DevOps

Architecture and design. Enhancements:
• Developers with architecture-security expertise design more secure architectures from project inception
• Architectures are approved for implementation faster, without the need for security team’s oversight

Implementation. Enhancements:
• Developers with secure coding expertise introduce fewer vulnerabilities
• Modular security components “snap in,” without separate design and implementation
• Milestones achieved faster, without the need for security team’s oversight

Code review. Enhancements:
• Secure code scanners conduct automated code reviews for common vulnerabilities
• Developers with secure coding expertise locate and eliminate vulnerabilities before they can be accepted into code base

Security challenge eliminated: No need for design, implementation, and code reviews to be performed by developers with specialized security knowledge

Testing. Enhancement:
• Security test cases are created and automated by team’s own developers, without need for outside assistance from security team

Deployment. Enhancements:
• Application programming interfaces for cloud-environment creation include functions to specify secure configuration
• Configurations are done securely by default, with strong encryption and authentication preselected

Security challenge eliminated: No need for separate testing, because cloud environments are configured to security standards by default and instrumented before deployment into products

Entire process. Enhancements:
• Lower-cost cloud operations
• Faster cloud deployment, with shorter development cycles between versions
• Decreased maintenance costs with increased monitoring fidelity
• Pervasive automation institutionalizes repeatable security

Source: McKinsey analysis

that code is automatically scanned every night for compliance with policy and integrate build-time checks of security components into applications.

To implement secure DevOps, companies also change their IT operating model so security implementation becomes a part of the cloud-development and -deployment processes. In such an operating model, a properly trained development team is the security team; no outside engagement is needed to obtain the right security expertise. Embedding security expertise in the development team eliminates delays in the cloud-deployment process and permits the development team to iterate much faster than traditional security models allow.

How companies can begin strengthening cybersecurity in the cloud

The four practices we have described for structuring a public-cloud-cybersecurity program should enable companies to take greater advantage of public-cloud platforms. Nevertheless, setting up the program can be a complicated task, because companies have multiple cloud workloads, CSPs, on-premises and private-cloud capabilities, locations, regulatory mandates, and security requirements to account for. This ten-step workplan will help companies stay coordinated as they move through design, development, and implementation of their public-cloud cybersecurity programs:

1. Decide which workloads to move to the public cloud. For example, many organizations choose to move customer-facing applications or analytical workloads to the public cloud initially, while keeping core transaction systems on premises. Then they can determine security requirements for workloads that are migrated.

2. Identify at least one CSP that is capable of meeting security requirements for the workloads. Companies may choose multiple providers for different workloads, but these selections should be consistent with the objectives of the company’s overall cloud strategy.

3. Assign a security archetype to each workload based on the ease of migration, security posture, cost considerations, and internal expertise. For example, companies can rearchitect applications and use default CSP controls for customer-facing workloads, and they can lift and shift internal core transaction apps without rearchitecting while backhauling for data access.

4. For each workload, determine the level of security to enforce for each of the eight controls. For example, companies should determine whether IAM needs only single-factor authentication, requires multifactor authentication, or calls for a more advanced approach such as behavioral authentication.

5. Decide which solutions to use for each workload’s eight controls. Given the capabilities of the CSP (or CSPs) identified for each workload, the company can determine whether to use existing on-premises security solutions, CSP-provided solutions, or third-party solutions.

6. Implement the necessary controls and integrate them with other existing solutions. This requires the company to gain a full understanding of CSPs’ security capabilities and security-enforcement processes. CSPs need to be transparent about these aspects of their offerings.

7. Develop a view on whether each control can be standardized and automated. This involves analyzing the full set of controls and making decisions on which controls to standardize across the organization and which ones to automate for implementation.

8. Prioritize the first set of controls to implement. Controls can be prioritized according to which applications a company migrates and which security model it chooses to apply.

9. Implement the controls and governance model. For controls that can be standardized but not automated, companies can develop checklists and train developers on how to follow them. For controls that can be standardized and automated, companies can create automated routines to implement the controls and to enforce standardization, using a secure DevOps approach.

10. Use the experience gained during the first wave of implementation to pick the next group of controls to implement. Drawing on this experience will also help improve the implementation process for subsequent sets of controls.

Companies are steadily moving more of their applications from on-premises data centers and private-cloud platforms to public-cloud platforms, which provide superior levels of cost-effectiveness, flexibility, and speed in many situations. But public-cloud migrations will only succeed if companies maintain the security of their applications and data—a task that some have struggled with.

Our experience and research suggest that public-cloud cybersecurity is achievable with the right approach. By developing cloud-centric cybersecurity models, designing strong controls in eight security areas, clarifying responsibilities with CSPs, and using secure DevOps, companies can shift workloads to the public cloud with greater certainty that their most critical information assets will be protected.

Arul Elumalai and Roger Roberts are partners in McKinsey’s Silicon Valley office, James Kaplan is a partner in the New York office, and Mike Newborn is a senior expert in the Washington, DC, office.

The authors wish to thank Yash Agrawal, Rich Cracknell, Srikanth Dola, Lisa Donchak, Dan Guo, James Manyika, Brent Smolinski, and Adam Tyra for their contributions to this article. They also wish to express their thanks to the security team members at Google Cloud for their input and insights and to the more than 100 security executives who shared their practices and plans, without which this article would not have been possible.

Copyright © 2018 McKinsey & Company. All rights reserved.

Atomic Imagery/Getty Images

Learning from leaders in cloud-infrastructure adoption

A crucial benefit of cloud adoption is a decrease in time to market for new applications, which in turn can drive down costs and quickly improve product quality.

Companies that have taken the initiative to adopt a cloud infrastructure rather than rely on server technologies have found that the advantages are well worth the investment of resources. In this transcript of a McKinsey Podcast, McKinsey partner Irina Starikova speaks with McKinsey Publishing’s Roberta Fusaro about what laggards in the enterprise cloud-infrastructure space can learn from leaders finding business uses for cloud technologies.

Roberta Fusaro: Let’s start this discussion on the ground. What is the cloud, and what are some examples that we might run across in our day-to-day lives?

Irina Starikova: Put very simply, the cloud is a network of distributed servers that are hosted on the internet, and those servers are managed in a highly automated way. They’re also shared by many applications at the same time, and that results in three kinds of outcomes.

First, you have much lower cost of hosting applications and data. Second, you have much faster speed of putting new applications on that infrastructure. Lastly, you have much better reliability and security for your applications.

Those servers can be either internal for your enterprise—and we call them private cloud—or they can be owned or managed by a third party. In that case, you would call them public cloud or managed private cloud. We use applications and data that are hosted on cloud technology every single day. In our personal lives, there are very few things that you do when you’re turning on an application on your phone or you’re sharing data with someone that would work without cloud technology in the back end.

The examples run the gamut of everything you do in your daily life. You can be shopping on Amazon. You could be watching Netflix, sharing pictures with your family, getting an Uber, ordering food on DoorDash. Or you could be booking your SoulCycle session.

That all involves some sort of cloud technology in the back end to make it work. Similarly, when you think about our clients, most large companies today use cloud technology quite extensively. That could be a private cloud that they’re managing in their own data center, or they could be using services by public-cloud providers such as Amazon Web Services, Google Compute Platform, Azure, or IBM.

Roberta Fusaro: How have cloud technologies and the market for cloud solutions evolved over the past three to five years?

Irina Starikova: The overall market for those services has really taken off. If you look at the latest reports by all leading market analysts, everyone is putting it well above $200 billion.

There’s hardly any debate about this being a huge thing happening. Secondly, when you look at enterprise adoption of cloud, that also started to change dramatically, and it’s shifted a lot from private cloud to public cloud.

To give you some numbers, through our surveys, we found out that more than half of all enterprises of any size plan to shift at least some applications completely to the public cloud in the next two to three years. That’s the change that we started to see happening in the last two years.

Those things have a huge impact on the overall enterprise-technology ecosystem. If you think about several years back, enterprises were direct buyers of 35 to 40 percent of all server and storage technology. Now some analysts expect that the share will shrink to less than 20 percent, and that will happen as soon as the next two years. That has huge implications, obviously, on all providers of server-storage networking technology as well as service providers that exist in the ecosystem around that.

Roberta Fusaro: How have companies’ discussions about the cloud changed over the past three to five years?

Irina Starikova: In addition to this shift of enterprises to use public-cloud services a lot more, we also see that there’s a shift in conversation to the scale of adoption. People are talking about what it’s like to be using the cloud for a majority of applications in their portfolios. Another big set of conversations that has changed significantly is related to the security and compliance requirements of the public cloud. Let me take those one by one.

On scale of adoption, companies are no longer happy to be using the cloud for just a small share of their overall data-center footprint or a small share of their application portfolio. There’s a lot of focus on what it would take to really adopt the cloud at scale and what it would take to adopt public-cloud services at scale.

On the security and compliance side, we’ve gone away from talking about how that is the hugest barrier to using public-cloud services. Now you have a lot more advanced conversation on what the right controls are and what the right standards are to protect information in the public cloud.

Security is still very important, and compliance is still a nonnegotiable thing for many of our clients. But what is happening now is that instead of saying, “OK, we’re just not even going to discuss cloud because of those constraints,” people are saying, “OK, well, those constraints are there. Let’s talk about specifically how they’re going to be addressed when we use public-cloud services.” And, frankly, even for clients that are coming from highly regulated industries that have to worry about highly sensitive patient information or customer information that is considered highly personal, we already see many examples of those companies moving to adopt public-cloud services at scale for a pretty large variety of different applications.

Roberta Fusaro: McKinsey’s Enterprise Cloud Infrastructure Survey sheds light on what’s really going on with cloud adoption. When was it conducted? And who participated?

Irina Starikova: We started the survey in 2014. Over time, we’ve collected information from more than 50 large enterprises that are based either in North America or in Europe. We wanted to understand what cloud technology they were adopting, how they were adopting it, and at what pace.

For a good majority of those enterprises, we have multiple observations across this time period, so we can see how they have evolved over time. We were able to include companies here from a variety of different industries. So we have just as many companies from nonregulated as well as regulated spaces as well as company sizes and different levels of cloud adoption and sophistication.

Companies are still investing in pretty complex private-cloud platforms. And those companies, we believe, first went down this path because they thought that the public cloud was not secure enough or not meeting compliance requirements they have. Some of them chose more sophisticated platforms to build something that can meet the needs of many different applications in their portfolio. They did that over choosing a more practical and simpler approach that is going more aggressively after broader adoption—and, frankly, better impact—from using simpler solutions, while some companies are continuing to build those complex private-cloud platforms. We sometimes talk about that as a big, hairy science project. There are clearly companies that are emerging as leaders in cloud adoption, and we are calling them “cloud savvy.” They have achieved a lot higher adoption of cloud.

We measure that as a share of their overall hosting environments that are based on cloud technology. The difference between leaders and laggards here is pretty stark. We’re talking in some cases about a gap of 40 to 50 percent. Some leaders in the same market and in the same industry would have over 40 or 50 percent share of their environments on cloud, whereas the laggards would have single-digit percentage share. What leaders have done differently in those cases is that they focused a lot more on building organizational capabilities rather than overinvesting on technology engineering.

They were not striving to create a perfect technology solution but were, first of all, focused on getting meaningful results. So they tested and learned and adjusted their strategies along so that they focused a lot more on getting results rather than science projects.

Roberta Fusaro: Clearly your research found leaders and laggards—a lot of companies that have a way to go with their cloud programs. What lessons can the laggards take from the leaders?

Irina Starikova: The benefits are quite significant, and there were multiple types. The number-one benefit that many leaders saw from adopting cloud was in time to market. What that means is that they were able to deploy new applications using cloud services a lot faster than they were able before. Sometimes we were talking about the difference between weeks cut down to a few hours and sometimes less than one hour.

The importance of that time to market is that the business of those organizations were able to deploy changes to their products a lot faster than they were ever able before or they could change some of their internal processes that they were transforming a lot faster.

What comes clearly in the second and third place in terms of benefits are cost reductions and quality improvements. What that means simply is that the total cost of operating your hosting infrastructure has gone down quite significantly because of the cloud. Similarly, the quality, the reliability, of that service has improved a lot in the same time.

Roberta Fusaro: I noticed that one of the major themes that emerged from the research was this notion around openness to the public cloud. This point has been cited in a lot of external media. Can you talk a little bit more about this point?

Irina Starikova: In part, this has been happening because some of the cloud-service vendors have become a lot more aggressive. They have invested a lot in their enterprise sales forces and have been beating on the doors of a lot of them.

In parallel, the economics of public-cloud services have changed a lot in the last three years and have become comparable to what some of the most efficient private-cloud environments were able to achieve.

So it has become a lot easier for our enterprise clients to be able to see that they can save quite a bit by moving to the public cloud. Of course, it also happened because the security standards started to emerge for the public cloud. As we already said, the conversation around security and compliance has shifted from that being the major barrier to it no longer being a major barrier but instead being something that needs careful understanding and analysis and engineering before any applications can be shifted to the public cloud.

Roberta Fusaro: There’ve been wide reports of a number of security breaches in government agencies and companies and so forth. I’m wondering if any of that has had any impact or could have any impact on the data points that you cited.

Irina Starikova: Absolutely. There will always be concerns. All of the cybersecurity questions and unfortunate incidents recently have brought it back to the top of mind for everyone. There’s a much better understanding of how security in the public cloud works, how it is different from what companies have been able to build internally in their own data centers within their own walls, and understanding where the public cloud could be better, stronger, than what folks are able to do today. You start to understand a lot better what the weaknesses are and what the available tools are for you to address those weaknesses.

At the same time, what’s been interesting to see is what other concerns have become the top barriers on the top of mind of enterprises for adopting public cloud, much more practical questions, such as, what is the cost? What is the complexity to move away from what the enterprises have accumulated in their own data centers?

Another one that often comes up in conversation is related to vendor lock in. Many enterprises are concerned about the concentration that is happening in the provider space. Increasingly, the top four players are gaining bigger and bigger market share away from all of the other players.

Roberta Fusaro: Looking at those two particular concerns—these notions of moving away from legacy systems and avoiding vendor lock in—did your research turn up any best practices or any advice for avoiding those traps? Or mitigating those traps?

Irina Starikova: A number of companies are starting to ask for better standards or interoperability commitments from the biggest vendors, so that it becomes easier for enterprises to shift between those players and avoid the vendor lock in, avoid being attached to one single one.

Roberta Fusaro: Notwithstanding the very legitimate issues that were surfaced in the survey, do you think everything is going to end up in the cloud? Storage, computing, everything?

Irina Starikova: I love this question. Let me explain what I mean by that. By the year 2020, which is not that far away, I can see that up to 80 percent of enterprise applications can be in the public cloud. Whereas the remaining 20 percent would be in their own data centers in the private cloud because of legacy, cost, or security reasons. What I also believe is that the 20 percent might be even a smaller figure for some companies in nonregulated industries.

What I am also fascinated by is learning stories about digital-born companies, so those companies that have existed for ten years or less. When you ask about how they’re doing their infrastructure and what they’re doing with cloud, you almost never hear that they’re building their data centers. They have all embraced the public cloud as just the right thing to do.

They, frankly, are saying, “This is not our competency. Why would we build our own electrical power station? No one does that anymore.” Similarly, we see those companies completely move away from the concept of building infrastructure by themselves. They have clearly stated that they will not own their own data centers.

Roberta Fusaro: For the companies that do own their own data centers, what lessons can they take from digital-born companies and other leaders that have kind of gone in another direction?

Irina Starikova: The four big lessons that we’ve learned from the leaders in cloud adoption from our survey are all about building organizational capabilities rather than technology.

The first one is, focus on the migration road map and focus on getting meaningful migration results, basically executing on your plan. The second one is to look for ways to improve the experience for application-development teams, iterating on that as you go, because you will never get it right the first time. The third lesson is around being very clear on the business case and understanding, as you go with the migration, how that business case is realized and what kind of incremental decisions are changing that business case or helping you to realize the benefits you went after from the get-go. The final lesson learned is around understanding the operating-model implications of using the cloud services at scale. There are really huge implications on what kind of skill sets are required, how different teams within your IT department would operate with each other and with the business units.

The cloud leaders in our research have embraced and have done a lot against all of those four areas.

Roberta Fusaro: I had one last question about supporting a cloud-operating model. I’m just wondering, how hard or how easy is it for companies to make that wholesale change? And what are some key questions that executives need to ask themselves if they’re thinking about making this journey?

Irina Starikova: That’s a great question, Roberta. This is, frankly, one area where we’ve heard from a lot of companies we’ve been working with—that operating model is the hardest thing to get done right when migrating to the cloud at scale.

Even companies that anticipated that it would be hard were surprised by how much harder it was than they initially thought. What we are talking about here is that you not only change the skill sets quite fundamentally, you are rescaling a big portion of your infrastructure teams. You’re also changing some of the processes: what those folks are working on day to day and how they interact as well as how they are working with other teams inside IT.

Roberta Fusaro: That’s interesting, because you think of the term “cloud” as being very ethereal, right? But the actual work on the ground, there’s a lot of nuts-and-bolts tactics that executives need to be involved with in order to adopt enterprise cloud and be successful with it.

Irina Starikova: Yes. None of those changes happen in a short period of time, either.

Irina Starikova is a partner in McKinsey’s Silicon Valley office. Roberta Fusaro is a member of McKinsey Publishing and is based in the North American Knowledge Center.

Copyright © 2018 McKinsey & Company. All rights reserved.

About Digital McKinsey

We help imagine and deliver digital reinvention by bringing together the best of McKinsey’s digital capabilities. We work with clients to first uncover where meaningful value exists and then create and implement the right solution—from building a new business to developing an IT architecture to delivering a customer experience.

Digital McKinsey brings together more than 2,000 experts from across our global firm—including more than 1,500 developers, designers, IT architects, data engineers, agile coaches, and advanced-analytics experts.

For more information, visit DigitalMcKinsey.com.

45 December 2018 Designed by Global Editorial Services Copyright © McKinsey & Company McKinsey.com @digitalmckinsey linkedin.com/showcase/digital-mckinsey/ facebook.com/DigitalMcKinsey/