
Company that sells product ...
... funds customer poll that reveals product makes financial sense.
Research into small businesses in the US and Asian markets has shown that there's an increasing mismatch between the theory and practice of cloud security. When questioned in a blind test conducted by comScore and funded by Microsoft, a third of SMBs said they didn’t use cloud security because of fears over the cost of …
Just because these companies spend less on security after moving to the cloud in no way implies, proves or shows factual data that they are indeed more secure.
I would propose quite the opposite even. They have relinquished control and actual knowledge of this security completely to an outside organization, and have no way of knowing their security level once this has been done.
All this study shows is that people who move to the cloud feel comfortable that security is now a problem for someone else to handle, which to me seems a bit myopic and naive. This isn't really news, as they were already a willing customer of moving to the cloud. One would expect that expenditure for other IT costs will also be reduced as well (data storage, etc.).
"It's an interesting dichotomy between people that have the perceived barriers to cloud adoptions in security and privacy and those that actually have taken the plunge and used the cloud,"
People looked at cloud. The ones who found they could save money moved, the ones who didn't see an advantage didn't.
Wow, look the people who moved to cloud saved money!
Yes, there are security risks in the "cloud", but no more so than some Microsoft certified administrator leaving a port wide open or giving their users global file server access or some other error. People pretend as though they have ironclad security today because they have a firewall. In SMBs, security isn't exactly NSA grade in the first place. The real issue with the cloud should be data governance and the proprietary nature of some clouds which makes it impossible to leave, not some concern over losing security that doesn't exist in the current environment.
Sensible organisations (there are many that aren't, of course) will select a level of security appropriate to their needs. For many, this will be substantially below 'NSA grade'. But if you identify a security hole in your own systems (perhaps by using an <ahem> security consultant), you can fix it, if to do so makes business sense. If it's in the cloud you can (unless you're Boeing or GM) do little about it except move to another provider (good luck with that).
Who is responsible if data from "your" cloud [area] get stolen/hacked etc?
Working for a company which has very sensitive data, I was told by a number of cloud providers (when the company toyed with the idea of moving to the cloud), that if the data was stolen from them, they (the cloud provider) would NOT be responsible legally. So if you do lose sensitive data - it's your fault!