So what does everyone at a typical company do? They sneak around. They sign up for cloud applications without telling anyone, and next thing you know, the whole company is running in the cloud, security be damned.
According to research by CipherCloud, one of the leading cloud gateway providers, 86 percent of cloud applications used by companies were unsanctioned "shadow IT," with the average global enterprise using more than 1,100 cloud applications.
Valtman recommends that security departments look at cloud gateway technologies to secure cloud applications.
"These gateways provide aggregated discovery, control, auditing and analysis tools to ensure that cloud application usage is secure," he said.
Cloud gateway vendors can help fully secure such popular cloud apps as Salesforce, Office 365, Google Apps, and online storage providers while still preserving functionality.
And they can provide limited security, such as access control, to any other commercial or home-grown cloud app.
"Transparent to the user, you can automatically verify devices, IP addresses, locations, OS and more. This prevents phishing, malware, social engineering and other attacks," said Yair Grindlinger, CEO & co-founder at Redwood City, Calif.-based cloud security firm FireLayers, Inc.
By having a solution to offer, CSOs can actually get ahead of cloud adoption, instead of playing catch-up.
But cloud gateways aren't just for cloud users. Companies selling services in the cloud can also partner with cloud gateway vendors to provide their clients even more security -- while not compromising on functionality.
That would make security a selling point and a revenue generator, not just an expense item.
Listen to rank-and-file employees
When Adam Meyer was CISO at the Washington Metropolitan Area Transit Authority he would hold open forums during lunchtime, with coffee and snacks, where anyone from the company could come and ask questions.
He originally expected people to work-related questions, he said, "and it turned out to be 99 percent personal questions and 1 percent corporate."
People would come up to him and ask about their teenagers' computer use, about whether to trust their mobile banking apps, and other personal questions that had nothing to do with the company.
But that actually worked, he added.
"By making it personal, now those users became more cyberserurity aware in their jobs," he said.
And they began to see where the security department was coming from.
"It wasn't some big policy coming down, it was a personal conversation between them and me and they knew I was just looking to do the right thing," he said.
In addition, users were more inclined to share problems they were having, allowing the security department to get out ahead of potential issues.
For example, one person complained that filing sharing was too burdensome, inspiring the company to decomission their own storage solution and switch to cloud-based storage, after working with the cloud provider to implement specific rules for credit card information.
Sign up for CIO Asia eNewsletters.