In a previous blog, we’ve already talked about why the manufacturing sector is increasingly moving business-critical applications to the cloud. Two of the biggest reasons:
- Manufacturers are focusing on what’s strategic. For manufacturing companies, leveraging your applications and data to run and grow your business is what’s strategic – not managing the underlying technology stack. Cloud service providers have both the resources (infrastructure, people and specialized technical expertise) and the focus to perform better at these important activities.
- Cloud service providers are earning a reputation for being more secure. Traditionally, manufacturers have been cautious about moving business-critical applications such as ERP from on-premise implementations to the cloud, based on concerns about data security, data privacy and regulatory compliance. However, cloud service providers can more readily justify sustained investments in these complex areas, which they can amortize over a large subscriber base.
Manufacturers Have Valid Concerns
Consistent with the above, virtually all planned growth of application deployments seen in Aberdeen’s benchmark research favors the use of cloud service providers – particularly among small and mid-size businesses (SMBs).
More recently, Aberdeen’s partnership with Bombora provides additional visibility into the issues currently of highest concern for manufacturers, based on the keywords they are actively searching with. For example, Aberdeen’s analysis of the search activities of more than 7,700 global manufacturing companies, using searches on ERP as a baseline reference, yields the following insights (which are also highlighted in the chart below):
- Deployment model: Cloud ERP correlates with the vast majority (over 90%) of ERP search activity – a finding which correlates nicely with previous results.
- Security: Manufacturers are two to three times more likely to search specifically on ERP security – a finding which reflects the significant business impact of a potential compromise of confidential information or intellectual property, or from an unplanned disruption of critical manufacturing systems.
- Compliance: Manufacturers are 20 to 30 times more likely to search specifically on compliance – a finding which reflects the mind-numbing array of regulatory and industry compliance requirements for data and processes that any given enterprise may need to deal with, including PCI DSS, GDPR, 21 CFR Part 11, contracts and service level agreements (intellectual property; client/business partner data), SOX, SSAE18/SOC 1, SSAE18/SOC 2, ISO 27001/27002, ISO 9001, Privacy Shield, Cloud Controls Matrix, Good Manufacturing Practice (GMP) and Materials Management Operations Guideline/Logistics Evaluation (MMOG/LE), among others.
Useful Indicators for Manufacturers
Given the manufacturing sector’s obvious and necessary interest in security and compliance, certifications for many of the standards and processes enumerated above are an important and readily available indicator of a given cloud service provider’s maturity and level of commitment. Simply put, certifications provide manufacturers with a higher level of assurance that key processes related to security, privacy, and compliance for a potential service provider are defined, documented, reviewed and attested to.
Another potentially useful indicator is the use of non-intrusive approaches to assessing the security posture of a service provider, by identifying vulnerabilities the way an attacker would – from the outside. The basic idea is that evidence of maturity and attention to detail in these visible matters provides useful insights into how the service provider is likely to operate in other, less visible matters (e.g., see BitSight Technologies or SecurityScorecard).
For these simple reasons, Aberdeen’s view is that any manufacturer that finds itself asking, “Can I be confident in moving my business-critical applications and data to the cloud?” should make certifications one of its key selection criteria for a cloud service provider. Do certifications guarantee that there will never be a security-, privacy- or compliance-related issue? No – but having certifications is a definite plus and not having certifications is a definite red flag.