The Governance Plateau
When Cloud Governance stalls after the quick wins, leaving you trapped between putting out fires and building sustainable momentum.

Edition #5: The Governance Plateau
Most Cloud Governance efforts hit a plateau after the initial wins. Teams onboard CSPM and FinOps solutions for visibility, set up alerts, and fix glaring issues. They get quick value from obvious improvements. Then progress flattens.
This is The Governance Plateau - when easy fixes are exhausted but teams haven't built systematic improvement capabilities.
The plateau happens because initial Cloud Governance efforts are often reactive. Respond to a security incident. Fix a cost spike. Prepare for an audit. These project-driven approaches prove Cloud Governance works but don't create lasting momentum.
Teams want to keep improving but can't identify clear priorities. Breaking through requires shifting from reactive fixes to systematic visibility-to-action processes, building governance as a continuous system.
The Cloud Governance Loop provides the framework for sustained progress:
Know Your Cloud: Establish continuous discovery processes that surface new opportunities automatically, not just during crisis moments.
Raise the Bar: Build systematic prioritization criteria - risk impact, team readiness, implementation complexity. The next improvement becomes obvious.
Make Change Happen: Create structured rollout processes that teams can repeat for any governance improvement, not just the current one.
This transforms Cloud Governance from a series of isolated wins into a self-reinforcing cycle. Each improvement builds a flywheel of momentum to tackle the next one.
The plateau becomes a launching pad rather than a permanent stopping point.
- Keep on Herding, Bob
PARTNER SPOTLIGHT
Turbot: Complete Cloud Governance
Transform visibility into action with automated policy enforcement and remediation at enterprise scale.
What's Happening in Cloud Governance 📡
Overcoming AWS Security Alert Fatigue: My exploration of how organizations move from reactive security incident response to proactive standards and controls using the 5 Cloud Governance Practices. Covers the phases of alert fatigue and systematic approaches to transform security findings into sustainable improvement processes.
Cloud Governance: Concepts, Tools, and Requirements: LinkedIn Learning course by David Linthicum covering fundamentals of Cloud Governance, tool identification and selection, and deployment processes for governance within enterprise projects.
Cloud Governance: Basics and Practice: Academic reference guide by Meredith Stein and colleagues. While published in 2022, the fundamentals around how cloud computing disrupts traditional corporate governance remain relevant, exploring new operational, cybersecurity, and regulatory risks with practical guidance and self-assessment questions.
Infrastructure Choices and Development Velocity: Danny Steenman's commentary on how infrastructure complexity, technical debt, and prioritization decisions impact development velocity - key considerations for Cloud Governance programs balancing innovation enablement with operational control.
NIST 800-30 Risk Assessment Guidance: Meera Maxy highlights how NIST 800-30 helps teams move from "we think this might be risky" to "we know how risky this is, and here's what we're doing about it." NIST 800-30 is an essential resource for building solid risk programs and translating technical risks into business language for all audiences.