RoseRyan VP Pat Voll recently weighed in on a recent CFO.com debate that posed the question “Is your data more secure in a data center or in the cloud?” CFO published her bylined article alongside other data-security experts in one of its monthly Square-Off virtual panels. Pat’s take: Companies need to focus on the “who” rather than the “what” when looking at where they store their information. See below for an excerpt of Pat’s article:

Ultimately, you are responsible for the protection and security of your data, regardless of where it is stored. Where your data is safest depends on your company’s own internal processes, infrastructure, controls, training, and discipline, and those of your cloud provider.

Consider this fact: The most common reason companies suffer from a data breach is because of an employee error. In a recent survey by the Association of Corporate Counsel, 24% of in-house lawyers blamed employee error for a breach at their company. That’s higher than phishing attacks (12%), third-party access (12%) and lost devices (9%).

A mishap by an employee could happen no matter where the data resides—on-premises or in the cloud. To tamp down the risk, it is essential that companies take a hard look at their internal processes, including periodic training for all employees and robust on-going monitoring of controls, to ensure policies and procedures are being followed.

CFOs can’t pass off the responsibility for data security to the IT department and hope it’s getting done. Similarly, you can’t assume the vendor has adequate controls and procedures in place. It’s not only the right thing to do—it’s increasingly becoming an expectation.

To read the article in its entirety, go here.