Cloud is too important to leave to technical people.
Cloud distributes responsibility for IT services across an IT supply chain. This supply chain is composed of independent providers. This implies that these companies have technical boundaries that are matched by organisational and contractual boundaries. This is new; we did not have that before the digital revolution. Amazon calls this the shared responsibility model for cloud security. I would simplify that as: what do I do, and what do you do? For example, who is responsible for patching the operating system in an IaaS service model?
Contracts need to fix this allocation of responsibilities, otherwise it is not enforceable. But who is going to check those contracts? Who needs to make sure that the contracts actually specify those tasks, specify who needs to do them, and specify how to monitor and enforce that? That is typically a job for procurement and legal. Because of that, these people (in this case: procurement and legal) need to understand what the service is. And they need to understand which (technical) tasks are not part of that service.
This is important. Insufficient understanding delays the whole assessment process, and reduces its quality. As one of my course participants, a legal person, once said:
“When I go into a conversation with a cloud provider I have time for let’s say 10 questions. If all these questions go to understanding basic cloud terminology and technology, I have missed the opportunity to talk about the real risk and opportunity for our company.”
The conclusion must be obvious. Educate your lawyers, procurement and so on. Help them understand the cloud well enough. Help them know where technical boundaries need to be translated into legal controls.