Cloud Computing vs. Tolerance To Risk
As I meet with Symantec customers and partners to talk about the impacts that cloud computing is having (or may have) on their businesses, I hear time and time again about the importance of data, and about the fact that the governance and information security and management policy surrounding that data will be key to a successful transition to new computing and service delivery models.
In almost every case, though, the organisation I am speaking to is struggling with the same problem: where on earth do I start with all of this?
I hear a lot of potential answers to this question ("data classification", "virtualization", "service level agreements", etc.). For me, these are all too technical and specific to be the first step in creating a cloud computing strategy (or any IT strategy, for that matter!). In my training in the business of Risk Management (a good few years ago now), I was taught that any programme of radical transformation, inside IT or outside it, should start with one question:
"How much risk am I prepared to take?" (in risk management speak, "what is my preferred risk posture?").
At first glance, this seems like a tough nut to crack: how on earth can I quantify such a thing? Well, there are methods and best practices out there that can guide an organisation through the business of defining its "preferred risk posture" (the one I am familiar with is published within the OGC's MoR standard and is called "Summary Risk Profiling"; that book will explain everything).
To my way of thinking, even if it is hard to do, how can organisations possibly make good decisions about technology until they have made clear (to themselves!) how much risk they are prepared to take? This logic applies to everything transformational in IT (DR, Security, Compliance, Cloud, Mobile Computing, and so on).
My advice with regard to the first phase of a cloud computing project: pick a "pilot" for transformation, define what "acceptable risk" looks like for this target using a methodology like MoR, do a risk assessment based on the risk tolerances you have defined, and do not transform until you are satisfied that it can be completed with a compelling ROI and within the defined acceptable levels of risk. THAT'S what good cloud computing looks like!