Risk Management, Cloud & The Business of Tolerance
As I meet Symantec customers and partners to talk about some of the impacts that virtualization, mobile and cloud computing are having on their businesses, I hear time and time again about the importance of information and about the fact that the governance and security policy that surrounds information will be key to ensuring successful transitions to new computing and service delivery models.
In almost every case, though, the organisation that I am speaking to is (fundamentally) struggling with the same problem: where on earth do I start with all of this?
I hear a lot of potential answers to this question ("data classification", "virtualization", "service level agreements", "data loss prevention", etc.). For me, these are all too technical and specific as a first step. In my training (a good few years ago now) in the business of Risk Management, I was taught that any programme of radical transformation (inside IT or external to it) should start with a question:
"How much risk am I prepared to take?" (in risk management speak, "what is my preferred risk posture?").
At first glance, this seems like a tough nut to crack: how on earth can I quantify such a thing? Well, there are methods out there (the one that I am familiar with is published within the OGC's MoR standard and is called "Summary Risk Profiling") and, even if it is hard to do, how can organisations possibly make good decisions about technology until they have made clear (to themselves!) how much risk they are prepared to take?
My advice as a 1st phase of a cloud computing project: Pick a "pilot" scope for transformation, define "risk tolerance" with the business and IT involved for this target, do a risk assessment (based on the risk tolerance defined) and do not switch the transformation "on" until you are satisfied that it can be completed with an ROI and within acceptable levels of risk.