Darren Thomson is Symantec’s Chief Technology Officer (CTO) for the EMEA region. He holds the most senior technical position in the region and works within Symantec EMEA Technical Sales Organization (TSO).
As I meet Symantec customers and partners to talk about some of the impacts that virtualization, mobile and cloud computing are having on their businesses, I hear time and time again about the importance of information, and about the fact that the governance and security policy that surrounds information will be key to ensuring successful transitions to new computing and service delivery models.

In almost every case, though, the organisation that I am speaking to is (fundamentally) struggling with the same problem: “Where on earth do I start with all of this?” I hear a lot of potential answers to this question (“data classification”, “virtualization”, “service level agreements”, “data loss prevention”, etc.). For me, these are all too technical and specific as a first step.

In my training (a good few years ago now) in the business of Risk Management, I was taught that any programme of radical transformation (inside IT or external to it) should start with a question: “How much risk am I prepared to take?” (in risk management speak, “What is my preferred risk posture?”). At first glance, this seems like a tough nut to crack: how on earth can I quantify such a thing? Well, there are methods out there (the one that I am familiar with is published within the OGC's MoR standard and is called Summary Risk Profiling) and, even if it is hard to do, how can organisations possibly make good decisions about technology until they have made clear (to themselves!) how much risk they are prepared to take?

My advice as a first phase of a cloud computing project: pick a ‘pilot’ scope for transformation, define ‘risk tolerance’ for this target with both the business and IT involved, do a risk assessment (based on the risk tolerance defined), and do not switch the transformation ‘on’ until you are satisfied that it can be completed with an ROI and within acceptable levels of risk.