What's your cloud risk appetite?
I recently had the opportunity to host a panel of lawyers, discussing cloud computing and its impact given the current state of legislation. I surmised three points from the debate:
- Once contracts are in the mix, cloud very quickly becomes just another procurement mechanism. Whether it fits with how things have been done traditionally is irrelevant.
- The hybrid cloud model is inevitable, indeed it is already here. However some behaviours remain inextricably linked to traditional, in-house models.
- The complexities inherent in the hosted model mean that lawyers are not going to be out of jobs any time soon.
The conversation turned, inevitably given the panellists, to the risk factors which underpinned cloud computing, its procurement and operation. The fly in the ointment was the general acceptance that risk discussions have traditionally run on a parallel track to those about IT strategy or infrastructure delivery.
Such discussions have traditionally been kept at arm's length for a number of reasons. First, things to do with service failure (for whatever reason) are counted as 'non-functional requirements' and therefore considered subsidiary to the things that the service needs to deliver, i.e. 'functional requirements'. Second, contracts are dealt with by procurement, not IT. And third, different teams deal with security and business continuity, which may, but need not, sit within the same part of the organisation.
Suffice to say that the cloud model leapfrogs all of the above. With very little in-house infrastructure to speak of, cloud deployment conversations become primarily about procurement, service delivery, continuity and security. Oh, and cost above all. A researcher or an executive may acquire processor time, storage space or functionality using a credit card and reclaim on expenses; meanwhile, centralised IT service procurement becomes a trade-off between the low-cost, less resilient option and the gold-standard service.
Perhaps it should ever have been thus. After all, in-house IT also has a cost (capital and operational) and risk profile, all of which should feed into the decision making process. We now have, quite simply, a broader spectrum of options, in-house and outsourced, each of which balances cost, risk and service quality.
The term used by the lawyers was 'risk appetite' in that, like managing a personal portfolio, we all need to decide what level of risk we're prepared to trade off against less cost or a higher return. With IT systems, this requires an understanding of what's being stored and processed - if you don't want to gamble with the corporate crown jewels, you need to know what they are.
I would hazard that many CIOs are risk-averse, in that they would rather keep a system in house where they can control it, even if it's more costly to do so. But being risk-averse isn't an approach which works well in the increasingly hybrid, consumerised world we are heading towards. These are still early days and there remains ample opportunity to better understand the risks that will be inherent in the new era of hybrid computing. However, it is never a good option to bury one's head in the sand.