Is Your Head in the Clouds?
Cloud computing is here to stay. Many corporations faced with profitability
challenges will, for the foreseeable future, continue to face cost pressures.
As CEOs review their organizational portfolios, it’s apparent that
infrastructure technology continues to drive growing costs with limited
returns. The total cost of ownership is hard to put a price on. It includes
assets such as hardware, software, communication lines, real estate, and
physical structures. In addition, there are large direct and indirect people
costs from infrastructure support, development, security, data center
personnel, legal, procurement, human resources, etc. Most organizations also
have great difficulty keeping track of their software licensing terms and
reconciling them to actual usage, which could subject them to large legal risk
and penalties.
One smart way to increase profitability is to take advantage of the “cloud”
offerings from major vendors such as Google, Microsoft and Amazon. These
companies are well capitalized, have robust infrastructures that are globally
dispersed and have compelling cost-savings propositions. They generally use an
“on demand” or “pay as you go” model, which is flexible and efficient. You
never have to worry about buying wasted capacity for infrequent activity
spikes, and you can easily upgrade software and be ahead of the curve.
Now that you are ready to run out and move your entire IT infrastructure shop
into the cloud, you may have to consider a few steps. First, you need to know
the value of your business application assets to decide which applications
should stay inside the corporate infrastructure. This is vital to get approval
from your board, regulators and other key stakeholders. They must be convinced
that the return (ROI) is much greater than the risk. It’s also critical that
all the current-state metrics are compiled and used to drive the vendor service
levels and demonstrate the vendor’s ongoing performance. Missing this step will
just lead to unnecessary finger pointing later on.
The way to value your application assets is by using the Pcubed application
inherent risk model. This is an inherent assessment that will identify your
most critical assets by risk type. These may include Confidentiality,
Integrity, Availability, Effectiveness and Legal/Regulatory risk. Once the
applications have been classified as High, Medium or Low, easy decisions can be
made to move to the cloud or not.
Many of the initial reactions to cloud computing are that it’s “too risky.
Our regulators and boards will never let us do it.” Let’s break that down. I
would suggest that it’s too risky not to do it.
Let’s assume you went through RiskTao’s inherent risk assessment program and
understand the business value of your applications. A major concern is the
“people risk” of the vendors. First of all, they all have strong HR practices.
Secondly, their people have less motive and less knowledge of your business
than your own people do. It’s still a fact that most technology crime is
internal. Why? Motive, knowledge and opportunity are the main drivers for
criminal activity. Thirdly, the vendors will keep track of your software usage
and will relieve you of the legal liability risk of software usage, which most
organizations actually have but don’t even know about.
So what’s left to worry about? For one, there is cross-border information
processing risk. Countries are very sensitive about access to personal
information from foreign countries and have strict laws and penalties
concerning it. Even the most innocent data, such as a corporate directory, can
be subject to a country’s laws. RiskTao can help you ensure that vendors agree
to process data only in certain locations that have been cleared for that
access. This must be written into the contract, and severe penalties must be
built into the vendor’s performance clauses. In addition, you must have
measures to audit this and other critical vendor controls to give assurance to
your stakeholders and regulators.
Another area of concern is computing performance and technology refresh.
Performance must be held to expected standards and reported upon in a clear and
concise way that actually reflects your business’s and clients’ experience.
Again, RiskTao has a proven risk-based method for establishing this key metric.
Concerning the technology refresh, you and the vendor must use metrics and past
performance as the basis for discussing technology refresh and refresh cycles.
The good news is that these companies’ core businesses revolve around robust
and responsive technology. There is little chance that they will not make the
required investments.
So is it safe to go in? We believe cloud computing is an excellent alternative
approach to improve the cost savings and effectiveness of your technology
spend. Vendors build stronger and more flexible technology infrastructures that
can instantly respond to changing client needs at a price point that is
compelling. However, most organizations will need to retain a smaller
“hardened” infrastructure for their high-risk applications. These should stay
at home, but with increased management focus.
Managing risk is about knowing when to seize or pass on opportunities. At
RiskTao we can help you make decisions that are right for your organization.
Cloud computing is an example where we can help you manage risk in line with
your risk appetite and business strategy.