Great companies see business risks as opportunities, and execute strategies accordingly. Such a mentality is compatible with emerging technologies. IT plays a vital role in the deployment of new strategies that mitigate business risk.
With the proliferation of so-called cloud services, the execution has become less complicated. The cloud is no longer an emerging phenomenon, and the number of vendors and services offered with the “cloud“ badge has been exploding. Indeed, there are very few companies in the world that are not currently using cloud services in some form.
With this new approach to service delivery, it is more important than ever that the security risks are fully understood by business leaders. The Cloud Security Alliance produces guidance on risk and mitigation techniques related to cloud services, mostly aimed at IT managers and security professionals – but business leaders need to understand the risks to their business operations as well.
So what should a business leader know about the cloud and its impact on their business?
Firstly, cloud services are a form of outsourcing. And as with all B2B relationships, trust is critical. The business is in essence trusting cloud providers to provide a contractual level of service that is vital for the running of the business. As such, selecting a reputable cloud provider and ensuring contract negotiations cover key business continuity requirements are key parts of any cloud adoption strategy.
Secondly, every contract includes an expiry date; including cloud services. A company needs to have at least a high-level plan for the longer-term future: does the service need to maintain flexibility to move to a different provider, or are there plans to build an internal service eventually? What are the costs and other constraints of these migrations? These need to be considered as part of any cloud strategy.
The next concern is related to the security and ownership of any business data that are processed by the cloud provider. This area is where the knowledge of IT and security professionals cannot be underestimated. Together with business managers and legal counsels, they will be able to assess the criticality of the business data, what the legal and regulatory restrictions related to the data processing and storage are, and provide vital information about the cloud provider’s conformance in these regards.
Finally, before any cloud strategy is enacted, a value assessment should be performed. This does not need to be a precise calculation: a simple comparison between the costs of a service provided by the cloud and that same service run internally, over the course of 3-5 years, will provide ample data. Add in the various advantages and drawbacks of each solution (internal services have a roadmap built to suit the business; cloud services are often far cheaper to run and allow significant outsourcing opportunities, and so on), and the business decision can then rest upon full analysis. It is important to note that such a business case may not always be pro-cloud.
So in summary: embrace the cloud, but with full awareness of the risks and costs, and how to mitigate them.