Cloud Society: how's your cloud risk appetite?


At the recent Business Cloud Summit held in London, I was fortunate enough to host a panel of lawyers.

One doesn't normally see the terms 'fortunate' and 'lawyers' in the same sentence, so I thought it was worth elaborating why. As well as the expected topics around contracts, due diligence, data escrow (should things go wrong) and, indeed, involving lawyers in any large-scale outsourcing decision, one term bubbled to the surface: 'risk appetite'.

To understand why this is so important, we need to revisit where cloud computing fits, or is going to fit, in medium and large organisations across the board. What's pretty clear (I hope) to everybody by now is that cloud computing isn't going to replace traditional IT. Even this perspective still treats cloud as a single thing; rather it is a sourcing option for a whole variety of service types, from pay-as-you-go hardware to advanced applications.

With an additional option in the mix, businesses have more choice as to how they are going to do things. Companies are complex, and what's suitable for one department (hosted applications of the likes of Office 365, say) may not be suitable for another. This reality will no doubt be the cause of many challenges in the future, in terms of integration and interoperability, management and support - or, in other words, the same issues that IT has always faced.

So, what's different? One thing cloud brings to the party that differs from the past is a reduced hurdle in terms of procurement. In olden times, the 4-8 week delay between decision and deployment created an artificial barrier which, as a spin-off benefit, meant everyone had time to think. These days, the first time IT managers hear of a new SaaS application may be when support gets a call complaining that it isn't working properly.

And so, to risk, and the appetite for it. Cloud-based apps and services are not without their limitations. To revisit an old adage, "free services are worth what you pay for them", and their terms and conditions may offer little if any recourse if you lose information, as users of email services such as Hotmail and Yahoo have found out in the past. Similar devilry can lie in the detail of pay-per-use hosted services, not just in terms of data protection but also uptime guarantees and support restrictions.

All of these aspects add to the risks of taking a service on. That doesn't mean that they should be ignored or avoided; rather, that their use needs to be tempered at the moment of decision, in terms of whether or not they offer sufficient guarantees to support the part of the business using them. Are they protecting personal information adequately? Have they safeguards in case of a denial of service attack? What happens if their data centre is subject to fire, flood or theft? These questions, traditionally asked of IT, now need to be pitched at the provider. And quickly, before their use becomes entrenched.

This ability to make decisions based on a reasonably slick grasp of the risks is natural to all of us - indeed, we do it every time we cross the road. However, it is not traditionally how IT is done, and processes and procedures may actually slow down or blunt our abilities to respond. As we move into a new year, then, perhaps it's worth revisiting how our own IT organisations deal with the risks of cloud-based service delivery, and asking the question - is the current approach helping or hindering the business? If the latter, the role of IT itself may come into question.

Jon is an author, technology commentator and director at Inter Orbis, which researches the impact of technology on business and society. With over 20 years in the technology industry, Jon has a deep understanding of the global infrastructures, software architectures, and governance models required to make communities work.

In Jon’s varied career he has been IT manager, software consultant, training manager, IT security expert and industry analyst. He was named European analyst of the year by the Institute of Industry Analyst Relations in 2009.

Outside of technology, Jon has authored several books about music, including bands such as Marillion and Rush. Jon is currently writing two books about the impact of the Internet on business and society, and is researching a novel about the violinist, Paganini.