CIO Strategy Notes: Cloud Risk Mitigation

Posted 11/13/2015 by Sabrinath Rao

Yes, you most likely have an enterprise risk mitigation plan in place to address the usual risks involved in running a business. And you’re probably factoring in things like competitive threats, fluctuations in market demand, economic pressures, generational dynamics, etc. Many companies, however, fail to revisit their risk mitigation plans as they implement new technologies and processes. Utilizing cloud services for data storage, applications and disaster recovery is no different. The question is, ‘How do you factor cloud-computing risks into your overall risk mitigation plan?’

If you’ve participated in risk management for your firm in the past, many of the same questions, issues and plans will be familiar to you. Yogi Berra once said, ‘It’s like déjà vu all over again.’ And the same is true for risk management and the cloud. There are a few twists, however:

Disaster recovery benefit vs. cost: As in 'standard' risk mitigation efforts, the cost of cloud risk mitigation, especially as it relates to disaster recovery, should not exceed the losses that those efforts were designed to prevent. If it does, then you are doing it wrong.

Manage incremental departmental cloud implementations: One surefire way to drive up both cloud cost and cloud risk is through out-of-control departmental cloud implementations, of which the human resources, legal and marketing teams are the three most common offenders. For instance, marketing not only has many of its own on-premises and cloud-based implementations that make up the Marketing Technology stack, but it also tends to have dedicated budgets and developers, much of which has flowed freely out of the CIO’s budget and into the CMO’s. Whether it’s a Salesforce or Slack implementation, CMOs and their digital teams are often rolling out technology and web sites without IT knowing about it. Now, we don’t think it prudent to stymie agility and try to stop these departments from deploying their departmental cloud-based systems, but it’s important to educate the teams on the risks and show them how to leverage the IT risk management/disaster recovery plan that’s already in place to provide for data protection, application failure or some other unforeseen circumstance that could put these implementations at risk.

Manage run rates: We mentioned rising costs associated with departmental cloud implementations, but the same is true for IT-driven cloud implementations. Sometimes a company will just review a cloud provider’s pricing model, approve it and then forget to manage to a stated budgetary objective. By putting their cloud consumption on auto-pilot and assuming that costs will manage themselves, many organizations will find themselves with bloated and out-of-control cloud consumption costs. CIOs must set a budgetary objective when it comes to cloud implementations and govern usage to those costs, just like any other IT project – déjà vu all over again.

Diversify your cloud strategy: Some CIOs are frustrated trying to get public cloud providers to commit to a long-term contract, but there’s a good reason for that: cloud providers want to maintain technological and business flexibility as the cloud market and technology rapidly evolve. These providers are substantially modifying their platforms on an ongoing basis. According to IDC, during 2015, 75% of IaaS provider offerings would be redesigned, rebranded or phased out. Still, that’s frustrating to a CIO who thrives on platform stability and long-term budgetary planning and who doesn’t necessarily want to do business with a provider that wants the right to terminate a contract at its convenience. This non-commitment keeps many CIOs from even starting their cloud journey. But rather than get turned off by it, CIOs should embrace it. Prices have only fallen since the inception of cloud infrastructure as the vendors vie for market share. As long as CIOs have accounted for workload portability in their technology choices, not being locked into long-term contracts provides flexibility.

Optimize workloads: Not all clouds are created equal. IT departments should leverage diversification to optimize workloads. When IT outsourcing was initially all the rage, CIOs primarily leveraged one outsourcer for all outsourcing needs. But eventually they moved to a best-of-breed approach, leveraging different outsourcers for different business outcomes. CIOs can do the same with cloud providers. Use the cloud provider that will ensure the best specific business outcome, whether it is placing a data set with a certain provider, using another for your disaster recovery efforts, and yet another for your application initiatives. Now, to be fair, the more providers you have, the more complex your relationship and workload management becomes. So some sort of governance process, tools and structure will be needed to optimize those relationships.

Mitigating cloud-computing risks should be an essential element of your organization’s enterprise-wide risk mitigation plan. It’s important to revisit those plans as you deploy public and private cloud implementations, especially since the two provide different service levels and contractual commitment lengths.