Cloud governance is quite a balancing act for CIOs. In this podcast, Ben Woo, founder of New York-based IT strategy firm Neuralytix Inc., discusses steps CIOs and IT departments can take to balance freedom of choice and the rewards of ad hoc cloud services purchases, with the risks these services present to an organization.
A partial transcript is below; listen to the full podcast to hear about the tools and best practices CIOs can use for cloud governance, and whether Woo believes CIOs should be developing services comparable to external cloud services in-house.
Cloud services are often purchased or signed up for by individuals and business units. How can CIOs start to govern these purchases?
Ben Woo: CIOs have little [power] in terms of governing these purchases. But these business units and individuals are actually helping the IT department in looking at alternatives and also helping to shorten that time to value [for the business]. What the CIO can do is really start looking at the relationship between IT and the business units. IT departments can often highlight and recognize these rogue individuals and start working with them early to understand what their needs are for IT and to find out why these individuals are going outside IT and the corporate standards.
It's not a case of using a carrot or a stick here. It's really a case of enabling the business, whether you are in the IT department, marketing or executive management, to work closely together in terms of the activities that are related to IT.
Once these third-party cloud services are already in place, what can the CIO do to develop a business-wide cloud governance strategy rather than somewhat of a free-for-all, business-unit-to-business-unit approach?
Woo: I am a supporter of enabling business units and individuals to go out and look at what the alternatives are. These individuals are going to test out for themselves the functionality, capabilities and features of these services, but once they identify that a service is applicable or beneficial to the business, that's when collaboration needs to happen. If you go down the road with these services and they get really embedded in the business processes, then IT has a really tough time trying to back into these services and enable them to work in the context and confines of the corporate policies that have been defined. Even more difficult to enforce are the corporate compliance policies that need to be ensured in terms of these services. So the answer, at the end of the day, is to engage IT early. Have them look at how integration can take place from Day One and not somewhere down the chain, because that's only going to make everyone's job worse.
What risks do businesses face if they don't put cloud governance in place?
Woo: No. 1, if they don't put governance in place, IT has no idea where the data is going. No. 2, there is a separation between corporate data, business unit specific data and external data. That presents a number of security and integration risks. Ultimately, from a governance perspective, because business users may not be familiar with or conversant in the regulatory requirements, they could actually increase the risk of a company by not complying with those sets of rules. I can't emphasize enough the need to engage IT early.
Let us know what you think about the podcast; email Christina Torode, executive editor.