At SIMposium 2014, the annual CIO event hosted by the Society for Information Management, Stephen Braat of IT service provider CDW gave CIOs some insight into where he and his clients have found points of risk in their cloud operations.
Security, privacy and data protection loom large, of course, said Braat, a vice president of cloud and managed solutions at Vernon Hills, Illinois-based CDW. Unfortunately, one of the first missteps CIOs make is to rely on the vendor contract to address their concerns.
"If you're trying to affect those things contractually or after the fact, it's really too late," Braat warned. "The biggest mistake any of you can make in cloud computing is assuming it's made to be well-protected, that it's made to be secure, and it's made to be redundant."
But for many organizations, cloud technologies have already been deployed and it is already "after the fact." So what can be done? Here are two pointers.
Look out for departments signing your company up for more risk
A good place to start is to know which departments within your organization are signing you up for more risk. Braat said usually the top three are marketing, human resources and legal.
Marketing departments not only have Web-based environments, Braat said; they also tend to have their own team of developers.
"They're already like moths to the flame using Azure, using Salesforce.com," he said, and they are often implementing these technologies and rolling out websites without IT knowing.
Debbie Jowers, an audience member and director of enterprise architecture and integration services at Texas Health Resources, a non-profit company that operates a network of hospitals and related health facilities, said her team zeroed in on the marketing team to get a handle on cloud risk. "Not to stop them from what they're doing, but to help them understand [the risks]," she said.
In other words, Braat said, IT teams need to educate and implement governance.
Continuously manage run-rates and vendor-beware
Sometimes companies simply review a cloud provider's pricing model, approve it, then leave it and forget about it.
"If you put that consumption on auto pilot and think the cost is going to manage itself, you may find your business so far down the road that the cost to switch is prohibitive," Braat said.
Braat gave an example of a retail client that was growing rapidly, moving into new markets, and could not keep up with the marketing department. The C-level execs at this company decided to deploy a public cloud product. They ultimately -- unknowingly -- overspent, with the internal run-rate of their platforms racking up a bill of $100,000 a month, and a first quarter bill of $1.3 million.
The lesson? This fast-growing retailer didn't manage or govern usage of the cloud and this lack of vigilance came back to bite them, Braat said.
Braat gave another example of a client, this time a global firm, whose chief procurement officer found that the firm had spent $35 million on cloud without knowing it.
One way to avoid this is to use resources other than a vendor to help model pricing: "A fourth of you are using your own … development models; a fourth of you are using a consultancy; a fourth of you are using a research firm like a Gartner, or a Forrester, an IDC or one of those guys," Braat said. "And a fourth of you are doing what's probably the most dangerous thing you can do: You're using the vendor to help you model it."
Let us know what you think about the story; email Kristen Lee, features writer, or find her on Twitter @Kristen_Lee_34.