Advice for CIOs on cloud computing risk management

Cloud technology expert Stephen Braat of IT service provider CDW shared his views on cloud computing risk management with CIOs at SIMposium 2014.

At SIMposium 2014, the annual CIO event hosted by the Society for Information Management, Stephen Braat of IT service provider CDW gave CIOs some insight into where he and his clients have found points of risk in their cloud operations.

Security, privacy and data protection loom large, of course, said Braat, a vice president of cloud and managed solutions at the Vernon Hills, Illinois-based CDW. Unfortunately, one of the first missteps CIOs make is to rely on the vendor contract to address their concerns.

"If you're trying to affect those things contractually or after the fact, it's really too late," Braat warned. "The biggest mistake any of you can make in cloud computing is assuming it's made to be well-protected, that it's made to be secure, and it's made to be redundant."

But for many organizations, cloud technologies have already been deployed and it is already "after the fact." So what can be done? Here are two pointers.

Look out for departments signing your company up for more risk

A good place to start is to know which departments within your organization are signing you up for more risk. Braat said usually the top three are marketing, human resources and legal.

Marketing departments not only have Web-based environments, Braat said; they also tend to have their own team of developers.

"They're already like moths to the flame using Azure, using," he said, and they are often implementing these technologies and rolling out websites without IT knowing.

Debbie Jowers, an audience member and director of enterprise architecture and integration services at Texas Health Resources, a non-profit company that operates a network of hospitals and related health facilities, said her team zeroed in on the marketing team to get a handle on cloud risk. "Not to stop them from what they're doing, but to help them understand [the risks]," she said. 

In other words, Braat said, IT teams need to educate and implement governance.

Continuously manage run-rates and vendor-beware

Sometimes companies simply review a cloud provider's pricing model, approve it, then leave it and forget about it.

"If you put that consumption on auto pilot and think the cost is going to manage itself, you may find your business so far down the road that the cost to switch is prohibitive," Braat said.

Braat gave an example of a retail client that was growing rapidly, moving into new markets, and could not keep up with the marketing department. The C-level execs at this company decided to deploy a public cloud product. They ultimately -- unknowingly -- overspent, with the internal run-rate of their platforms racking up a bill of $100,000 a month, and a first quarter bill of $1.3 million.

The lesson? This fast-growing retailer didn't manage or govern usage of the cloud and this lack of vigilance came back to bite them, Braat said.

Braat gave another example of a client, this time a global firm, whose chief procurement officer found that the firm had spent $35 million on cloud without knowing it.

One way to avoid this is to use resources other than a vendor to help model pricing: "A fourth of you are using your own … development models; a fourth of you are using a consultancy; a fourth of you are using a research firm like a Gartner, or a Forrester, an IDC or one of those guys," Braat said. "And a fourth of you are doing what's probably the most dangerous thing you can do: You're using the vendor to help you model it."

Let us know what you think about the story; email Kristen Lee, features writer, or find her on Twitter @Kristen_Lee_34.


Join the conversation



What precautions do you take in your organization to reduce cloud risk?
The best answer to this question is that reducing risks in organizations actually depends on a clear understanding of the organization's level of risk acceptance. Understanding how much risk an organization is able to tolerate is dependent on specific organization security needs, not forgetting information assets such as data, system processes and applications. Failure to assess and mitigate cloud risks can lead to exposure of sensitive information or applications, resulting in dramatic loss to the organization.