Scared of the Cloud?

Written by on February 16, 2016 in Risk Management with 2 Comments

Cloud black + white photoCloud Computing and Its Risks

Recently I was talking with a member of the board of trustees for a very special and successful not-for-profit.  Our talk turned to data, a precious resource for them.  I mentioned cloud storage, and my friend told me that he would “never, ever” agree to keeping their data in the cloud.  He’d heard of three other organisations that had lost the lot, and he wasn’t going to risk theirs.

I thought back to the commercial IT setups I had managed, worked in or consulted to.  Risk management was a less mature discipline then, but of course we all recognised and took steps to mitigate the risk of catastrophic data loss.  We had backup storage, interlocking tape cycles, fireproof vaults… the most advanced and expensive outfits had spare computers so they could not only keep the data, they could keep processing it.  I thought of the diligent IT manager who dropped off a backup tape at a bank deposit box every evening on the way home, until he found that the magnetic name tag he also kept in his briefcase was wiping the tape every time.  I thought of the brand-new computer room with new climate control, that on day one went straight to 40°C and kept going, until they switched everything off.  I thought of the database administrator who accidentally deleted some critical data tables, and had to go knock on the door of a competitor, using the same software, for help with reconstructing them.

Could the cloud be so much worse?

What is This Cloud Anyway?

I saw a great bumper sticker the other day: “There is no cloud.  It’s just someone else’s computer.”  Like many such remarks, it is both true and inadequate.  True, cloud computing, from a board perspective, is just a kind of outsourcing.  Do you see the same calendar events on your smart phone and your PC?  That’s a cloud service.  A computer belonging to Apple, Google, Microsoft or some other provider is keeping a master copy that you can view and update from different devices.  You might go further and use online file sharing, or an online accounting package.  “Cloud” is just IT’s way of saying you don’t need to know the details.

As a director, should you be satisfied with that?

Risks and Opportunities

Here’s one way to look at it.  Cloud services offer the opportunity to run much leaner in your internal IT.  No more need, perhaps, of that “server” in the corner of the back office that cost thousands and needs regular, expensive TLC until the day it fails.  Their ultimate failure rate, let’s remember, is 100%.  There’s also the opportunity to use the latest software, every time, automatically, without those long upgrades that always have to be done when you’ve got a deadline looming.  You can get away from “Damn, I left that file I need on the office computer.”  And thanks to economies of scale and efficient distribution, good cloud providers can give you better technology and service, for less money, than in-house IT systems.

From a board perspective, there are other opportunities of potentially greater value still.  Cloud, like vehicle fleet management or equipment leasing, turns CAPEX into OPEX.  You pay for what you need, when you need it, and the benefit is immediate.  These services scale up and down with you.  Use it well, and cloud is plug-and-play, fit for purpose.  Instead of having to buy a fistful of CDs containing software you don’t need and will never use, good cloud services deliver what you need, when you need it.  You don’t buy a telephone exchange in order to make phone calls.

The price we pay for opportunity is risk.  As it’s just someone else’s computer, it too can fail, burn out, get invaded by a virus or get hijacked by criminals.  If you choose a struggling backyard operator as your cloud provider, your risk profile has not improved.  If you choose a substantial, reputable, accredited supplier, you incur much less risk than most in-house IT setups.  Why?  Because good cloud providers have the scale, the funds and the techniques to manage the risk of failure and attack much better than virtually any IT department.  They have made that their core business, after all.

Risk management is board core business.  Start small, do your due diligence, identify and mitigate the risks.  Have contingency plans.  Call me, let’s see if I can help you with it.

Other Resources

There’s an Australian standard covering assurance controls on reports at service organisations (such as a cloud provider).  You can get it here:

Print Friendly, PDF & Email


If you enjoyed this article, subscribe now to receive more just like it.

Subscribe via RSS Feed Google Plus LinkedIn Profile

2 Reader Comments

Trackback URL Comments RSS Feed

  1. Great post Iain.

    So true about the variation between cloud providers.

    I would suggest that the leaders offer an order of magnitude less risk compared to in-house IT for same cost. An order of magnitude or more even. And the less capable providers would probably be on par with in-house IT just because that’s their primary function and they would learn quicker from their mistakes.

    The benefits are so big I think it is almost negligent to not go with the cloud.

    Netflix just completed their six or seven year move to be totally cloud-based.

    All the infrastructure for our startup is in the cloud, thanks to a grant from Google, and it still blows my mind that we can do so much automatically with ease. As someone else said “even hardware is now software.”

    • Iain says:

      Thank you, Ashley.

      I agree, cloud services open up so many more possibilities once you take the leap. But I’m still surprised how many people still think their company’s data is “safer” on “their” computer.

      There are risks, including jurisdictional and data governance risks, but they are dwarfed by the likelihood that that server in the back room could so easily take your whole enterprise down with it.

      All the best,

Leave a Reply

Your email address will not be published. Required fields are marked *