The idea of cloud computing, or internet-based computing, has become very popular over the past few years with its innovative cost benefits and efficiency. And as more organizations look to switch from company-owned hardware to per-use service-based models, the benefits of cloud computing have been touted over and over again. But what about the risks?
Well, according to The Information Systems Audit and Control Association (ISACA), many feel the risks of such computing outweigh the benefits. In fact, 45% of those surveyed in ISACA’s first annual IT Risk/Reward Barometer survey feel that way. In addition:
The IT Risk/Reward Barometer found that only 10% of respondents’ organizations plan to use cloud computing for mission-critical IT services and one in four (26%) do not plan to use it for any IT services.
Consistent with this attitude is the appetite for overall IT-related risk in 2010. In the face of continued economic uncertainty and despite the potential to drive greater rewards, more than three-quarters of those surveyed believe that projects should offer the same or lower level of risk in 2010. Similarly, 79% will invest the same amount or only slightly more in risk management and compliance in 2010.
“The cloud represents a major change in how computing resources will be utilized, so it’s not surprising that IT professionals have concerns about risk vs. reward trade-offs,” says Robert Stroud, international vice president of ISACA and vice president of IT service management and governance for the service management business unit at CA Inc. “But risk and value are two sides of the same coin. If cloud computing is treated as a major governance initiative involving a broad set of stakeholders, it has the potential to yield benefits that can equal or outweigh the risks.”
The survey also revealed organizations’ attitudes and behaviors related to IT risk management. According to the IT professionals questioned, only 22% of organizations are very effective at integrating IT risk management with their overall business risk management. And, as usual, every organization employs people who further contribute to the company’s IT risks. The Barometer found that the top three high-risk ways in which employees contribute to risky business are:
- Not protecting confidential work data appropriately (50%)
- Not fully understanding IT policies (33%)
- Using non-approved software or online services for their work (32%)
“Many employees are working around controls and using non-approved devices and programs so they have the tools they need to do their jobs,” said John Pironti, member of ISACA’s Certification Committee and president of IP Architects LLC. “Instead of prohibiting certain technologies, organizations should try to learn why their employees feel they need these technologies and train employees to use them safely.”
As with anything, proper training is essential to reducing inherent risks. As the popularity of cloud computing grows, organizations will be forced to step up their employee training while more responsibility will be placed on IT professionals. Is it all worth it? Is cloud computing worth the risk?