By CYRIL TUOHY, managing editor of Risk & Insurance®
Close to half of U.S. IT professionals say the risks of cloud computing outweigh the benefits, according to the first annual Risk/Reward Barometer survey of 1,810 IT professionals conducted by the Information Systems Audit and Control Association (ISACA).
Only 15 percent of respondents said their organizations plan to use cloud computing for mission-critical IT services, the survey also found.
John Pironti, a member of ISACA's certification committee, said the question before U.S. IT managers regarding cloud computing is how to use the economic advantages of the cloud without compromising their employer's risk profile.
"We're in a different mode right now compared with other technologies in terms of privacy and security," he said.
Cloud computing, or the ability to use the Internet to share processing power, software applications and data, is of great interest to C-suite officers because of the model's potential to deliver lower total cost of ownership, higher return on investment, and more efficiency and pay-as-you-go services, according to proponents of cloud computing.
Google and Salesforce.com are among the most popular cloud-based computing models in the consumer arena. Spending on cloud services will outpace traditional IT spending over the next five years and will represent $44.2 billion by 2013, according to analyst firm IDC.
Yet IT professionals see risks in entrusting information assets to the cloud, as many equate it with "giving away the data," said Pironti.
IT risk managers prefer to keep their data locked up on mainframe or proprietary database platforms.
The IT Risk/Reward Barometer, released on April 7, found that one in four (26 percent) respondents said their organizations do not plan to use cloud computing for any IT services.
Leading-edge cloud-computing companies--Amazon, Google and Salesforce.com Inc., for instance--have been primarily responsible for pushing the cloud-computing model into the marketplace, which may help explain the latest survey results.
Because the vendor community was mainly responsible for pushing cloud computing onto consumers, said Pironti in an interview last week, "there's more upside to the provider than the user of the cloud."
OVERALL IT RISK
Consistent with IT managers' reticence toward cloud computing is the appetite for overall IT-related risk in 2010.
In the face of a continued slow economy, and despite the potential for higher economic reward, more than three-quarters of those surveyed believe that IT projects should offer the same or a lower level of risk in 2010. Similarly, 79 percent will invest the same amount or only slightly more in risk management and compliance in 2010.
"The cloud represents a major change in how computing resources will be utilized, so it's not surprising that IT professionals have concerns about risk versus reward tradeoffs," said Robert Stroud, international vice president of ISACA, based in Rolling Meadows, Ill.
Only 22 percent of organizations are very effective at integrating IT risk management with their overall business risk management, the survey found. The most common reason for practicing IT risk management was regulatory compliance (28 percent) versus business drivers such as balancing risk-taking with risk-avoidance to improve return (8 percent).
"While compliance is critical, it is unfortunate that more enterprises do not see performance improvement as a primary reason for implementing effective risk management," said Brian Barnier, member of ISACA's Risk IT development team and principal at ValueBridge Advisors.
The survey revealed that one in six respondents, or about 15 percent, see cost management as a driver for risk management, while 9 percent see business change as the most important driver.
As the one-third of IT professionals who are more business-focused already seem to know, robust risk management is a powerful tool to create that value, Barnier added.
"We hope to see more enterprises shift from a compliance to performance view of risk management," he said.
For additional information on cloud computing, see the ISACA white paper, released in October and titled "Cloud Computing: Business Benefits with Security, Governance and Assurance Perspectives."
April 14, 2010
Copyright 2010© LRP Publications