cfo.com

Print this article | Return to Article | Return to CFO.com

Risks of a Model Still Maturing

Here are some factors CFOs should take into account when their organization considers moving data, applications, or infrastructure to the public cloud.
Rob Livingstone, CFO.com | US
October 17, 2011

If one were to swallow the cloud-computing hype whole, its adoption in the enterprise is inevitable. It will lower IT costs and speed up IT delivery and business-project implementations. It will transform IT as we know it, all at the flick of a switch.

However, back on planet Earth, the volatile and rapidly evolving nature of cloud computing is bringing with it a fragmentation of definitions, interpretations, and value propositions for organizations, not to mention a degree of information overload. CFOs may be confused as to what all the shouting is about, what business benefits cloud computing could provide, and how to assess, accurately and holistically, its costs and risks. 

Until recently, the initial focus of most of the hype has been on the public cloud; i.e., a cloud you share with others. (It's worth mentioning that credible cloud providers have emerged that offer a blend of public, private, and hybrid cloud solutions, giving organizations options other than the unadulterated public cloud.) And the question, "Why should I choose a particular public cloud solution today if there's going to be a lower-cost alternative that's better suited to my business tomorrow?" is being asked by organizations that are being a bit more deliberate in their decision-making processes. This is a valid question, especially considering the difficulties in switching cloud providers due to the current lack of standards for interoperability.

Indeed, for a number of reasons, the jury is still out as far as the public cloud's value proposition for the enterprise market. So here are some things to consider before making the move.

Asymmetry of Understanding
While there is a solid understanding of what's inside the public cloud  among CIOs and those in the IT industry, this is often not the case for line-of-business executives and managers. As long as this asymmetry exists, the relevance and potential of cloud computing will not be fully realized in organizations. CFOs need to become very conversant with the public cloud technology model and its inherent risks in order to make the best decisions for their organization. Don't let yourself be bullied. If you have doubts, air them. If you have questions, ask them.

The IT Simplification Paradox
One of the fundamental benefits of cloud computing is the theoretical removal of IT complexity: its processes become invisible to the end user. Paradoxically, this presents those organizations concerned about IT security, risk, and governance with a challenge because that lack of visibility into what's under the covers may lead to the assumption of risks that would be considered unacceptable if fully disclosed and understood. For instance, your cloud provider's disaster-recovery capabilities may not meet your own organization's standards. One only has to look at the recent spate of BlackBerry outages. Where would your business be if your IT systems were unavailable for three days? CFOs generally hold accountability for enterprise risk, and for this reason it's important that they have full visibility into and full understanding of the cloud provider's capabilities.

Marketing and Delivery Misalignments
Be aware of potential misalignments between the vendor's promises and what you may actually end up with in your public cloud.

For example, a leading public cloud provider's website states: "You only pay for what you need . . . and scaling up or down is easy." While this sounds good, the actual contract states: "The number of User subscriptions purchased cannot be decreased during the relevant subscription term." This, by the way, is 12 months.  So, in other words, even if you don't need the service during a down time, even if you're cutting staff, forget about paying less for the service. That's hardly "You only pay for what you need."  For CFOs, the message should be clear: Perform your due diligence before signing on the dotted line (or allowing anyone else to do so) in order to fully understand your cost exposure.

Early Adoption Risks and Benefits
While cloud evangelists are happy to be early adopters and drive their organization to run ahead of the curve, other organizations that are more risk averse are choosing to wait until the industry matures. Their delay may mean missed opportunities that could put them at a competitive disadvantage, at least in the short term. CFOs are uniquely placed to help their organization evaluate the risks and opportunities in the adoption of public cloud strategies.

International Operations
The most popular and widely used public cloud providers are U.S.-based entities, which could be a challenge for your overseas business operations. Issues such as foreign national privacy laws and data sovereignty in your overseas operations that do not align with U.S. practices may cause governance problems. CFOs need to be aware of these foreign legislative and regulatory factors before undertaking an international deployment of cloud computing.

Contracts
Earlier this year, the Australian-based University of New South Wales Cyberspace law and policy professor Roger Clarke reviewed the terms of use for a number of well known public cloud applications. The result was anything but complimentary: "None of the nine providers satisfy all of the reasonable expectations of users," he wrote. As is the case in most outsourcing relationships (which the public cloud most certainly is), the majority of contracts favour the provider and not the user, so be aware of what you sign up for in the public cloud, especially if it involves the provisioning or support of a critical business function.  I would strongly advise CFOs to fully vet the wording, structure, and jurisdiction in each contract. After all, once you've outsourced your data or applications or infrastructure in a public cloud, your contract is all you have.


As a CFO you have a responsibility to be a leader when it comes to cloud computing in your organization so make sure you're aware of, and actively involved in all key cloud discussions and decisions. If not, you may be the one asked to pick up the pieces if your business goes off the rails due to factors about which you weren't clear. These are critical decisions that can generate both great risks and great rewards. Don't make them lightly.

Rob Livingstone, an experienced CIO, is the author of the book Navigating through the Cloud: A Plain English Guide to Surviving the Risks, Costs and Governance Pitfalls of Cloud Computing. Visit Rob at http://navigatingthroughthecloud.com or e-mail him at rob@rob-livingstone.com.

 




CFO Publishing Corporation 2009. All rights reserved.