This blog post is part 1 of a 3-part blog series on taking the journey to the cloud and understanding how to approach the risks involved.
When it comes to the Cloud, security remains the biggest concern for IT leaders[i]. While the cost and flexibility offered by the Cloud are appealing, the risk of data breaches and downtimes have CIOs thinking twice about moving to the Cloud. But risk is an unavoidable aspect of business. Any project you undertake has a risk element – will it be delivered on time, aligned to your strategy, and within scope and budget? Well, Cloud adoption is no different. However, in the case of Cloud, what most CIOs end up doing is focusing too much on certain aspects of the technology risk and externalized security controls. They fail to pay enough attention to all the other risks in the aggregate ecosystem they are carrying today that may indeed be even larger.
Behind the scenes: A comprehensive look at Cloud risks
As they say in compliance, you can be secure without being compliant, and you can be compliant without being secure. Similarly, you can be secure in your Cloud technology without eliminating risks related to cost, schedule, attrition, service, data loss etc.
When looking at risk elements for Cloud adoption, other than the usual suspects of technology, data, and security risks, CIOs need to also consider the risks associated with the Cloud strategy, operating model, economic model, service resiliency, etc. (See Fig. 1) and the various obstructions that could hinder their ability to move forward in various ways.
Fig 1: Cloud Risk Elements
For instance, overspending is a risk when it comes to the Cloud economic model. You could achieve the most elegant IT implementation, but what it would cost could break your business. Spending more than planned is a frequent occurrence with as many as 69% of companies reportedly overspending on their cloud budget by 25% or more[i]. Wasted cloud spend runs into billions of dollars every year! Managing this risk is not just a financial but also a career-level discussion for many leaders.
When it comes to data, there are security risks that raise questions like - Who holds the encryption keys? Where is the data? Where is the data being replicated to? Are the services externally contactable? Are we using Zero Trust? The truth is that while there are many things that are perceived to be risks on data in Cloud, a well-architected Cloud Data Platform is no more risky than any global enterprise data platform today.
Creating an app migration strategy also comes with its share of risks that are a part of any transformation and not specific to Cloud. For instance, migration of applications from legacy code to new code may not duplicate functionality and result in risky/unpredictable behavior. Then there are operating risks during implementation. If you aren’t geared to do it right and move too many things at the same time or too quickly, you could tip the balance. An organizational ability and maturity to manage a process, which is poorly planned and ends up partially on Cloud and partially on-prem, may end up increasing the number of Cloud to non-Cloud handoffs. This could put too much strain on existing IT resources and processes. And a botched implementation could mean unhappy employees and attrition that could further damage operational stability. These risks have nothing to do with Cloud as a platform!
In essence, risks to Cloud Adoption are absolutely complex and multi-dimensional and managing them, like managing Cloud adoption, requires an integrated strategy.
An integrated approach for cloud risk management
For successful Cloud adoption, the planned initiatives must have a balance of risk vs. reward in a specific timeframe. For example, you may want to consider:
A good approach would be to map out what is the risk to business, what are the potential benefits, and what will be the cost to achieve these (See Fig 2). For example, let’s say you’ve planned 7 initiatives A, B, C, D, E, F, and G over three quarters. In Q1 when you go ahead with A, B, and C the aggregate risk and cost is acceptable, but benefit is insufficient. Similarly, in Q2 when initiatives D and E roll out, the benefit is high, and the cost is ok, but the risk is too high. This mapping can be done for all initiatives planned for the entire journey and optimized accordingly.
For example, in Wipro Cloud Studio, we have a methodology to classify projects and programs in a standardized way, which helps consistent treatment of these within an enterprise’s overall risk posture and level of comfort.
Is the Cloud really worth it?
All of these elements of risk are not unique to the Cloud and externalization of services is certainly nothing new to organizations. And indeed, material outsourcing (as defined by the regulators) is also nothing new to organizations. So, where does the Cloud come in?
Talking about mitigating and managing all these risks that could come in the way of successful Cloud adoption could sound like a lot of work. And honestly, is that effort worth it? Well, the short answer is YES. We believe that the benefits of Cloud far outweigh these risks, and that with a strategic approach and partnerships like Wipro’s Cloud Studio, it’s quite possible to manage them. In fact, we will go so far as to say that the reverse is true and that adopting Cloud has the potential to not only improve your overall security but also reduce your level of risk across all the axes mentioned. In the next article, we’ll continue this discussion and talk about how Cloud actually cuts down cost and risk significantly.
Please click here to read part 2 (Balancing the Cloud risk equation) of the blog series.
Senior Partner, Cloud Consulting, UK and Europe
Gavin has 25 years of experience with enterprise customers, helping them drive business success through innovative technology solutions. He works with different customers throughout the UK and Europe to understand their business needs and help them set technology strategy and direction. He also has in-depth and extensive knowledge of customer business challenges with board-level messaging.