Risk-free cloud is oceans away

Almost half of Oceania IT professionals say that the risks of cloud computing outweigh the benefits, according to the first ISACA Oceania IT Risk/Reward Barometer survey.

CIOs are increasingly interested in cloud computing because of its potential to deliver lower total cost of ownership (TCO), higher return on investment (ROI), increased efficiency and pay-as-you-go services. Analyst firm IDC says that cloud services will outpace traditional IT spending over the next five years and will represent approximately AU$51 billion by 2013.

Yet IT professionals see risks in entrusting information assets to the cloud, according to a recent survey of 218 Australia- and New Zealand-based IT professionals who are members of the global, non-profit professional association ISACA.

ISACA’s Oceania IT Risk/Reward Barometer found that fewer than 10 percent of respondents’ organisations plan to use cloud computing for mission-critical IT services and almost one third (30 percent) do not plan to use it for any IT services.

Consistent with this attitude is the appetite for overall IT-related risk in 2010. In the face of continued global economic uncertainty, and despite the potential to drive greater rewards, almost 60 percent of respondents believe projects should offer the same or lower level of risk as 2009.

However, this is significantly lower than the North American results, where 78 percent of those surveyed were comfortable with the same or lower level of risk than 2009, highlighting the greater confidence levels currently experienced in Australia and New Zealand.

Not surprisingly, though, almost one third (32 percent) identified budget limits as being their enterprise’s greatest hurdle when addressing IT-related business risk.

“Moving to cloud computing represents a significant shift in how companies utilise resources, so it is not surprising that IT and business professionals feel there could be a number of potential risks in entrusting information to the cloud,” says Ria Lucas, CISA, CGEIT, international vice president of ISACA and investment manager at Telstra Corporation Ltd., Australia.

“However, the advantages of speed, cost, flexibility and access to high-value services will drive the business demand for cloud services, as the rewards have the potential to outweigh the risk. What is important is that the transition to cloud computing needs to be viewed as requiring major governance review involving a broad range of stakeholders and a governance framework to address the changed risk landscape.”

The online survey also gauged organisations’ attitudes and behaviours related to IT risk management. According to IT professionals, only 17 percent of organisations in Australia and New Zealand are very effective at integrating IT risk management with their overall business risk management.

The most common reason for practising IT risk management was to ensure that current functionality aligns with business needs (25 percent), showing the need for sound business reasons to underpin IT change.

“The economic climate has had serious impacts on all aspects of business, including IT-related risk management activities,” comments Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, director of ISACA.

“On the performance side, about 10 percent of IT professionals see cost management as a driver for risk management; 12 percent see business change as the most important driver; and 13 percent choose improving risk-return balance. Respondents are also concerned with complying with industry and government regulations, with almost 20 percent reporting this being the main impetus behind risk management in IT systems.

“The key driver for IT-related risk management should be balancing risk vs. return to drive profitable growth. Senior management should view risk management as a powerful tool to create value and we urge enterprises to focus on the performance side of the equation,” adds Mr Hayes.

The ISACA Oceania Risk/Reward Barometer also looked at what IT professionals thought about employee behaviour. According to results, the top three high-risk ways in which employees contribute to ‘risky business’ are:
Not fully understanding IT policies (56 percent)
Checking personal e-mails or visiting social networking sites from work devices (52 percent)
Using non-approved software or online services for their work (42 percent)

“Many employees do not fully understand IT policies, putting systems at risk,” comments Howard Nicholson, CGEIT, CRISC, CISA, director of ISACA and business analyst for the City of Salisbury in Australia.

“The rise of social media tools has also created a number of potential issues. Instead of banning certain technologies in the workplace, organisations should investigate why employees feel they need to use these and train staff to apply safe practices.

“Organisations should also be evaluating whether they can harness the power of these new tools in the achievement of business outcomes. While they present significant risks, they may also provide opportunities for significant leverage when used as part of an appropriate business model that aligns IT use with organisational objectives.”

The risks and rewards of cloud computing are further examined in the ISACA white paper, Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives. The paper is a collaboration between ISACA and the Cloud Security Alliance and is available as a free download at www.isaca.org/cloud.