Cloud certainly offers companies across industries many benefits – agility, decreased costs, improved collaboration and personalized services to the customer, to name a few. However, cloud also adds complexity to a company's risk profile. By further venturing outside its "four walls", such as by collecting external data and IT sourcing models that include cloud, companies are forced to evaluate their risk tolerance and seek out current methods to stay within the accepted level of risk. With cloud, there is a wide array of factors to consider in managing risk, including vendor management, shadow IT, business continuity, information management, cybersecurity and compliance. Navigating through each risk-contributing factor is overwhelming in and of itself for many organizations. This, combined with the fear of missing a critical element of risk, is stalling some investment in cloud.
The hesitation around cloud investment and level of discomfort associated with it is largely attributable to IT governance and risk management methods lagging the pace at which the IT landscape is changing. This scenario is causing a lot of confusion in the cloud market and also leading to inefficient and ineffective ways of managing risk. For example, a top concern with cloud for both users and providers is regulatory compliance. On the provider side, there has been and continues to be a great deal of activity to ensure compliance across the changing regulatory landscape. However, there lacks a standard method of proving compliance from the vendor side to the buyer side. This creates uneasiness among buyers and also ignites unproductive and unstandardized attempts from the buyer side to prove compliance on the provider side (mainly through lengthy surveys and questionnaires).
All of these factors are placing companies in a precarious position where many realize cloud investment is inevitable, but a lack of expertise in risk management defers widespread investment. This is generating demand, from both the cloud provider and buyer side, for consulting partners that have the technical expertise to address cloud initiatives, deep and current global compliance proficiency, methods for calculating risk tolerance and the ability to develop an operational and IT landscape that will keep the client company within risk bounds.
