CIOs cannot ignore governance in cloud

Cloud adoption in organizations includes staff use of personal cloud services, highlighting need for IT chiefs to focus on governance or risk having confidentiality compromised, industry execs note.
Written by Jamie Yap, Contributor

SINGAPORE--Enterprise cloud adoption as well as personal cloud use among employees for work purposes mean CIOs must also think about governance to have successful and secure cloud implementation.

Geofrey Master, Asia head of business and technology sourcing practice at law firm Mayer Brown JSM, said CIOs today must deal with "constituents in their organization" who have access to cloud technology regardless of whether they use it for personal or professional reasons.

Speaking in a panel discussion at the 3rd Cloud Computing Executive Roundtable event held here Thursday, Master explained that given the proliferation of Web technology in today's digital era, even if a company openly states it does not adopt cloud services, there is still "the silent cloud within" that cannot be ignored when employees, for example, say "send that [document] to my Gmail".

This dynamic environment and potential sprawl--created by consumer-type cloud use within organizations, where such use is prohibited due to industry or compliance regulations--is a clear signal that CIOs "cannot turn a blind eye to this very dangerous [scenario]", he emphasized.

Another panelist, Ho Wah Lee, partner and head of advisory at KPMG Singapore, concurred, saying CIOs have to think differently when it comes to cloud implementation because it changes the way they interact with customers, employees, suppliers and regulators.

For instance, IT heads cannot begin to look at how to ensure successful cloud deployments without first instilling a comprehensive code of cloud conduct for staff. "If the people in your organization are using cloud services like iCloud, your corporate information could get compromised," Ho pointed out.

Having cloud-related governance, policies, training and staff awareness and education, are all the more critical, given that companies are always concerned about protecting their confidential data whenever they adopt a cloud service, he added.

Be a facilitator, not just inhibitor
Gary Teo, IT director of campus IT services at SIM University, one of panelists, said online sharing of documents was inevitable in the education space.

To counter any "shadow IT"--a term referring to IT use without prior approval--by staff in the school, it was necessary to put in place policies for data and document classifications, Teo told ZDNet Asia at event sidelines.

However, he noted that the IT department must be a facilitator, not just an inhibitor.

Because people would always prefer something that is easier, better and cheaper to use, IT must make it simple for staff to use their company's own system, so they will not turn to online tools such as Dropbox or Facebook to share information, he emphasized.

"The IT department has to be very sharp and suss out the kind of requirements staff have, zoom into the area where shadow IT has been identified, and mitigate that by giving even better solutions."

In SIM University's case, its IT department made it easy for academic staff to deposit content, and easily view and share large-sized files with an in-house application, Teo shared, noting simplicity was the underlying hook to ensure staff buy-in.

Krishna Srinivasan, director of IT infrastructure at UBS, said as an investment bank, the company has one of the most conservative set of requirements and "tremendous amount" of regulatory compliance when it comes to cloud.

Hence, use of personal cloud services among employees could not be permitted in UBS, Srinivasan said during the panel discussion.

The company, however, did adopt cloud as part of its infrastructure because it provided benefits in terms of efficiencies, such as provisioning for burst workloads and better support of its mobile workforce, he said.

To ensure its cloud use was compliant with regulations, Srinivasan said UBS established a very clear operating and service delivery model that demonstrated to regulators "complete transparency [and] audit-ability".

The panelists' discussion on the need for CIOs to change their tact due to the inevitable deployment of cloud services echoed McKinsey analyst Rajat Dev's prediction that private cloud adoption would grow "especially fast" among companies.

Editorial standards