Julian Box, CEO and Founder of Calligo, shows how current cloud strategy design is not suitable for 2018, and the tangible impact it is having on businesses.
No matter the business area, any strategy inherently serves to execute on the business’ wider objectives. In theory, this means that the starting point for building any strategy is those objectives, alongside any nuances to the business environment – whether legislative, political or regulatory – that need to be accommodated.
However, in recent years, CIOs have been drawn away from this best practice in their construction of cloud strategy.
The reason is the natural stranglehold that information security has over the media headlines. The impacts of ill-conceived and poorly-executed security efforts are naturally attention-grabbing and will stick in the IT industry’s memory. No CIO wants to be the next to be associated with a ruined brand, plummeting share price or crippling fines.
The power of these stories and the fear they cause has drawn companies’ IT leaders off course in how they plan their cloud strategies.
We suspected that this had become such a critical issue that we investigated the degree of the problem and its impacts earlier this year. Our market research data from more than 200 UK companies showed that information security has become by far the number one consideration in the construction of cloud strategies. The business’ core objectives were ranked second, but were statistically considered only half as important – a stark and worrisome gulf. Ranking alongside business objectives were both industry-specific compliance and the most critical new facets of the modern business environment – data privacy and GDPR. All of them were outdistanced by security by a remarkable margin.
Is it possible to be too focused on security?
No one would argue against the importance of information security in cloud strategy, but its ranking and the distance of its lead ahead of other considerations is disproportionate and dangerous. In fact, it suggests a fundamental problem and misunderstanding about information security itself, and its place in cloud strategy.
Giving information security an unequal priority over other considerations such as business objectives, compliance and data privacy suggests that CIOs do not appreciate how security is an intrinsic component within each and should not be treated as a standalone pillar. To do so risks mistaking it for simple technical security and the implementation of firewalls and anti-virus, rather than the strategic discipline it has become, incorporating processes, operational performance and compliance.
Does it matter?
To some, these will seem academic problems. But this naivety and fixation on technical security has real world implications, far beyond the way the cloud strategy is designed. It has meant that cloud platforms themselves (Microsoft Azure, Amazon Web Services etc.) have been chosen for unwise reasons – choices that have subsequently had tangible and detrimental impacts on the business.
Our research showed that security’s dominance in the cloud strategy has naturally led to it being either the first or close second consideration when choosing a cloud platform, regardless of which was chosen. Cost and uptime were almost universally the other two factors.
But the interesting point is not what ranked highly, it’s what was not ranked at all. Worryingly, vital aspects of cloud and business performance such as data regulations, industry-specific compliance, integration capabilities and latency were all muscled out by security. None of them, despite their at least equal importance to a cloud platform’s suitability, were considered sufficiently important to feature anywhere in the top three considerations for any platform’s selection.
So if cloud strategies are being devised from the wrong starting point, and cloud platforms are being chosen for the same wrong reason, what has the impact been?
What’s the damage?
In order to discover if these choices have had a detrimental impact on the business, we examined where compromises were knowingly made. This would show not only where the impact lay, but also give further insight into what CIOs and IT heads were willing to consciously surrender in favour of security.
And the results were revealing. Cost is the first to be compromised in any situation where there is another priority to be met. It was therefore no surprise to see almost half of CIOs admitting to spending more than they needed to in order to implement their security preferences. Even performance was willingly surrendered as many let latency suffer or overlooked less-than-ideal uptime guarantees. Similar numbers sacrificed ease in migration and technical integration.
But the worrying trend was the proportion of cloud platform selections that deliberately undermine both industry-specific compliance (43%) and data regulations (41%). Data privacy is the theme of business in 2018, especially in light of GDPR launching in May, and yet CIOs and their teams are overlooking it in their cloud strategies.
Taken as a whole, this data shows that CIOs are openly building cloud infrastructures that are more expensive and more difficult to manage than they need to be, and that are openly in breach of legal requirements – all in the name of technical security. Simply because they don’t see an alternative.
The great irony of this situation is that it is the fear of brand damage, fines and potentially even worse that drives this overwhelming focus on security. And yet, they do this while risking exactly the same penalties for failing to comply with regulations, particularly data privacy.
What can be done?
Frustratingly, our research also showed that while businesses recognised they have had to compromise, they are nervous of making a change. They may know they are stuck with a poorly-conceived cloud strategy and platform selection, but the migration to a new cloud platform or introducing an additional one is just too daunting. The cost of migration, the possibility of downtime and the practical difficulty of the move are considered just too risky.
But unless cloud strategies can be revamped to meet the particular pressures of 2018, and cloud service providers can be found whose offerings mitigate these concerns, businesses will continue to leak profit and invite the scrutiny of regulators.