In the next five years, the cloud will create corporate giants from nothing. It also may destroy some of the biggest icons of corporate America that we know today. Are you ready to take on the cloud of tomorrow? To adapt, stay secure and maintain compliance, enterprises should employ risk management and agile principles.
There's no doubt that cloud computing is top of mind with organizations of all sizes. Whether they're large, small, for-profit or nonprofit, the topic they most commonly ask me about is cloud computing. Some seek opportunity in the cloud; others are afraid, often for good reason. What amuses me is the "experts" who now are coming out of the woodwork and pontificating about the wares and woes attached to the cloud.
"Make sure your data is protected," the experts say. "Make sure your customers' privacy issues are addressed," they opine. "Make sure you're not violating any PCI [Payment Card Industry] or HIPAA [Health Insurance Portability and Accountability Act] concerns," they warn.
Common sense should already tell you all of that.
I see a stark absence of really good advice about handling compliance and risk as they relate to the cloud. The reason there's no good advice is that we've never seen a cloud this large before. It's a black swan: a rare, important and unpredictable event that defies normal expectations. There are no compliance regulations specific to the cloud, but there will be. And although there are commonsense risks that we can reasonably infer, there's no common law guidance available today. Most of the cloud's insidious risks haven't been unearthed yet, because the whiplash of their effects is still to come.
It is this uncertainty that underlies the fears of the cloud -- not knowing what you don't know. Risks that are known quantities can be profiled. How do you profile an unknown? The simple answer is that you can't. In traditional risk management, you would set up a management reserve for the so-called unknown unknowns. This contingent action respects that fact that you don't know everything that could happen. The problem with it lies in the impact of the black swan dilemma. The management reserve approach relies on an event having a relatively low impact; that kind of event is just the opposite of a black swan event.
Given the flaws in the management reserve approach, the next best thing to do is to structure operations to be agile enough to handle anything that might show up. This is still a contingent action, but it addresses the low-probability, high-impact unknown unknowns more effectively. Building agility can be segmented into the three classic areas of governance, risk, and compliance (GRC). Let's start with compliance.
Apply agile principles to compliance
Agility in regulatory compliance means responding and adjusting to guidelines, standards and regulations in near real-time. Answer this question for yourself: If the government passed a new regulation tomorrow, how long would it take for you to comply with it? Compliance includes:
- The ability to showcase an organization properly aligned to support the concerns of the regulation.
- The ability to produce a policy that demonstrates understanding, and a corporate willingness to abide by the regulation.
- The ability to showcase a control structure that demonstrates you've taken appropriate measures to mitigate risk.
- The ability to produce evidence of compliance in the event of an audit.
- The ability to produce evidence that all appropriate people are aware of and educated about the importance and impact of the regulation.
- The ability to produce evidence of a self-governing control system, whereby the suspicion of non-compliance can be reported without the threat of negative consequences.
You're not an agile organization unless you can adjust to new regulations quickly. Agility means bringing an organization back to a state of compliance in a short time. If it takes a week, you're good. If it takes a month, you're okay, but I urge you to get better. If it takes a quarter or longer, you're not good enough. To build an agile compliance organization, concentrate on the following:
- Strong communication, coordination and collaboration between the legal department and IT departments; alternatively, an IT wing dedicated to compliance.
- A nimble training infrastructure that's virtually plug and play.
- A robust policy management system that leverages information systems.
- An automated system for testing controls.
- Strong software change management that gives IT the courage to experiment.
Compliance is good, but risk is your biggest enemy. Agility in risk takes a combination of innovative and paranoid thinking. I suggest that a risk management team be established separate from the compliance team, because it takes a different set of skills. That said, the two teams will need to collaborate.
Applying agile thinking to risk management
Agility in risk management takes a great deal of creative and strategic thinking. The team should constantly be asking the question, "What are the uncertainties that I need to be concerned with, and how will they affect our organization?" Here is the signature of an agile risk organization:
- It has robust external information systems that are plugged into trends in the economy, technology, government and social arenas. (Ironically, a good source is the same cloud they're concerned about adopting.)
- It's constantly creating scenarios based on this information.
- It's good at building models that characterize risk in terms of probability, detectability and probable causation.
- It has systems for documenting and tracking assumptions.
- It welcomes new information and is able to incorporate and adjust its risk infrastructure (models, assumptions, profiling, and so forth) quickly.
Applying agile to governance
Governance in this context means combining compliance and risk management in a system that makes sense. An agile governance team will ensure that the risk and compliance systems are not only sound but resilient. It will provide open and effective communication channels between the systems' groups. It will support the infrastructure for the compliance group to respond quickly to scenarios generated by the risk group. And it will support the risk group in helping to process the information coming from the compliance group. This bilateral collaboration is critical for the organization's overall success in agility.
The key to managing cloud computing risk isn't the ability to predict technology changes as much as it is the capacity to respond and react to them. Will you be around in the next five years? Or will your organization be overcome by the dark demons that lurk in the nimbostratus regions of the cloud?
You have more control than you might think. If your organization is considering cloud computing, start making changes today to your GRC infrastructure. Of all the points I've noted above, start with the one where you thought, "Yeah, I think I could do that." That momentum is what you'll need to build the organization that will face the cloud of the future.
John Weathington is president and CEO of Excellent Management Systems Inc., a San Francisco-based management consultancy. Let us know what you think about the story; email firstname.lastname@example.org. Follow @ITCompliance for compliance news throughout the week.
This was first published in February 2010