The CFO's role in the Cloud question

"CFOs must be involved from the start when determining how cloud computing can best serve the organisation"

Tom Powledge, vice president of product delivery, SMB and .Cloud, Symantec (Network World)
01 May, 2012 02:29
Comments

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Cloud computing will affect everything in your organisation - right down to the bottom line. For the CFO whose job centers on managing risk, what happens to your organisation's data in the Cloud is directly relevant to your role in the organization. Yet, many CFOs, and even their CIO counterparts, don't hear about some cloud deployments until after they're rolled out.

Research from the IT Policy Compliance Group reports that 54 per cent of organiaations surveyed do not know how many cloud computing projects are underway in their business. The ease and instantaneous ability to turn on cloud apps is leading to deployment without IT, legal, internal audit, and information security involvement, resulting in new and unanticipated risk to the organization. In some cases, the only way these organizations find cloud services operating is after finance identifies orders and payments from invoices.

This means that not only were the risks not evaluated, but the change in accountabilities was likely not considered. For enterprises to fully realize the benefits of cloud computing and minimize the risks, CFOs must be involved from the start when determining how cloud computing can best serve the organization.

Cloud models provide multiple benefits, including elastic consumption, elimination or dramatic reduction of capital expenditure, self-service, and pay-as-you-go pricing. In many cases migrating to the cloud eliminates capex and replaces the upfront costs with predictable and manageable opex. When cloud resources are maintained outside of the business, CFOs can shift form managing an asset in a fixed manner to managing a service, which is an operational cost.

In addition to capital savings, maintenance costs may be reduced by adopting cloud computing. The cloud provider maintains the service and performs any necessary upgrades, freeing the customer from the additional man hours IT staff would require to keep up an on-premise deployment. [Also see: "Cloud-onomics 101"]

It's short-sighted to view this as an opportunity to further reduce operating costs by lowering head count in IT. CFOs that see the big picture recognize the opportunity the cloud presents to redeploy IT staff to work on more strategic projects that will have a direct impact on the business and can improve the bottom line -- developing competitive products or improving productivity. This transition lowers the risk associated with strategic IT projects and keeps business agile by allowing for more experimentation and innovation.

Beyond the direct financial gains, there are other advantages which, while less directly tied to revenue, still provide operational advantages. In business, where one day can mean the difference between leading the market and lagging behind competitors, cloud computing offers the advantage of speed. Whereas purchasing, testing, and integrating new hardware and software components can take weeks or even months, cloud-based solutions can often be deployed in a matter of hours. This flexibility also allows for real-time response to needs as they arise.

Another key advantage of cloud computing is the ability of mobile users to access corporate resources. With the proliferation of mobile devices, businesses can see a competitive advantage by having their employees connected whether or not they are in the office. This improved connectivity allows for faster response to customer service issues and other needs much more quickly than is otherwise possible.

The security of sensitive data in the cloud is one of the most prominent questions voiced by organizations that are considering making the move. The recent State of the Cloud survey conducted by Symantec shows that security is a top concern and also the top goal when moving to the cloud, but most businesses are optimistic -- 87% believe that security in the cloud will be at least as good as traditional measures.

READ: 4 essential cloud security tips

Keeping data within the perimeter of an organization is no longer the only -- or even the safest -- way to protect confidential information. Cloud vendors often have larger-scale operations that enable more resources and expertise to protect your data. In fact, security as a service can allow better protection than most organizations are able to achieve on their own. While the threats to organizations increase every day, instead of dealing with a targeted attack in an isolated situation, organizations in the cloud are part of a larger group that can leverage the greater intelligence of the cloud provider in an accelerated time frame.

Data in the cloud is subject to the same business risks in terms of data loss, whether it is deliberately leaked or hacked. Because information in the public cloud can reside along data from other customers, there is the potential for data leakage or related security breaches. In addition, because mobile users will be accessing corporate information and applications through a variety of networks, there is the risk of outside parties gaining access. CFOs need to be aware of these risks, since incidents like this pose financial threats to the business through loss of customer trust, as well as damage to the brand.

While the potential gains are significant, cloud computing also poses a unique set of risks that CFOs should be aware of. Compliance with governmental or industry regulations is an ever-present challenge, and it's important to select a cloud provider that will allow you to maintain that compliance. Regulations need to be carefully considered, including restrictions regarding the geographic location of data, who can access it, and the nature of the information which may be stored in the cloud. [Also see: "Meeting data privacy, residency and security requirements in the cloud"]

Where to start

CFOs play an integral role in ensuring the organization takes control of its cloud environment to mitigate risk and realize scalability and agility, particularly when any business manager with a corporate credit card can easily acquire new cloud services with the click of a button.

In order to take advantage of the benefits of cloud computing while managing the risks, there are several steps an organization can take.

CHEAT SHEET: How to get started with cloud computing

• First, take an active part in the discussion. Because the implications of cloud computing range beyond IT, the CFO should take an active part in the process from the beginning.

• Consider what information you are willing to put into the cloud, balancing risk with accessibility. Efficiency improves as your employees are able to access more information from more places, but be aware of the risks.

• Carefully evaluate cloud providers, particularly their security practices. The right provider should comply with all government and industry regulations, minimizing compliance-related risks. Their service should not only serve your current needs, but it must be able to scale to fit future needs as well.

• Implement security measures specifically developed for the cloud environment. There are a growing number of vendor solutions that are well suited to the cloud. Deploying these in addition to traditional, locally implemented security gives you the best protection.

• When creating a service level agreement (SLA) with a cloud vendor, be sure it includes requirements regarding uptime and data recovery, as well as financial penalties for failure to meet the SLA. Network downtime can cost your company just as much as outright theft or fraud, whether through loss of sales or simply employee productivity, and you will need to carefully consider your level of risk.

Technology is rapidly becoming a driving force in all aspects of the corporate environment, and important decisions such as adopting cloud computing deserve the attention of more than IT administrators -- the CFO should be involved in the process in order to communicate requirements, oversee the controls, ask for reports and ultimately take responsibility for the security of cloud vendors.

After all, the CFO is responsible for the financial reporting, controls and procedures for the whole organization, and, if anything goes wrong, the audit committee will hold the CFO accountable.