Nearly half of US IT professionals say that the risks of cloud computing outweigh the benefits, according to the 2010 ISACA IT Risk/Reward Barometer survey.
CXOs are increasingly interested in cloud computing because it can deliver lower costs, higher returns and increased efficiency. Analyst firm IDC says that cloud services will outpace traditional IT spending over the next five years and will represent $44.2 billion by 2013.
Yet IT professionals see risks in entrusting information to the cloud, according to the survey of 1,809 US IT professionals who are members of ISACA. The ISACA IT Risk/Reward Barometer found that only 10 percent of respondents’ organizations plan to use cloud computing for mission-critical IT services and 26 percent do not plan to use it for any IT services.
This is consistent with the current appetite for overall IT-related risk. Despite economic uncertainty and the potential to drive greater rewards, more than three-quarters of those surveyed believe that projects should offer the same or lower levels of risk in 2010. Similarly, 79 percent will invest the same amount or only slightly more in risk management and compliance in 2010.
“The cloud represents a major change in how computing resources are utilized, so it’s not surprising that IT professionals have concerns about risk vs. reward,” says Robert Stroud, vice president of ISACA and vice president of IT service management and governance for the service management business unit at CA Inc. “If cloud computing is treated as a major initiative involving many stakeholders, it has the potential to yield benefits that can equal or outweigh the risks.”
Risks and rewards of cloud computing are examined in the free ISACA white paper, Cloud Computing: Business Benefits with Security, Governance and Assurance Perspectives, (www.isaca.org/cloud), a collaboration between ISACA and the Cloud Security Alliance.
From Compliance to Performance
The online survey also gauged behaviors related to IT risk management. According to IT professionals, only 22 percent of organizations are very effective at integrating IT risk management with their overall business risk management. The most common reason for practicing IT risk management was regulatory compliance (28 percent) versus business drivers such as improving the balance of risk taking with risk avoidance to improve return (8 percent).
“While compliance is critical, it is unfortunate that more enterprises do not see performance improvement as a primary reason for implementing effective risk management,” said Brian Barnier, member of the team that developed ISACA’s new Risk IT: Based on COBIT and principal at ValueBridge Advisors. “On the performance side, about 16 percent see cost management as a driver for risk management; 9 percent see business change as the most important driver; and 8 percent choose improving risk-return balance. From the CXO or board perspective, the main driver should be balancing risk vs. return to drive profitable growth. As the one-third of IT professionals who are more business-focused already seem to know, robust risk management is a powerful tool to create that value.”
High-risk Activities
The Barometer also revealed the top three high-risk employee behaviors:
Not protecting confidential work data appropriately (50 percent)
Not fully understanding IT policies (33 percent)
Using non-approved software or online services for their work (32 percent)
“Many employees are working around controls and using non-approved devices,” said John Pironti, member of ISACA’s Certification Committee and president of IP Architects LLC. “Instead of prohibiting certain technologies, organizations should train employees to use them safely.”
The IT Risk/Reward Barometer topics will be featured at the North America Computer Audit, Control and Security (CACS) conference (www.isaca.org/nacacs), 18-22 April 2010 in Chicago. North America CACS attracts IT audit, security, risk and governance professionals from around the world who discuss the latest challenges and solutions for critical industry issues. Risk management leaders will provide guidance based on ISACA’s new Risk IT framework.
ISACA IT Risk/Reward Barometer
The ISACA IT Risk/Reward Barometer is based on online polling results in March 2010 from 1,809 ISACA members located in the US. The study gauged organizational behaviors surrounding IT-related risks and rewards. Full results: www.isaca.org/news.
ISACA
With more than 86,000 constituents in more than 160 countries, ISACA® (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems assurance and security, enterprise governance of IT, and IT-related risk and compliance. Founded in 1969, ISACA sponsors international conferences, publishes the ISACA® Journal, and develops international IS auditing and control standards. It also administers the globally respected CISA®, CISM®, CGEIT® and CRISC™ designations and developed the COBIT®, Val IT™ and Risk IT frameworks.