More than 45% say risks of cloud computing outweigh benefits

Close to half of US IT professionals say that the risks of cloud computing outweigh the benefits, according to the first annual ISACA IT Risk/Reward Barometer survey.

CXOs are increasingly interested in cloud computing because of its potential to deliver lower total cost of ownership (TCO), higher return on investment (ROI), increased efficiency and pay-as-you-go services. Analyst firm IDC says cloud services will outpace traditional IT spending over the next five years and will represent $44.2 billion by 2013.

Yet IT professionals see risks in entrusting information assets to the cloud, according to the survey of 1 809 US IT professionals who are members of ISACA. The IT Risk/Reward Barometer found that only 10% of respondents' organisations plan to use cloud computing for mission-critical IT services, and one in four (26%) do not plan to use it for any IT services.

Consistent with this attitude is the appetite for overall IT-related risk in 2010. In the face of continued economic uncertainty and despite the potential to drive greater rewards, more than three-quarters of those surveyed believe projects should offer the same or lower level of risk in 2010. Similarly, 79% will invest the same amount or only slightly more in risk management and compliance in 2010.

“The cloud represents a major change in how computing resources will be utilised, so it's not surprising that IT professionals have concerns about risk vs reward trade-offs,” says Robert Stroud, international vice-president of ISACA. “But risk and value are two sides of the same coin. If cloud computing is treated as a major governance initiative involving a broad set of stakeholders, it has the potential to yield benefits that can equal or outweigh the risks.”

The risks and rewards of cloud computing are examined in the ISACA white paper, Cloud Computing: Business Benefits with Security, Governance and Assurance Perspectives. The paper is a collaboration between ISACA and the Cloud Security Alliance and is available as a free download at www.isaca.org/cloud.

The online survey also gauged organisations' attitudes and behaviours related to IT risk management. According to IT professionals, only 22% of organisations are very effective at integrating IT risk management with their overall business risk management. The most common reason for practising IT risk management was regulatory compliance (28%) versus business drivers such as improving the balance of risk taking with risk avoidance to improve return (8%).

“While compliance is critical, it is unfortunate that more enterprises do not see performance improvement as a primary reason for implementing effective risk management,” said Brian Barnier, member of the team that developed ISACA's new Risk IT: Based on COBIT. “On the performance side, about 16% see cost management as a driver for risk management; 9% see business change as the most important driver; and 8% choose improving risk-return balance. From the CFO, COO, CEO or board perspective - just like in personal investing or sports - the main driver should be balancing risk vs return to drive profitable growth. As the one-third of IT professionals who are more business-focused already seem to know, robust risk management is a powerful tool to create that value. We hope to see more enterprises shift from a compliance to performance view of risk management.”

The Barometer also looked at what IT professionals thought about employee behaviour. According to results, the top three high-risk ways in which employees contribute to “risky business” are:

* Not protecting confidential work data appropriately (50%).
* Not fully understanding IT policies (33%).
* Using non-approved software or online services for their work (32%).

“Many employees are working around controls and using non-approved devices and programs so they have the tools they need to do their jobs,” said John Pironti, member of ISACA's Certification Committee. “Instead of prohibiting certain technologies, organisations should try to learn why their employees feel they need these technologies and train employees to use them safely.”

To learn more about security-related risks, the 2010 ITWeb Security Summit, which is taking place from 11-13 May 2010 at the Sandton Convention Centre, brings together leading international and local security experts and industry innovators, as well as a blue-chip audience of IT and security professionals. Register at http://www.securitysummit.co.za.