Organizations that ignore the IT department when approving Cloud projects will face more than just security challenges, according to a legal expert.
Speaking before his presentation at Computer Audit Control Security (CACS) 2011 in Brisbane, Deloitte technology risk partner, Alastair Banks, said that all parties, including risk and audit staff, should be involved when deciding to investigate moving data or services into the Cloud.
“Cloud is not going to be for everyone and that’s why not every organization will go down that path,” he said. “They should be assessing it [Cloud] and considering if there is business benefit in it, then they can decide if the risks such as security and data privacy can be overcome to deliver those Cloud benefits.”
He gave the example of an Australian organization that Deloitte worked with that did not involve all the relevant parties, such as the chief information officer, in a Cloud implementation.
“The first time the CIO knew that a Cloud solution had been contracted by the organization was when he was phoned by the Cloud provider saying that they needed connectivity to the network,” he said.
“This is an example where the payroll department simply went out and procured a business service from the Cloud. We have to be careful because the IT department are going to feel challenged by other parts of the business undertaking Cloud projects without their knowledge.”
According to Banks, exploration of the Cloud was a great opportunity for technology risk professionals to become the good guys and be seen to be helping the organization overcome the challenges of Cloud.
“What happened with that organization is not an ideal situation so make sure there is governance over that project in the same way as any other IT implementation.”