Survey: Almost Half Of IT Professionals Say Cloud Computing Risks Outweigh Benefits
Nearly half of U.S. IT professionals say that the risks of cloud computing outweigh the benefits, according to the 2010 ISACA IT Risk/Reward Barometer survey.
CXOs are increasingly interested in cloud computing because it can deliver lower costs, higher returns and increased efficiency. Analyst firm IDC says that cloud services will outpace traditional IT spending over the next five years and will represent $44.2 billion by 2013.
Yet IT professionals see risks in entrusting information to the cloud, according to the survey of 1,809 U.S. IT professionals who are members of ISACA. The ISACA IT Risk/Reward Barometer found that only 10 percent of respondents’ organizations plan to use cloud computing for mission-critical IT services and 26 percent do not plan to use it for any IT services.
This is consistent with the current appetite for overall IT-related risk. Despite economic uncertainty and the potential to drive greater rewards, more than three-quarters of those surveyed believe that projects should offer the same or lower levels of risk in 2010. Similarly, 79 percent will invest the same amount or only slightly more in risk management and compliance in 2010.
“The cloud represents a major change in how computing resources are utilized, so it’s not surprising that IT professionals have concerns about risk vs. reward,” said Robert Stroud, vice president of ISACA and vice president of IT service management and governance for the service management business unit at CA Inc. “If cloud computing is treated as a major initiative involving many stakeholders, it has the potential to yield benefits that can equal or outweigh the risks.”
The online survey also gauged behaviors related to IT risk management. According to IT professionals, only 22 percent of organizations are very effective at integrating IT risk management with their overall business risk management. The most common reason for practicing IT risk management was regulatory compliance (28 percent) versus business drivers such as improving the balance of risk taking with risk avoidance to improve return (8 percent).
“While compliance is critical, it is unfortunate that more enterprises do not see performance improvement as a primary reason for implementing effective risk management,” said Brian Barnier, member of the team that developed ISACA's new Risk IT: Based on COBIT and principal at ValueBridge Advisors. “On the performance side, about 16 percent see cost management as a driver for risk management; 9 percent see business change as the most important driver; and 8 percent choose improving risk-return balance. From the CXO or board perspective, the main driver should be balancing risk vs. return to drive profitable growth. As the one-third of IT professionals who are more business-focused already seem to know, robust risk management is a powerful tool to create that value.”
The Barometer also revealed the top three high-risk employee behaviors:
- Not protecting confidential work data appropriately (50 percent).
- Not fully understanding IT policies (33 percent).
- Using non-approved software or online services for their work (32 percent).
“Many employees are working around controls and using non-approved devices,” said John Pironti, member of ISACA’s Certification Committee and president of IP Architects LLC. “Instead of prohibiting certain technologies, organizations should train employees to use them safely.”