Despite suggestions that the cloud would remove responsibilities from the shoulders of the CIO, the converse now looks to be true. Mark Samuels reports.

“The CIO is dead,” screamed the headline to an article on silicon.com’s sister site, TechRepublic. The story suggested on-demand computing would quickly mean technology purchasing decisions could be decentralised to line-of-business executives, rather than being made by a dedicated IT department.

Two years later, the cloud remains a work in progress and the management reality behind on-demand IT has hit home. Someone, somewhere simply must be responsible for the policies and strategies associated to the use of the cloud – and that person is still the CIO.

As the executive charged with making the most of internal and external technology resources, the IT chief has to steer the organisation towards secure on-demand computing. And that remains a tricky path.

A further dip into the archives shows just two members of silicon.com’s 12-strong CIO jury said the cloud was part of their strategy to cut costs in March 2009. For many IT leaders, security concerns remained a considerable barrier to entry.

The cloud inevitably raises security risks because of the greater reliance on partners, which must be audited

The cloud inevitably raises security risks because of the greater reliance on partners, which must be auditedPhoto: Shutterstock

Two years on and little has changed, despite the cacophony of hype surrounding on-demand computing reaching almost deafening levels. BT group CIO Clive Selley said his conversations with IT leaders show that most CIOs are now actively looking at the cloud but many of these executives also have common concerns about security, compliance and reliability.

Beyond the regulatory boundary

“CIOs want to know where data is being held because they can’t afford for information to go beyond the regulatory boundary,” he said. “Working in the cloud means you need to be able to guarantee physical location and data security.”

And those guarantees remain patchy for many CIOs charged with investigating the cloud. Take Malcolm Simpkin, CIO of the general insurance business at Aviva, who believes security is definitely holding back the cloud, as are concerns about quality of service.

“The point where both are solved is the point where the cloud becomes a sensible conversation,” he said. “At the minute, the costs outweigh the benefits and the necessary development surrounding the cloud will take two years at a minimum.”

That change is coming, with analyst Gartner’s 2011 CIO Survey suggesting that almost half, 43 per cent, of CIOs expect to operate their applications and infrastructures through the cloud within the next five years. At the same time, research from Forrester suggests 88 per cent of firms are focusing their IT security investments this year on data defence.

CIOs and data-protection priorities

Organisations, then, are allying a move to the cloud with a new focus on data protection. But despite this attention, Simpkin recognises there is nothing intrinsically new or different in terms of the significance of the security concerns associated with the cloud. Regardless of whether on-demand infrastructure is private or public, CIOs must always prioritise data protection. The alternative is simply anathema.

“We’ve always felt the pressure of security – making decisions about where data is held is always important. If we look after data ourselves, we have to have…

…strong private controls in place and the same is true of the public cloud,” he said. And it is the detailed management of cloud security that remains a work in progress.

Simpkin, like other IT leaders, can definitely see some software areas – such as email and commoditised hardware – where the cloud can be used to help push IT capability and delivery. But one executive will have to be the manager, understand the industry and challenge the supplier to ensure that innovation takes the business forwards.

“The CEO will always want someone to make sure that processes are right, and that person is the CIO,” Simpkin said. “You don’t give away the protection your business offers – you have to be responsible. If something goes wrong with the provider, the CIO will still be the executive that is responsible for data concerns.”

External service provides no guarantee of success

Just as in the case of outsourcing, an arrangement with an external service provider is no guarantee of success. Pushing a technical problem area beyond the firewall and into the arms of a third party will require much more than a hands-off approach, particularly if the business is to stay assured that crucial information is safe and secure.

“There’s a tendency for people to think of the cloud as someone else’s problem,” said CIO Trevor Didcock of easyJet, an airline that already uses on-demand email systems. Other potential areas of cloud development include human resource systems and the purchase of services through specialist third-party suppliers.

“You do have to think about management – it’s a distributed form of computing, so you can have a third party that’s working with your data on their own platform,” he said. “Therefore, the cloud does increase security risks because you’re necessarily more dependent on partners. You have to audit these partners if they’re managing your data. You can’t just rely on trust.”

Didcock’s concluding message to business leaders is similar to Simpkin’s at Aviva: the IT chief has to be in charge. “The buck stops with the CIO,” he said, before suggesting that the vendor community could help smooth out wider concerns. “There is a large degree of policy and there’s a nice potential niche for a supplier that can step in, fill the gap and help organisations to deal with these policy concerns.”

CIOs under pressure to compete

So, what of the suppliers? Joe Baguley, CTO of systems management specialist Quest Software, said the main thing he sees is CIOs under pressure to compete. Users regularly have better technology at home and in the cloud than they can get from their own IT department. He referred to the rise of file-sharing services such as Dropbox, which allow individuals to easily keep and share information online.

“The problem for CIOs is that more and more corporate data is moving outside their control and onto cloud services, and they tell me they are looking to provide similar services internally to compete,” said Baguley.

“If CIOs don’t start to put in place internal cloud-like offerings, or adopt external ones, then the average enterprise will get left behind. Trying to hold onto control of data and processes will be like trying to stop water with a sieve.”

Despite declarations to the contrary, then, the need for CIOs to maintain overall executive control of technology in an era of on-demand computing is stronger than ever. And their attention, above all else, must be on the secure means to allow a smooth transition to the cloud.