Cloud security: Why CIOs must tighten their grip

Organisations are allying a move to the cloud with a new focus on data protection...

Despite suggestions that the cloud would remove responsibilities from the shoulders of the CIO, the converse now looks to be true. Mark Samuels reports.

"The CIO is dead," screamed the headline to an article on's sister site, TechRepublic. The story suggested on-demand computing would quickly mean technology purchasing decisions could be decentralised to line-of-business executives, rather than being made by a dedicated IT department.

Two years later, the cloud remains a work in progress and the management reality behind on-demand IT has hit home. Someone, somewhere simply must be responsible for the policies and strategies associated to the use of the cloud - and that person is still the CIO.

As the executive charged with making the most of internal and external technology resources, the IT chief has to steer the organisation towards secure on-demand computing. And that remains a tricky path.

A further dip into the archives shows just two members of's 12-strong CIO jury said the cloud was part of their strategy to cut costs in March 2009. For many IT leaders, security concerns remained a considerable barrier to entry.

The cloud inevitably raises security risks because of the greater reliance on partners, which must be audited

The cloud inevitably raises security risks because of the greater reliance on partners, which must be auditedPhoto: Shutterstock

Two years on and little has changed, despite the cacophony of hype surrounding on-demand computing reaching almost deafening levels. BT group CIO Clive Selley said his conversations with IT leaders show that most CIOs are now actively looking at the cloud but many of these executives also have common concerns about security, compliance and reliability.

Beyond the regulatory boundary

"CIOs want to know where data is being held because they can't afford for information to go beyond the regulatory boundary," he said. "Working in the cloud means you need to be able to guarantee physical location and data security."

And those guarantees remain patchy for many CIOs charged with investigating the cloud. Take Malcolm Simpkin, CIO of the general insurance business at Aviva, who believes security is definitely holding back the cloud, as are concerns about quality of service.

"The point where both are solved is the point where the cloud becomes a sensible conversation," he said. "At the minute, the costs outweigh the benefits and the necessary development surrounding the cloud will take two years at a minimum."

That change is coming, with analyst Gartner's 2011 CIO Survey suggesting that almost half, 43 per cent, of CIOs expect to operate their applications and infrastructures through the cloud within the next five years. At the same time, research from Forrester suggests 88 per cent of firms are focusing their IT security investments this year on data defence.

CIOs and data-protection priorities

Organisations, then, are allying a move to the cloud with a new focus on data protection. But despite this attention, Simpkin recognises there is nothing intrinsically new or different in terms of the significance of the security concerns associated with the cloud. Regardless of whether on-demand infrastructure is private or public, CIOs must always prioritise data protection. The alternative is simply anathema.

"We've always felt the pressure of security - making decisions about where data is held is always important. If we look after data ourselves, we have to have...