Tackling a risk-averse corporate culture is critical for companies transitioning to the cloud, says a prominent CIO.
IT departments must effectively contrast their organisation’s risk appetite with the opportunities in cloud computing in order to be successful, according to Krist Davood, Group CIO, Court Services Victoria.
“It helps to influence people within the organisation as to why this is a beneficial and innovative journey to go on,” he said during his recent CeBIT presentation. “Many businesses are anchored in the past, and there are multiple reasons why they should be wary of the cloud.”
While people tend to talk about the technical risks that need to be mitigated, Davood claims it’s just as important to be wary of governance and culture, as success depends more on the people surrounding you, rather than just the technology.
“If you get your governance strategy right, and you get your people and organisation right, you’re halfway there. Without the right people surrounding you, you’re dead in the water,” he says.
Davood explains how, in his former role as CIO for Schiavello Group, he managed to change the culture of the company after transitioning its network onto the cloud by what he calls the “slow boiling frog syndrome”.
“This involved transitioning various system layers within the company, so from that perspective our HR system was brought through this model as an example… then the business slowly began to go down this journey.”
Putting in place a strong governance model is very important, and often questions of roles, perspective, and even the abuse of high privilege roles can be mitigated by thinking outside the box, says Davood.
In order to protect the commercially sensitive data in the cloud, Davood refers to the hybrid model used, in addition to what he calls the “White House model”.
“About two and a half years ago, when the first CIO of the White House was here in Australia, an interesting point he raised was what the cloud journey would have meant from the White House point of view, particularly around privacy,” he says.
Davood said he followed in the footsteps of the White House CIO who advocated not only a hybrid solution, but one that meant he was able to go through a process of vetting who would have access to their data and to their infrastructure.
However, security and risk assessment is not just about taking people and privacy into account, says Davood, but also about communicating the risk of moving forward with or without cloud.
“Security issues are not just based on the risk of going into the cloud, but also what would happen if we just sit still.”