“Board members need a clear understanding of cloud computing benefits and how to maximize them through effective governance practices,” said Marc Vael, an ISACA board member and chief IT audit executive at Smals. “This requires the board to see cloud computing not as an IT project, but rather as a business strategy.” Bypassing established governance processes and failing to inform others within the enterprise about cloud computing initiatives may result in the enterprise assuming unknown risk and, thereby, increasing potential exposure. Without close monitoring and proper discipline, cost overruns may result if services are not turned off when they are no longer needed. Individually purchased services may conflict with established technology strategies. In some instances, acquisition of cloud services resulted in regulatory problems—problems that could have been avoided if usage plans were communicated and systematically considered beforehand.
According to ISACA, a nonprofit, independent association of more than 100,000 governance, risk, security and assurance professionals worldwide, boards should address five key questions to determine the strategic value that cloud services are expected to provide and the impact that the cloud may have on resources and controls:
- Do management teams have a plan for cloud computing?Have they weighed the value and opportunity costs?
- How do current cloud plans support the enterprise’s mission?
- Have executive teams systematically evaluated organizational readiness? For example, are the right skills available? Do cloud processes conflict with other established processes? Do cloud plans conflict with enterprise culture?
- Have management teams considered what existing investments might be lost in their cloud planning? Does the adoption of a cloud service nullify already-made technology investments that have not reached their planned end date, and is that noted and approved?
- Do management teams have strategies for measuring and tracking the value of cloud return vs. risk?
“The answers to these questions will help determine the enterprise’s readiness to adopt cloud computing and also help ensure that the necessary governance is in place,” said Vael. The challenge is for board members to have sufficient understanding of the opportunity that cloud presents so that they can effectively direct and monitor plans to leverage cloud and promote success.