The smoke screen dissipates and the clouds build

“The Central Intelligence Agency is stepping up its reliance on Amazon’s burgeoning cloud computing infrastructure as US spymasters look to use cloud based commercial software in their analytical work

In a rare public speech last Tuesday, Doug Wolfe, the CIA’s Chief Information Officer, addressing an Amazon conference in Washington, cited AWS Kinesis and Redshift applications, which enable processing and analysis of massive streams of data, as the kind of software the CIA wants to use.

The spy agency already has a US$600 million contract in place with Amazon, which IBM challenged unsuccessfully in the courts.”

Source: Financial Times (ft.com)

Given that the number one reason organisations give for not moving to the Cloud is concern over security and data privacy, is this announcement the final ‘outing’ of the untruth behind the ‘cloud is insecure’ claim?

The security concern is often pushed by incumbent suppliers and internal IT staff as the primary reason why the cloud can’t be used within an organisation, but, as Nicholas Carr argued in his latest rant, this is nothing more than a FUD (Fear, Uncertainty, and Doubt) tactic propagated by those who stand to lose most from the shift to the Cloud.

“If it is good enough for the CIA it is probably good enough for me” should be the cry of business leaders, who can now demand that their organisation seriously evaluate a cloud shift and the many advantages such a move can bring, without fear of the Security Spectre.

My own experience in championing the run to the Cloud over the last decade is that any serious examination reveals a compelling truth: a well-engineered cloud approach is in actuality more secure than any home-grown alternative, and indeed better than the real state of security of the system the organisation is actually running today. This was part of the argument I used with the Australian Prudential Regulation Authority (APRA) when we obtained the first cloud-approved approach back in 2008: the proposed cloud solution was more secure and robust than the one already in place at the organisation, and if APRA had approved the current platform for operation, how could they possibly object to something that was demonstrably superior?

Well-engineered does need to be stressed, however, because a poorly implemented cloud solution can expose an organisation to greater security risk than it faced before. But the myth that cloud means insecure is now well and truly dead, and I thank the CIA for their belated, but crucial, support.


Board IT Governance

Is it time to consider an ‘IT for the non-IT director’ course in the same way we have ‘Finance for the non-finance director’ courses? When I did the Institute of Directors’ Diploma in Company Direction course in the UK this was certainly part of the syllabus. However, it wasn’t that long ago that senior executives and directors would openly boast of their ineptitude with IT, and it is within this corporate culture that many of the current executives and directors have been groomed.

The key IT governance points for directors, I believe, are risk and board performance. On the risk issue, directors carry heavy personal penalties for failing to adequately manage risk, up to and including imprisonment for serious breaches. Given that many companies today face a ‘failure of IT equals failure of the business’ equation, the risk issue cannot be underplayed. This has both operational and strategic dimensions. Operationally, inadequate disaster recovery capability can leave a business unable to conduct its business, and I have personally witnessed a number of successful businesses that have folded when an ‘event’ has occurred. The strategic failures are more difficult to quantify, but equally many examples abound of a new entrant to an existing stable market using a technology-enabled new business model to disrupt and ultimately drive out existing incumbent players. Both issues must be diligently and routinely probed by the directors, albeit probably through the auspices of the board risk subcommittee, and I personally support the CIO/head of IT of the organisation regularly attending the risk subcommittee.

The risk issue plays directly into the second issue of board performance and the debate about the benefits of diversity. Many directors still have a legal or financial qualification as the ‘usual’ prerequisite to being appointed. However, notwithstanding the point that many IT people fail to understand the business context, in an ‘IT is from Mars and the business is from Venus’ sense, there is certainly a growing recognition of the essential need for some of the directors to have deep IT understanding, so that the operational executive can be appropriately held to account in the same way directors would routinely probe the validity of the company’s financial statements. There was an excellent article in the AFR last year that looked at the record amounts of money being invested in IT programmes in the big four banks and the experience and background of the directors of the respective organisations. It left the journalist asking whether shareholders’ interests were being appropriately managed, given the directors’ potential inability to sufficiently probe the effective performance of the largest capital expenditure programmes in those organisations.

So I see this issue as one of education, i.e. firstly how to convince current boards that new members must be sought with this specific IT capability, and secondly how to convince IT people to acquire the broader skills required to be a competent director as opposed to a technical consultant. In both instances I see a role for professional bodies such as the AICD and the ACS to potentially collaborate on this.


Storm Clouds

With many Australian companies rushing to embrace the real benefits of cloud computing, many are failing to take account of the risks associated with this decision, risks which are very real for directors’ liabilities. On the flip side are just as many companies who aren’t using the cloud, but could gain great benefits from doing so, held back simply by perceived risks that are not real.

For a cloud computing implementation to be successful in an organisation it requires solid planning that covers all aspects of the holy trinity – commercial, legal, and technical. As the song goes, “Two out of three ain’t bad”, but in the case of cloud computing, unless all three aspects have been covered and appropriately balanced, there are bound to be problems. Cloud computing requires a true business–IT partnership, and either party going it alone can lead to severe unintended consequences. For instance, an IT-led initiative should deliver a solution that works and has good commercial arrangements but, as many are now discovering, leaves the organisation exposed to legal or regulatory issues. Similarly, business-led initiatives tend to fall foul of some technical gotcha.

The most notable catch is the potential conflict between the requirements of the Australian Privacy Act and the US Patriot Act. Specifically, a company may be exposed to potential breaches of the Privacy Act if its information is stored on a cloud that is within the US, operated by a US company, or operated by a company that does business with the US, irrespective of where the information is actually stored. This means the issue of data sovereignty is about more than which country my data is stored in: an Australian company storing customer data on a cloud in Australia that is operated by a US company, or by a company that does business with the US (e.g. Google, Microsoft, Amazon, Telstra, Optus, Fujitsu), would still be subject to the jurisdiction of the Patriot Act. Many companies in Australia are already deploying to cloud services, sometimes without even knowing it, by contracting services from another company (e.g. accountancy firms using cloud-based accounting software), and haven’t checked or updated their privacy policy or service contract to reflect the Privacy Act requirements. Another issue for many Australian firms to consider is that many ‘clouds’ are offshore, especially in Singapore, which presents its own challenges in terms of jurisdiction on matters such as privacy.

Whilst a lot of this remains theoretical, in so far as no cases have yet been brought to trial and it isn’t publicly known whether the Patriot Act has been used on data relating to Australians (either in Australia or the USA), regulatory breaches have already been recorded. One large Australian financial services company has fallen foul of a compliance issue by using a cloud service. In this instance the regulator didn’t object to the cloud service per se, but to the fact that the company concerned hadn’t followed a clearly defined due diligence process in its move to a cloud service. This case led to an executive of the organisation declaring the cloud unsuitable for use in financial services companies. However, the benefits of cloud computing are probably most applicable to financial services companies, and those that have followed the outlined process have obtained regulatory approval. Therefore, in most instances the question is not whether the cloud is ready for your company, but rather whether your company is ready for the cloud!

There is still confusion as to what cloud computing actually is, in both the business and the IT community. So-called “cloud washing”, where IT companies reposition and repurpose their existing offerings, is still all too common, though much less so than a year ago as the market matures and real cloud services finally arrive. There are also excellent research reports now available that can help guide buyers, which were not there a year ago, and there is at least one international standards body providing a clear definition of cloud computing, one that can be used to assess a vendor’s offering for compliance. It is surprising, though, how many people, IT professionals included, are simply unaware of this.

Cloud computing, just like previous advances in computing, has left the IT industry awash with snake-oil salespeople, and a lot of customers chasing an elusive pot of gold at the end of the rainbow. However, for those who plan and chart a course correctly, there is definitely a silver lining to their cloud.


Hello world!

A first step in the blogosphere…
