Cloud computing: Risks outweigh the benefits

Research conducted across Europe, the Middle East and Africa (EMEA) by ISACA has found that a quarter of enterprises that already use cloud computing believe that the risks outweigh the benefits (a fifth in the UK), yet still carry on regardless.

This perhaps recognizes the relative immaturity of cloud computing usage and the uncertainty of the balance between risk and reward. Of the more than 1,500 professionals sampled across more than 50 EMEA countries, 33% already use cloud computing (40% in the UK).

According to ISACA’s survey, the IT Risk/Reward Barometer, EMEA, with regard to future use of cloud computing:

• 9.4% of respondents (8.9% in the UK) plan to use cloud computing for mission-critical IT services
• 8.8 % (9.6% UK) will only use the cloud for low-risk, non-mission-critical IT services
• 35.6% (31.8% UK) do not plan to use the cloud for any IT services
• 17.9% (23.6%) have not formalised their plans
• 28.2% (26.1%) were not aware of any plans for cloud computing.

The survey found that nearly two thirds (63%) of organizations claimed they are willing to take IT-related business risks in anticipation of a return for the business (64.3% UK) and 12.1% would take large risks to maximize business return.

When asked about integrating IT risk management with the organization’s overall approach to risk management:

• 4.8% admitted they do so without a formal approach to business risk management (3.2% UK)
• 22.2% said they did not effectively integrate IT risk management with their overall approach to risk management (22% UK)
• 24% said they are very effective at managing risk (20% UK)
• 48.7% reported being somewhat effective (54% UK).

ISACA acknowledges that to get ahead in business, there must be an element of risk, but warns it mustn’t be at any price.

In additional findings from the study, 61% of UK organizations reported that they believe the biggest risk employees pose to their organizations is failing to protect confidential data – although this is slightly lower elsewhere in EMEA, at 58%. In addition, the UK and EMEA both rate an employee’s use of non-approved software or online services second at 32% and 36%, respectively. Considered low risk by 46% of UK IT professionals (42% in EMEA) is an employee checking personal e-mail or visiting social networking sites from a work device. More than half the organizations questioned (56%) across EMEA believe that investments in IT services are not utilized to their full benefit.

Budget limits are an organization’s greatest hurdle when addressing IT-related business risk, say 34.2% (31.2% in the UK), followed by business lines that are not willing to fully engage in risk management – 28% in the UK and 24.2% in EMEA. Where the UK and EMEA disagree is on what is the most important action an organization can take to improve IT risk management -UK organizations place emphasis on improved coordination between IT risk management and overall enterprise risk management at 32.5% (29.4% in EMEA), whereas 31.5% in EMEA recommend an increase in risk awareness among employees (28% in the UK).