Navigating Trusted Cloud considerations: Establishing the cloud transition team

This post was authored by Sean Pike, Program Director, eDiscovery and Information Governance, IDC.

If you’re planning on migrating certain IT resources or applications to the cloud or, perhaps, are still determining whether to move to the cloud, this blog is for you. Over the past couple of years, IDC analysts have had the opportunity to talk with a wide range of IT executives and professionals about their journey to the cloud.

The following showcases some common themes and questions resulting from those conversations. We also provide advice for building out a cloud transition team capable of meeting the most complex cloud challenges.

Question 1: How do I get started?

Chances are your enterprise has already started to embrace the cloud, whether you're prepared for its use or not. This is the typical Shadow IT problem. Business leaders and developers view cloud-based applications and platforms as low-cost, flexible alternatives to searching for customized platforms or waiting on other stakeholders to weigh in. So, today's business processes can look like a string of processes and applications that traverses internal applications, third-party cloud applications and cloud platforms. This brings us to the first tangible piece of advice for cloud migration and introduces the first member of our cloud transition team.

First, IT leaders must accept that their role has changed. IT is no longer able to be entirely prescriptive. This means democratizing IT and bringing business leaders into the fold to understand the exact problems and anticipated outcomes from new technology. The Business Process Leader is the first member of our new team. Of course, you can't tackle every business unit or process at the same time. Choose wisely. Look for business processes in flux, those actively engaging in conversations about new technology, and processes with distributed workforces. These make great candidates for an initial foray into the cloud.

Question 2: How do I know I'm banking on the right provider?

This question comes up more and more. Recognizing that there is a growing list of possible alternatives but that the cloud platform market is heavily dominated by a few key players, organizations can struggle to find the right mix of flexibility, price, service, security, and more. Most suppliers can provide a long list of their benefits, but identifying the right partner for your organization to capitalize on future opportunities while keenly identifying the potential for future challenges takes discipline and rigor. What's a company to do?

In these situations, I always turn to old reliable risk management. Sure, it can be a boring and tedious process to try to measure cloud risk, especially when you compare it to the more stimulating coin flip and dart throw methods. Fortunately, most companies already have someone trained in risk management who likely performs supplier/third-party risk management functions for IT and other business units. This is the second member of our cloud transition team. In large organizations, this function may be part of the Chief Finance Officer (CFO), Chief Risk Officer (CRO) or Chief Compliance Officer (CCO) organization, so you may need to approach several different business units, but you're looking for the most senior individual in charge of evaluating risk. For larger projects, I absolutely recommend starting with an executive to gauge his/her level of interest in supporting the transition. For smaller projects, there are likely a number of risk officers fully capable of executing supplier risk management evaluations for each potential supplier. Of course, you'll want to narrow options a bit before transitioning to the risk management phase, but performing a risk assessment for each of the final candidates is crucial. Chances are it won't make the initial discussions completely smooth, but it should help eliminate unanticipated turbulence later on.

Question 3: Can I even put that data/application in the cloud?

There's been a lot made of data breaches and fraud in the news over the past several years. Despite the fact that these are largely on-premises incidents, there's something about data moving away from the four walls of the enterprise that seems to challenge IT management. Moving to the cloud can change a company's risk profile. Compliance needs and a cloud provider’s responsibilities are important conversations to have, especially for highly regulated enterprises that have seen regulation and enforcement increase and new standards develop that dictate where and how data can be stored. Compliance departments can help identify and gauge potential issues; attorneys can help decipher regulatory intent. The importance of legal input is one of the reasons that we've seen an upswing in corporations hiring attorneys focused on specific practice areas, such as privacy or technology transactions. Welcome to the team, in-house counsel!

Question 4: Can we secure it?

Once you've made the determination that an application or dataset can be moved onto cloud-based infrastructure, questions will ultimately arise as to whether the enterprise can effectively secure the associated infrastructure or data. In some cases, major security functions may be the province of a selected cloud provider but, even then, you'll want to understand just how secure the infrastructure and data will be. Here, the Chief Information Security Officer (CISO) plays an incredibly important role. Cloud infrastructure and applications can provide different security challenges when compared with traditional enterprise IT security. CISOs need to be able to answer one important question: "Do we have the knowledge to maintain or evaluate cloud security mechanisms?" This requires an honest assessment of security teams and their existing skillset. If a CISO is unable to definitively answer "yes," the company may wish to acquire, train or contract the necessary skills.

Question 5: What's the real purpose for moving to the cloud?

There are lots of reasons that companies have begun moving to cloud applications and platforms. Chief among those reasons are cost and flexibility. Both cost and flexibility apply to long-term corporate goals of cutting IT cost, improving service and improving resiliency. They also apply to reducing risk related to new product lines. It’s much cheaper to spin up a new cloud-based virtual server to test out an idea than it is to maintain a product lab or acquire additional hardware. Whatever the goals are, CIOs and, perhaps, Chief Architects are able to shed light on long-term corporate strategy. That strategy will ultimately affect everything from which cloud provider is selected to the length of certain contracts. In other words, cloud transition can't peer through a narrow lens. The cloud transition team must have an understanding of future goals or it will risk executing on a poorly thought-out transition plan.

Wrapping up

To summarize, we've enlisted 5 participants for our cloud transition team: a Business Process Leader, a Risk Officer, a Legal representative, the Chief Architect or CIO, and the CISO or a high-ranking member of the security team. Now that the team has been created, it should be fairly clear how these individuals must work together in order to accomplish long-term corporate goals. It takes the insight of corporate business leaders and application developers to envision the value of new delivery methods and production platforms. At the same time, there must be a counterbalance to prevent the enterprise from running headlong into an ill-timed project or ill-fitted provider.

To learn more, visit the Trusted Cloud website.