Risk, governance and cloud contract considerations

This is the transcript of the post-conference CSO interview with Rob Livingstone on key risk, governance and cloud contract considerations.

The CSO CXO Series event was sponsored by Trend Micro and held in Melbourne on 31st July 2015. The interview was conducted by David Braue, CSO Moderator.

David Braue (CSO): Well thanks for your time today.

Rob Livingstone: Pleasure.

David Braue (CSO): I was very interested to hear your thoughts at the event, together with some people from different industries. We had a lot of perspectives. What was probably the main theme and takeaway for you from today’s event?

Rob Livingstone: The people at my event table represented a wide range of industries. I think the common theme that came out was trust. Trust is built up from well-educated and tech-savvy executives and business leaders, together with a business-aware IT team, all talking the same language. Building this mutual trust is probably the most important thing to lead to a successful digital or transformation journey for any organization.

David Braue (CSO): Now, with this trust in the team members and the skills that you have within your organization, what trust do you have in your cloud providers?

Rob Livingstone: It’s all of the above, but it includes and extends to the cloud services provider, or any outsourced service providers. Sometimes company managers bypass their own internal IT departments – called shadow IT – in making cloud decisions. Where trust is absent on any of these layers, the enterprise is exposed to risk. Establishing and maintaining that trust, largely through evidence-based decision making and appropriate due diligence, is key. If yours is a high dependency, value, risk and complexity environment, then the appropriate level of due diligence needs to be applied, whether it’s cloud or not. If it’s a low risk, low governance environment – you know, where ‘close enough is good enough’ and one which doesn’t have onerous regulatory and legal compliance standards etc. – you can adopt a more relaxed position. The importance of trust in a cloud provider has to be a function of the context of the business, and the situation that organization faces at that point in time.

David Braue (CSO): Certainly with the cloud environment, in a cloud situation where you’ve got inbound services linked to the organization, it’s a different kind of relationship than you may have had in the past with partners who are often providing a service to help you do all that work.

Rob Livingstone: Correct.

David Braue (CSO): Now you’re actually handing off and allowing them to curate part of your business.

Rob Livingstone: That’s correct.

David Braue (CSO): What are the controls, and how do you build that trust to a level that satisfies your own requirements…

Rob Livingstone: Yeah, I think the key thing is visibility in and through their cloud ecosystem. With some cloud providers, you don’t know who they are using internally – or at their back-end – to maintain, monitor, manage and architect their own infrastructure. Is it all their own staff, or do they use a revolving door of contractors from high-risk countries? What are their governance and management processes? Look for some evidence of internal staff satisfaction, staff engagement and turnover if the provider is critical to your business.

If they have a much higher staff turnover rate and low staff engagement, the probability of having a disgruntled administrator is real. Take the Edward Snowden example. It is a real and present danger, let alone all the technology risks, which are one side of the vulnerabilities in that ecosystem. In essence, a clearer understanding of the context of your business and, in particular, your risk appetite and risk mandates should drive this degree of visibility. And where vendors say ‘trust us, we are large, we’ve got six billion trillion zillion clients and customers, and we’ve never had a data breach’ – well, that trust needs to be based on some sort of evidence. How do you know?

Of course, the other fallback position is to rely on your contract. What is the strength of your contract with your cloud provider? Is your contract likely to be enforceable? How much will it cost you to mount a legal challenge? Often, when you go through the legal issues surrounding your contract, it’s heavily skewed in favor of the provider in terms of very limited liabilities etc.

David Braue (CSO): There has been a trend towards that; in a lot of cases the cloud providers have thrived, and in fact what they offer is repeatability, predictability, consistency, but it’s almost always on their contract terms.

Rob Livingstone: Correct.

David Braue (CSO): How can organizations make sure that they are represented in that contract, and is it sometimes worth maybe locking away?

Rob Livingstone: Absolutely. Think in terms of price points. One of the challenges with the perception of cloud is that it is a cheap model, one that is marketed by cloud service providers as a lower cost than you could achieve internally. That may or may not be the case. This is where the equivalent internal best-of-breed, on-premise or managed / hosted IT service model needs to be stacked up against it on a total-cost-of-ownership equivalent basis. For example, on a per user per month basis or per unit consumption basis, on a like-for-like competitive basis over three or four years, or whatever the lifespan of that particular solution is. Only then can you draw a ‘like for like’ comparison. But cost is not the only issue. Where is your competitive advantage in your organization vested, and where does your intellectual property lie?

Where does it sit in terms of the value add that your technologies can deliver to the front end of your business? How or where can you generate new business by virtue of your technologies? What places you at a higher risk if you’ve got a cloud services provider who has a limitation? For example – in the instance where you’re a going concern, and you secure a major new piece of business. This, however, requires a far higher standard of security. Think data jurisdiction, privacy and PII, for example, or any other sort of issues which elevate your risk. Your intrinsic risk profile has to shift. What would you do if you run your entire business in the cloud, where you could not change much? So that is one example where organizations are often caught, where they are thinking in the here and now rather than what is likely to happen in the foreseeable future should things change.

David Braue (CSO): It certainly has the potential to get things very wrong initially, and I suspect that’s no different than any other technology: to say this will deliver a benefit, they go and try to implement it and realize during the process that it’s a lot harder than they think. Do you envision – and certainly in your dealings with companies that are out there trying to do this – that these things will temper the enthusiasm for cloud?

Rob Livingstone: Yeah, I think it’s all part of the hype. I’m surprised the cloud bandwagon hasn’t moved on, because cloud is still talked about at length with some uncertainty.

There’s also an asymmetry of perceived success with cloud, in that successful implementations are marketed and promoted by both the client organizations as well as the vendors, and that’s great, but the failures are not visible unless they end up in the press and the media, as occurs from time to time.

So there is this asymmetry of success, and indeed I’m aware of a number of organizations that nearly lost control of their business because of an inappropriate adoption of cloud technologies, because it was easy to take on with a low entry threshold. The asymmetry of perception makes it harder for non-IT executives to make a balanced decision, and therein lies the challenge.

David Braue (CSO): Those will definitely be testing times going forward; it’s a process issue, it’s a cost issue, it’s expectations, and of course the security elements.

Rob Livingstone: Correct.

David Braue (CSO): And how long would you say, based on what you’re saying, it will be before we have an understanding that we have good governance standards to work by, good policies, and we can make that decision with a bit more certainty, either yes or no?

Rob Livingstone: I think if I look at the internal IT department and the ICT landscape within organizations who rely on their ICT services, and if you look over the decades, how things have changed. The EDP department of old was where everyone had to go to get their computing work done, such as invoicing runs, reporting, or whatever. Now we’re in the consumerization of technology age, where anyone can use any technology anywhere. It’s part of the evolutionary process to understand why you’re using IT, for what purpose, and what your risk profile is. As boards of organizations become more digitally aware, they must take into account their own IT team’s insights, observations and perspectives, and have those included as a peer discussion. If they are ignored, then they’re exposing the business and themselves to substantial risk.

If, on the other hand, the IT department is poorly run, badly engaged, and is running things that are hindering the business – executives have to fix that first. So, the risk of bypassing a well-run and effective IT department exposes boards to much more risk than they would otherwise initially recognize.

David Braue (CSO): So the recognition over time will drive that?

Rob Livingstone: Absolutely, especially as the lawsuits start surfacing. As I often say to non-IT executives, “In your business, which one of your executives will be in the dock in the court – defending your company’s position to use this particular cloud vendor?” If you have clarity over that – then that’s fine, but do not rule this out from occurring at some point if your due diligence is not good. You only have to look at the recent instance of the Bank of Queensland Salesforce issue. There was a significant multimillion-dollar write-off by the Bank of Queensland because they went so far down the line with their enthusiasm for Salesforce before APRA, the regulatory authority, pulled the pin. They said, well, you really can’t do that, as it would breach legislation. So this illustrated a lack of the most fundamental contract due diligence, an issue which boards and their executives should be acutely aware of.

David Braue (CSO): Most definitely, and with the discussion about things like data breach laws on the table as well, the contract visibility.

Rob Livingstone: Yeah, absolutely, and the double-whammy with the mandatory breach notification legislation is its effectiveness. It offers no guarantee, because all the evidence is that the vast majority of breaches are not known for some time, and that deficit between detection and remediation can be some months, in which case the damage is already done. It’s not only the data breach but what else has been lost, stolen or compromised? This is the real issue, and in our ephemeral online world it’s quite uncertain – versus the bricks-and-mortar physical theft of physical assets.

David Braue (CSO): Much food for thought, thank you so much for your time.

Rob Livingstone: It’s a pleasure, not a problem.
