As enterprises adopt and adapt to cloud computing there is a need for a new governance role. This is on the basis that this shift is a business shift, with the potential to open up new business opportunities, and not just an IT infrastructure shift as it is commonly portrayed and discussed. This governance is the role of the Cloud Review Board, and here we lay out 5 key responsibilities, and where the Board fits in the corporate scheme of things.
In particular we focus on what's been missed in discussions about "cloud governance" to date - that it's not a technical issue- that's just more of the same - but it's a business issue and in particular an information management issue. Technology governance is level playing field. Cloud governance is value-additive and it's about having an effective governance framework that facilitates coordination between various IT and business teams.
While the potential of cloud computing in the core of the enterprise is to drive efficiency and flexibility in the deployment of IT resources, its real potential lies more at the edge in enabling business innovation and employee empowerment. That's already manifesting itself in many organisations with business units or groups within them taking their credit cards and buying IT services over the cloud.
If you think about "solutions" to that issue, which keeps CIOs up at night, there are two ends of the spectrum:
- a policy banning any 3rd party systems without "high-level" authorization, and no company data to be stored in any unauthorized cloud system; or,
- an embracing of cloud services, and a proactive effort to coordinate those which are deemed to be worth coordinating in terms of business benefits.
The first approach locks the stable door, but it has some challenges:
- the horse may have already bolted - cloud apps are out there - so-called "shadow IT" - and will go underground, without an alternative this policy will discourage business innovation at the edge; and,
- competitors who adopt cloud services proactively will be progressing up the learning curve.
Sometimes the restrictive policy is accompanied by the news that "we will be providing our own in-house cloud service" - so-called "private cloud". That's neat, it answers the needs of your in-house developers, and in 3 or 4 years you'll be able to provide them what they can buy off the web today with their credit cards. But this doesn't solve the problem of business users buying software as a service to solve active problems or to deliver new services today.
The proactive approach recognizes the potential of cloud computing and the reality that cloud-apps are going to make their way into the organisation, especially in those areas where IT has been unable to respond or deliver the required functionality. It may sound like encouraging IT anarchy, and perhaps that is part of the revolution which cloud offers.
It's the old story, if the business users feel like they have been being held hostage to IT, then they'll break away. On the other hand if there are positive and constructive relationships in place then there'll be coordination as users approach cloud apps.
Whatever happens there is now a need for a new IT oversight or governance role, what I call the Cloud Review Board.
The Cloud Review Board (CRB) exists to optimize the diverse and disparate investments the organisation is making in cloud computing and applications and in particular with respect to information assets.
Why information assets? Because those are the key to what cloud computing is actually all about. While the provision of IT infrastructure as a service, across the web, is a tremendously complex and challenging ambition it is not what makes the cloud so fundamentally important as a new business catalyst. You see the business power of cloud computing isn't actually the "computing". It's the data, the information!
Think of it this way, Scott McNealy, co-founder of SUN Microsystems (now part of Oracle) was known for saying "the network is the computer". That was a paradigm shift in thinking at the time, when mainframes and central processing power were the focus of attention and the network merely connected terminals to this central power. SUN was the "dot" in ".com" and its gear powered a lot of the initial Internet build-out. That was Web1.0.
We've moved on the the point where the Internet is industrial and it's no longer just "the computer" but is the database. The Internet is the database.
"Cloud computing" provides an industrialized approach to gaining access to that database. And by the way that doesn't mean just the data you own, that's the whole point. You gain access to everyone's data who gives you permission to have access, whether it be Facebook or another firm's SAP system.
Just as mainframes still exist, and provide lots of horsepower in and connected to the Internet, the Internet has also well and truly already become the computer, as SUN predicted. Each step doesn't negate the former, it's just that they don't represent the mental models needed to drive business innovation forward. The Internet is the database is now.
And that's why I believe that the key purpose, or goal, of the Cloud Review Board should be to effectively govern an enterprise's information assets.
I see 5 key objectives for the CRB - the agenda items for its meetings:
- Security. This agenda item is not about whether you can or can not put your data in the cloud from a legislative, privacy or location perspective. That's a decision for a task group which presumably has a reasonably clear outcome, and one not based on FUD but fact. You're here because there are some things you can do in cloud.
This agenda item addresses the collation of what information is out in the cloud, the business importance of that information, and what backup and recovery plans are in place. In other words the item is to discuss the risk/reward of securing information in the cloud.
- Data synchronization. Of all the projects we have in the cloud and those apps in-house, which information needs to be synchronized between them, who owns that information, and how is it governed?
- Corporate view. Of the synchronized information, how is corporate view being achieved which is consistent, complete, accurate and timely? Who is the owner of that view?
- Platforms. Of those cloud applications which are being used or proposed, which are built on architectural platforms, which if exploited more widely, could deliver us competitive benefits in the leverage of our information assets?
How do those platforms fit into our extended business systems architecture and platform architecture e.g. Software Oriented Architecture and other middleware. This is where platforms like salesforce.com's force.com have an advantage over traditional data silos or standalone hosted apps. With an open design and readily available APIs, platforms like salesforce.com's spur application ecosystems.
That idea of "application ecosystem" is key - that's the lever. Besides salesforce.com there's a multitude - Jive, Google Apps, cloud Sharepoint, LotusLive, Oracle's Beehive etc etc. Consider anything with an apps marketplace as a platform, and yes that includes mobile phone platforms. And don't overlook cloud messaging platforms and cloud VAN/EDI platforms.
Where a suitable ecosystem is in place, businesses are able to leverage those platforms to quickly offer new solutions to new or old problems in new or old markets. What's on offer to you?
- Projects. This agenda item reviews all internal development and systems acquisition proposals and asks why are we not doing this in the cloud, or harnessing a cloud-based application to solve this problem? In other words which parts of our business systems architecture is best in the cloud, and how are we tracking in making the transition?
And the reason we are asking this, in relation to the Review Board's goal, is because the Board needs to know if these new projects would be better in the cloud to harness the platforms discussed in point 4 above. Would they therefore be able to yield greater potential and value if they were part of our cloud ecosystem going forward?
At this moment, I consider these 5 agenda items to be the most crucial concerns of a Cloud Review Board.
The key payoff from an effective Cloud Review Board that it enables an organisation to proactively take advantage of the cloud shift in a way which optimizes business outcomes, at a known level of risk. Most importantly it allows organisations to leverage the Internet as the database, while maintaining data integrity for the purpose of competitive advantage.
Where the Cloud Review Board sits
The make-up of the CRB should not be dominated by IT folk. It should be IT-literate, information aware, and business-oriented folk, and the CRB itself should be aligned and perhaps report to the business group or steering committee governing overall IT strategy and business systems.
Typically a "Business Systems Steering Committee" will comprise the business owners of all the key systems. The Cloud Review Board would be a subcommittee of that Committee so that it would not become technology-focused for the cloud's sake or focused on technical cloud governance but a group that's responsible for supporting business and business information in their journey into the cloud.
While there could be many variations of a Cloud Review Board, and its priorities will change over time, it's most important that it not be bogged down in dogma, philosophy and arguments about whether the organisation can do cloud or not due to legislative, privacy, location or governance issues. That's not the role of a Cloud Review Board (that role is a much wider one which has to be driven from the very top through a very focused and tight cross-functional task force).
I believe that for the foreseeable future the goal of a Cloud Review Board will remain as this: to effectively govern an enterprise's information assets.
Do you have a Cloud Review Board or it's equivalent?
Is its role to govern the information assets?
Do you think such a Board is necessary or unnecessary?