A recent American Banker article on cloud technology raises an absolutely crucial issue for readers: Does the unauthorized use of cloud-based information technology services create a security risk literally out of sight of the chief information officer (CIO)?
While the story did a great job of discussing the security concerns of corporate CIOs, in the case of data-intense, highly regulated industries such as financial services, information is actually highly guarded. Bank executives are well aware that keeping customer information confidential is the lifeblood of their business. Additionally, regulatory pressures ensure these businesses take virtually no chances, even under extreme pressure for new solutions to address the latest customer engagement method. To date, financial institutions have maintained their security by generally relying on tried-and-true methods of information management: managing costly legacy systems far beyond their usefulness.
In fact, a very real issue for professionals dealing with information overload in banks is not just that cloud services would be used in an unauthorized manner, which, of course, could happen, but rather that cloud solutions might not be considered at all. While this kind of thinking may have kept information protected, the more likely outcome is inaccessible and unknown records stored throughout an organization. Ironically, the lack of real information governance could contribute to the temptation to use unauthorized cloud services as a workaround to access needed information out of sheer convenience.
So how should CIOs manage their companies' information governance policies? Clearly, cloud services developed for financial services organizations would have to meet a very high standard of safety; not one that is an off-the-shelf solution for less-regulated industries. Not all clouds are created equal.
CIOs looking at cloud solutions should consider the type of customers already using the solution, and whether those customers have equivalent security and regulatory concerns. A good question would be whether these solutions have been architected from the ground up to ensure the security and accessibility required by regulators. The idea that cookie-cutter applications developed for all industries will meet the tough requirements of financial institutions is simply not going to hold. However, bank CIOs cannot continue to tie the hands of their businesses in need of data management, nor can these institutions continue to be hampered by costly, ineffective legacy systems that are not up to evolving needs. It's time for a change.
While a strong response to security concerns is completely understandable, bank CIOs and executives would be better served by taking time to learn more about available, relevant solutions that have the needed security and access measures in place.
One area that information governance experts will often stress as a solution is the development of private or "corporate clouds" vs. public clouds. In an informal survey conducted by my company during IBM's "Information on Demand 2011" conference, we asked attendees to compare their overall interest in public vs. private clouds. Perhaps not surprisingly, a vast majority of the respondents (all of whom were IT professionals and executives focused on information data) indicated a private cloud solution would be considered by their organizations as opposed to a public cloud. However, a good number indicated they were "not sure" in response to the cloud question, which told us that, even within the industry itself, there is a lack of understanding of the various levels and standards of cloud services available.
Two industry organizations that chronicle these issues and help keep professionals apprised of the various options out there are the Association for Information and Image Management (AIIM) and ARMA International. They offer definitive research around information governance and training for professionals. One area they carefully scrutinize is cloud services: how they are used and managed, as well as best practices. I would recommend CIOs and business-line executives take a look at some of the research and guidance offered by these industry associations when considering which cloud services to use in their organizations.