Cloud CIO: Security vs. dangers of analysis paralysis

In his book "Predictably Irrational," Dan Ariely cites a study conducted at an upscale Menlo Park grocery store (speaking of which, how irrational is it that the Kindle version of this book costs $9.99, while the paperback version costs only $9.29 ... but I digress). The two professors published a paper based on the outcome of the study. Its title: Choice is Demotivating.

The study examined behaviors of shoppers when viewing a display of jams. When there were only six different types of jams, shoppers purchased one flavor or another 30 per cent of the time. However, when 24 jams were displayed, only three per cent of shoppers purchased a jar of jam.

The conclusion of the researchers was that too much choice actually caused people to refuse to make a decision, preferring to not have any jam rather than make a choice that somehow might leave an even better choice unselected. Essentially, confronted by too many choices, people are confused and befuddled and, feeling anxious about making the wrong choice, refuse to do anything.

I'm reminded of that study during many conversations I have with people who work at cloud computing vendors. Nearly all of them acknowledge that there is terrible confusion about cloud computing present in end user organizations; IT leaders feel overwhelmed by the options and therefore choose to put off making any decision.

This reaction is completely understandable. The incessant bombardment by vendors about how their product embodies, enables, creates, optimizes, accelerates, secures, integrates cloud computing environments would cause anyone to feel drowned.

Cloudwashed and Overwhelmed

Truthfully, vendors bear a lot of the responsibility for this. The flood of new (or "rebranded") products characterised as "cloud computing" seems ludicrous. The overreach of vendors to get on the cloud computing bandwagon has led to the coining of the term "cloudwashing," indicating a product that has had cloud terminology inserted into its description in hopes of somehow increasing sales.

Faced with such a ridiculous deluge of "cloud computing" products, IT buyers respond by being reluctant to take any meaningful steps in any direction, fearful that today's choice might be made obsolete by tomorrow's option marketed by a new vendor.

Much like the shoppers faced with a multitude of jam choices, IT executives opt to put off a decision in favor of more study, hoping that additional information will clarify the correct selection.

However, most IT executives face a much worse situation than a jam shopper. While too many choices of jam caused internal anxiety and a concomitant reluctance to choose, the downside of making the wrong choice was pretty minor: the cost of a jar of jam (although anyone who has shopped at Draeger's, the site of the study, might understand that the cost of a jar of jam there might well be not-inconsequential!).

Imagine, by contrast, the anxiety associated with trying to choose the "right" cloud computing product when the selection might cost millions of dollars and, perhaps, dictate the success or failure of one's career. It would be enormous -- and the motivation to wait for the "perfect" product might prove irresistible. The temptation to wait until things settle down and the winners emerge might also seem irresistible.

There's only one drawback to this temptation: it may be unsustainable in the face of pressure to do something about cloud computing. In his blog this week, well-known commentator David Linthicum points out "IT's cloud resistance is starting to annoy businesses." He notes that "a new study from Accenture and the London School of Economics and Political Science's Outsourcing Unit shows that IT people still see issues like security and privacy as a barrier to cloud adoption." The conclusion of the study: "There's a gap between business and IT. Businesspeople see the excitement and business benefits of cloud computing, so they're pushing for it. However, IT people see cloud computing as causing issues with security and lock-in, so they're pushing back."

David describes the current situation as business units experiencing frustration with the poor agility of IT and perceiving the focus on security and privacy as reluctance to embrace a solution that can improve IT speed and responsiveness.

Certainly one can relate to this. I had the misfortune of participating in a cloud computing panel recently that included a security expert, and I have to say his endless repetition of security "issues" and "challenges" (that could be addressed, needless to say, merely by engaging him to consult on the topic) reminded me of a famous Winston Churchill quotation: "A fanatic is one who can't change his mind and won't change the subject."

Nevertheless, it seems to me that, despite the tireless, endless recitation of cloud computing security issues, there exists a genuine concern on the part of IT organizations regarding cloud computing security and privacy.

Which raises the topic of asymmetric risk. In looking at the opportunity to adopt cloud computing for a particular initiative, the rewards and risks associated with the decision are asymmetrically divided. The business unit, which typically presses a reluctant IT organization to get with the program and adopt cloud computing, stands to gain most of the benefits associated with a successful rollout of the initiative. The quicker response to customers, increased revenues, and reduced costs all accrue to the business unit. Any positive outcomes will redound to the business unit, and the motivation to press for cloud computing is significant.

Meanwhile, should any security or privacy problems develop with the cloud computing initiative, the responsibility for those shortcomings will overwhelmingly fall upon the IT organization. The business unit executive will, quite reasonably, point out that ensuring the security and privacy of the application must lie with the experts -- IT. Any penalties meted out will naturally fall upon IT members of the project team.

In an environment such as this, it makes perfect sense that IT would be extremely cautious about cloud computing. After all, there's little upside for it by quickly moving to cloud computing, while there is considerable downside should it embrace cloud computing with the outcome being a security or privacy breach. Asymmetric risk/reward distribution practically guarantees that the different parties associated with a decision will focus on different factors and be motivated to behave differently.

And one can't say that IT delay in adopting cloud computing is therefore irrational or petulant. It's a natural reaction to an environment in which negative outcomes fall disproportionally upon IT. Regarding cloud computing, IT organizations might, quite reasonably enough, avoid absorbing additional risk as long as possible.

Frankly, it's not clear how the problem of asymmetric risk can or should be addressed. The proper reaction to one group (business units) overenthusiastically embracing a technology without considering its risk is not to prescribe that the group charged with evaluating risk also join the party and throw caution to the winds.

On the other hand, I see many IT organizations citing security and privacy concerns as reasons to not move forward with cloud computing when, I suspect, they are really suffering from the surfeit of choices facing them. It would be better to acknowledge the "choice paralysis" and address that rather than citing security and privacy as justifications for delaying moving forward.

It is for this reason that we typically recommend that IT organizations begin working with cloud computing with the explicit recognition that the initial choice of cloud computing platform might very well not be the long-term selection. Given that perspective, it makes sense to move forward aggressively with some choice, while architecting the initial applications so that migration to other clouds is possible. The learning generated by actually implementing and rolling out a cloud computing application far outweighs anything that can be grasped through meetings, webinars, sales meetings, conferences, and the like.

Bernard Golden is CEO of consulting firm HyperStratus, which specializes in virtualization, cloud computing and related issues. He is also the author of "Virtualization for Dummies," the best-selling book on virtualization to date.

Follow Bernard Golden on Twitter @bernardgolden.