Conversations with the CFO about cloud and consumer technologies go beyond the IT budget. CIOs need to apprise CFOs of any compliance and corporate governance implications that arise from new approaches to provisioning IT. (For more about how to talk to CFOs, see “What CFOs Need to Hear about Cloud Computing and Consumer IT.”)
At most companies, CFOs have direct responsibility for complying with regulations that cover data privacy, retention of financial records, and the security of financial reporting systems. Under the 2002 Sarbanes-Oxley Act, a CFO who knowingly certifies misleading or inaccurate financial statements faces criminal penalties of up to 20 years in prison. Companies that carelessly allow employee health records to be lost or stolen face large fines and public humiliation, because breaches affecting large numbers of individuals must be reported not only to the people affected but to prominent media outlets.
Other countries have data privacy regulations that further complicate a move to the cloud. Vendors say, for example, that Germany’s laws mandate that individuals’ records cannot be physically kept outside Germany; the actual requirement should be verified with counsel rather than taken from a vendor, since German and EU data-protection law restricts transfers outside the EU/EEA rather than outside Germany alone, and the question that matters is where the provider’s data centers and support staff are. Other countries’ laws require that personal data be protected from access by unauthorized people, which in a multi-tenant service means asking how the provider segregates tenants and who on the provider’s staff can read the data. (Read more about privacy in “Why CIOs Should Care About Privacy.”)
Many CIOs have moved to the cloud despite such compliance concerns, often without the controls to back it up. Identity and access management vendor Courion surveyed 384 respondents at large organizations and found that 48 percent weren’t confident that a compliance audit of their cloud applications “would show that all user access is appropriate.”
At the very least, CIOs should be able to outline the risks of cloud and consumerization and explain the steps IT is taking to keep the company’s data as secure as it was before. When you’re no longer locking everything down in an on-site data center, for instance, you need to negotiate contract terms that spell out who can access the data, where it is stored, and how and when the provider must report a breach, and you need a way to audit cloud and software-as-a-service providers, whether by reviewing their independent audit reports, by contractual right-to-audit clauses, or by your own security assessments, rather than relying on the vendor’s assurances.
Robert Petrie, vice president of IT with Pharmaceutical Product Development, which manages the data-intensive chore of running clinical trials for pharmaceutical companies, says, “People are very sensitive about their data. If we are using multi-tenant, hosted applications, our clients audit us and make sure we have the appropriate [security].” He adds: “This isn’t a reason that you can’t move to the cloud, but you have to perform due diligence and do security assessments.”