by Bernard Golden

Cloud CIO: Security vs. the Dangers of Analysis Paralysis

Apr 25, 2011

With vendors flooding the market with a surplus of options, many "cloudwashed" to sound new, it's no wonder that IT departments struggle with the security and privacy risk equations. However, says Bernard Golden, your first choice doesn't have to be perfect for all time.

In his book “Predictably Irrational,” Dan Ariely cites a study conducted at an upscale Menlo Park grocery store (speaking of which, how irrational is it that the Kindle version of this book costs $9.99, while the paperback version costs only $9.29 … but I digress). The two professors published a paper based on the outcome of the study. Its title: Choice is Demotivating.

The study examined behaviors of shoppers when viewing a display of jams. When there were only six different types of jams, shoppers purchased one flavor or another 30% of the time. However, when 24 jams were displayed, only 3% of shoppers purchased a jar of jam.

The conclusion of the researchers was that too much choice actually caused people to refuse to make a decision, preferring to not have any jam rather than make a choice that somehow might leave an even better choice unselected. Essentially, confronted by too many choices, people are confused and befuddled and, feeling anxious about making the wrong choice, refuse to do anything.

I’m reminded of that study during many conversations I have with people who work at cloud computing vendors. Nearly all of them acknowledge that there is terrible confusion about cloud computing present in end user organizations; IT leaders feel overwhelmed by the options and therefore choose to put off making any decision.

This reaction is completely understandable. The incessant bombardment by vendors about how their product embodies, enables, creates, optimizes, accelerates, secures, integrates cloud computing environments would cause anyone to feel drowned.

Cloudwashed and Overwhelmed

Truthfully, vendors bear a lot of the responsibility for this. The flood of new (or “rebranded”) products characterised as “cloud computing” seems ludicrous. The overreach of vendors to get on the cloud computing bandwagon has led to the coining of the term “cloudwashing,” indicating a product that has had cloud terminology inserted into its description in hopes of somehow increasing sales.

Faced with such a ridiculous deluge of “cloud computing” products, IT buyers respond by being reluctant to take any meaningful steps in any direction, fearful that today’s choice might be made obsolete by tomorrow’s option marketed by a new vendor.

Much like the shoppers faced with a multitude of jam choices, IT executives opt to put off a decision in favor of more study, hoping that additional information will clarify the correct selection.

However, most IT executives face a much worse situation than a jam shopper. While too many choices of jam caused internal anxiety and a concomitant reluctance to choose, the downside of making the wrong choice was pretty minor: the cost of a jar of jam (although anyone who has shopped at Draeger’s, the site of the study, might understand that the cost of a jar of jam there might well be not-inconsequential!).

Imagine, by contrast, the anxiety associated with trying to choose the “right” cloud computing product when the selection might cost millions of dollars and, perhaps, dictate the success or failure of one’s career. It would be enormous — and the motivation to wait for the “perfect” product might prove irresistible. The temptation to wait until things settle down and the winners emerge might also seem irresistible.

There’s only one drawback to this temptation: it may be unsustainable in the face of pressure to do something about cloud computing. In his blog this week, well-known commentator David Linthicum points out “IT’s cloud resistance is starting to annoy businesses.” He notes that “a new study from Accenture and the London School of Economics and Political Science’s Outsourcing Unit shows that IT people still see issues like security and privacy as a barrier to cloud adoption.” The conclusion of the study: “There’s a gap between business and IT. Businesspeople see the excitement and business benefits of cloud computing, so they’re pushing for it. However, IT people see cloud computing as causing issues with security and lock-in, so they’re pushing back.”

David describes the current situation as business units experiencing frustration with the poor agility of IT and perceiving the focus on security and privacy as reluctance to embrace a solution that can improve IT speed and responsiveness.

Certainly one can relate to this. I had the misfortune of participating in a cloud computing panel recently that included a security expert, and I have to say his endless repetition of security “issues” and “challenges” (that could be addressed, needless to say, merely by engaging him to consult on the topic) reminded me of a famous Winston Churchill quotation: “A fanatic is one who can’t change his mind and won’t change the subject.”

Nevertheless, it seems to me that, despite the tireless, endless recitation of cloud computing security issues, there exists a genuine concern on the part of IT organizations regarding cloud computing security and privacy.

Which raises the topic of asymmetric risk. In looking at the opportunity to adopt cloud computing for a particular initiative, the rewards and risks associated with the decision are asymmetrically divided. The business unit, which typically presses a reluctant IT organization to get with the program and adopt cloud computing, stands to gain most of the benefits associated with a successful rollout of the initiative. The quicker response to customers, increased revenues, and reduced costs all accrue to the business unit. Any positive outcomes will redound to the business unit, and the motivation to press for cloud computing is significant.

Meanwhile, should any security or privacy problems develop with the cloud computing initiative, the responsibility for those shortcomings will overwhelmingly fall upon the IT organization. The business unit executive will, quite reasonably, point out that ensuring the security and privacy of the application must lie with the experts — IT. Any penalties meted out will naturally fall upon IT members of the project team.

In an environment such as this, it makes perfect sense that IT would be extremely cautious about cloud computing. After all, there’s little upside for it by quickly moving to cloud computing, while there is considerable downside should it embrace cloud computing with the outcome being a security or privacy breach. Asymmetric risk/reward distribution practically guarantees that the different parties associated with a decision will focus on different factors and be motivated to behave differently.

And one can’t say that IT delay in adopting cloud computing is therefore irrational or petulant. It’s a natural reaction to an environment in which negative outcomes fall disproportionally upon IT. Regarding cloud computing, IT organizations might, quite reasonably enough, avoid absorbing additional risk as long as possible.

Frankly, it’s not clear how the problem of asymmetric risk can or should be addressed. The proper reaction to one group (business units) overenthusiastically embracing a technology without considering its risk is not to prescribe that the group charged with evaluating risk also join the party and throw caution to the winds.

On the other hand, I see many IT organizations citing security and privacy concerns as reasons to not move forward with cloud computing when, I suspect, they are really suffering from the surfeit of choices facing them. It would be better to acknowledge the “choice paralysis” and address that rather than citing security and privacy as justifications for delaying moving forward.

It is for this reason that we typically recommend that IT organizations begin working with cloud computing with the explicit recognition that the initial choice of cloud computing platform might very well not be the long-term selection. Given that perspective, it makes sense to move forward aggressively with some choice, while architecting the initial applications so that migration to other clouds is possible. The learning generated by actually implementing and rolling out a cloud computing application far outweighs anything that can be grasped through meetings, webinars, sales meetings, conferences, and the like.

Bernard Golden is CEO of consulting firm HyperStratus, which specializes in virtualization, cloud computing and related issues. He is also the author of “Virtualization for Dummies,” the best-selling book on virtualization to date.
