Two years ago Quocirca published a research report, The Adoption of Cloud-based Services, which looked at the attitude of Europe organizations had regarding the use of public cloud platforms.
The research showed two extremes: among the UK respondents, 17% could not get enough cloud, we dubbed them enthusiasts, whilst another 23% were proactive avoiders. In late 2014 Quocirca ran another UK-focused research project, From NO to KNOW: The Secure use of Cloud-Based Services, which asked the same question. How things have changed.
The latest report shows the proportion of enthusiasts to have risen to 32% whilst the avoiders has fallen to just 10%. Changes were observed between these extremes as well. Those that evaluated cloud services on a case-by-case basis had risen from 17% to 23%, whilst those who regarded them as supplementary to in-house IT had fallen from 43% to 35%. These two groupings, not really distinguished between in the first report turned out to be more interesting than expected when we looked at the nitty gritty of approaches taken to security.
To be clear, what we like to think are snappy terms, such as avoiders and enthusiasts, are applied during the analysis. The research questionnaire used drier and more nuanced language, for example enthusiasts actually agreed with the statement “we make use of cloud-based services whenever we can, seeing such services as the future for much of our IT requirement” rather than the avoiders who agree either “we avoid cloud-based services” or “we proactively block the use of all cloud-based services”. So the research is a reasonable barometer for changing attitudes rather than a vote on buzzwords.
The report goes on to look at a range of benefits that are associated with positive attitudes to cloud, such as ease of interaction with outsiders (especially direct connections with consumers) and the support for complex information supply chains (which was the subject of the a second report, Weak Links, and this blog post). It also showed the confidence in the use of cloud-based services was under pinned by confidence in data security (the subject of a first report, Room for improvement, and this blog post).
Looking at the extent to which respondents’ organizations had invested in 20 different security capabilities, the research found that enthusiasts were more likely than average to have invested in all 20, with policy based access rights (based on device and location etc.) and next generation firewalls topping the list. However, avoiders were no laggards; they were more likely than average to have invested in certain technologies too: data loss prevention (DLP) topped their list followed by a range of end-point controls as they sought to lock down their users cloud activity.
There was clear differentiation in the middle ground too. Supplementary users of cloud services took a laissez-faire approach; they were less likely than average to have invested in nearly all 20 security measures. Case-by-case users had thought things through more and were more likely than average to have in place a range of end-point security measures and to be using secure proxies for cloud access.
What does all this tell us? First, that the direction of travel is clear; there is increasing confidence in, and enthusiasm for, cloud-based services. Second, that for many it is one step at a time, with more and more turning to cloud services for specific use cases. The appropriate security measures are being put in place to enable all this, often, as the new report’s title points out, not to block the use of cloud services (by saying NO) but to be able to control them ( by being in a position to KNOW what is going on).
This reflects two realities that no organization can ignore. First, digital natives (those born around 1980 or later) have been rising as a proportion of the workforce over the last two decades and many are now in management positions; they bring positive attitudes to cloud services with them. Second, regardless of what IT departments think, digitally native or otherwise, users and their lines-of-business recognize the benefits of cloud services and will seek them out. This so-called shadow IT is delivering all sorts of benefits to businesses.
Why would any organization want to avoid that?