Firms balk at moving critical IT systems to cloud due to security worries

“Many people agree that the cloud is important, beneficial and a good idea, but few are willing to move their key capabilities out to the cloud at this point”, Pironti told Infosecurity.

While companies are hesitating to move key capabilities to the cloud, more of them are willing to try the cloud for non-critical services and systems, according to the 2011 ISACA IT Risk/Reward Barometer survey.

This year’s survey found that the number of companies that do not use the cloud for any IT services has decreased 5 percentage points to 21% from last year’s survey. This year, ISACA surveyed 2,765 members worldwide, including 712 US respondents.

“Our leadership teams want us to [use the cloud], but out security teams and risk management teams are not sure that the vendors have figured out any better than we have at this point on how to do this….We definitely have seen that the risk outweigh the benefits for mission-critical stuff, but at the same time we can’t ignore the fact that there are business benefits”, Pironti said.

In addition, the survey found that respondents are becoming increasingly concerned about personal mobile devices on the corporate network. More than half of US respondents said that they believe employee-owned mobile devices pose the greater risk to the company.

At the same time, 27% of US respondents felt that the benefits of employees using their own mobile devices outweigh the risks, and another 36% view risks and benefits as evenly balanced. More than 8 out of 10 have a security policy in place for mobile computing – although 32% of those admit their policy needs updating or communicating.

“Organizations have begun embracing mobile computing such as smartphones and tablets and updating policies and capabilities. They are trying to bring up risk awareness and education among employees, which is probably the best answer. Education is the key to this”, Pironti observed.

“Some of the challenges we are still trying to figure out is: How do we manage this? To what degree do we manage these devices? Since they are personally owned, the ultimate capabilities lie with the end user to enable or disable the managing technologies”, he added.

“These devices do have the potential of causing a lot of risk and there are a lot of pieces of malware and malicious software are being written for them. Adversaries are targeting these devices as high-value targets”, Pironti said.

Survey respondents felt that increased coordination was needed between IT risk management and enterprise risk management, Pironti said. These groups need to be brought together to understand what are the risk and benefits to using personal mobile devices in the workplace.

Overall, this year’s survey indicates that striking a balance between reducing risk and enabling reward is evolving toward a more strategic, cross-enterprise view, ISACA said.

While compliance (26%) and avoiding negative incidents (22%) are still the primary drivers behind managing IT risk, aligning functionality with business needs (18%) is a close third.

“We are resetting the scales. We can’t be as draconian as we once were on security because the users are trying to work harder and faster. They are asking the right questions, instead of allowing the security guy to say ‘no’. A default ‘no’ is no longer an appropriate or viable answer for the organization when something new comes along”, Pironti concluded.

What’s Hot on Infosecurity Magazine?