Wednesday, December 7, 2011

CIO Midmarket Summit - Day 3

Yesterday was the third and final day of the CIO Midmarket Summit. Though only a half-day agenda, it was still packed with some very good sessions, including the Think Tank I had been asked to lead.

Following breakfast was an informative session on Box, presented by Lesley Young, Vice President of Inside Sales. Painting an interesting backdrop of the evolving new work environment enabled Lesley to highlight how Box fits into and helps the CIO provide real value, meet increasing demands and leverage investments in other systems without losing control.

While a few participants went to one-on-one meetings or dealt with local, home or work-related issues, the vast majority of the group remained for my session on security in the cloud. As usual, I started with a couple of stories to drive home the point that we have been dealing with the so-called cloud for over 40 years. Certainly, there are subtle differences and nuances; however, the fundamental issues associated with the selection and contracting of cloud services are virtually identical to those with any third-party provider. Moreover, many of the operational concerns are the same as you have with your own internal data centers.

The session was a lively debate, not without skeptics. We managed in the short half-hour time span to work up a list of top concerns for the contract with a cloud provider. In each case, it reinforced the notion that these contract provisions could and usually do apply to every agreement with outside vendors.

Many thanks to my scribe, who diligently noted the following list of key provisions. This is by no means an exhaustive list, but these are the items that were top of mind with this group:

  1. Service Levels: What is the cloud service providing (scope) and what are the guarantees around time to provision, add/delete resources, support (hours of operation, support) and key performance metrics (response time, uptime)?
  2. Privacy Issues: Is my data protected and do we meet any regulatory requirements (PCI, HIPAA)?
  3. Ownership: Who owns/can use these data? Are there intellectual property issues or rights issues?
  4. Accessibility: Account, password, token. VPN, mobile, etc.
  5. Term: How long am I committed? How fast can I get out? Can they end the agreement?
  6. Liability: Who is holding the bag? Indemnification. Insurance.
  7. Exit Strategy: Am I prepared if I want to get out? If I am forced to get out? If they fail?

Given more time we could have easily doubled or tripled this list and we still wouldn't have gotten them all. Matthew Karlyn, partner at Foley & Lardner, had an hour and over 100 slides at the C3 conference in November yet didn't get past the first few discussion points before he ran out of time.

The fundamental lesson comes down to the recognition that we as IT professionals have been contracting for third-party services for most of our professional lives. The Cloud is just another service that deserves our consideration for use from a technical or functional perspective. Just like other products and services, it may hold value and provide benefits to our companies. But we must treat the procurement of these services in the same manner as we treat any others by developing a clear understanding of the risks and rewards, costs and benefits, and ultimately documenting a clear and comprehensive agreement among all parties involved. Moreover, we have to consider the implementation, migration, operation and contingencies, and we must communicate these efficiently and effectively throughout the organization for the life of the project.

Please comment if you agree or take issue with the perspective. What are key provisions or concerns you have that we may not have covered here?

Tomorrow we will cover the balance of the last day of the conference in the final column on this wonderful event.

Captain Joe

Follow me on Twitter @JPuglisiLLC