You’ve got your own technology budget, and you’re running your marketing, sales or product applications. Using systems in the cloud would be great, except for one small hurdle – your CIO is concerned about security and control and prefers an on-premise solution. Unfortunately, this is a reality many SiriusDecisions clients face, and it’s a battle that some lose before it even starts. Being well informed is key to overcoming a CIO veto against the cloud.

Information in the CloudWhile the majority of cloud service vendors (e.g. Amazon, Google, HP, IBM, Microsoft, Oracle, Rackspace) – and the vendors that deliver their software-as-a-service solutions on them – provide a high level of security and sophistication, that still might not be enough to ease your CIO’s concerns. Here are five key points for making the case for cloud-based solutions to your CIO:

  • Know your requirements. Before even looking at vendors, ask the CIO to provide (in writing) the specific security requirements and risk concerns to be applied to every vendor the organization evaluates. Certain industries (e.g. financial services, healthcare, the public sector) have higher security and privacy concerns than others. Not complying with regulations (whether federal, state or international) places the enterprise at risk and can result in security breaches and loss or theft of data, legal violations and associated penalties (monetary and otherwise) and a loss of customer confidence.
  • Know your customers’ requirements. Ask current customers if they have specific data and security requirements that might preclude the use of certain vendors or delivery models. For example, several firms in Europe and Asia will not do business with cloud providers that cannot guarantee that their data will be housed in a data center outside the United States, due to concerns about U.S. government surveillance. While some requirements might seem extreme, the chief risk officer and the CIO must foresee these types of issues and plan accordingly to keep the business running smoothly.
  • Think hypothetically. Open a dialogue with the CIO by inquiring whether a cloud service vendor that was validated and/or demonstrated its ability to meet these security requirements could be considered – or is there a corporate policy or legal regulation explicitly barring this? This helps weaken the “no cloud” argument. Presumably, if a vendor meets all the requirements, it should at least be considered.
  • Understand integration points. Determine what internal systems (if any) that your new, cloud-based solution would need to be integrated with. Determine whether IT has the skills to execute on these integrations, or whether a systems integrator will need to be involved. Additionally, determine what types of security measures (e.g. encryption) might be needed to transfer data between these systems.
  • Consider value beyond your immediate needs. Are cloud solutions used elsewhere in the company serving similar needs? For example, if a cloud-based sales asset management solution has been deployed in Asia, can it also be leveraged in North America? Determining this is important for three reasons: It helps build the case for your cloud solution if one has already been deployed. It can also limit redundancy and complexity of the application portfolio. Finally, it may reduce cost by limiting redundancy or leveraging existing vendor relationships (via discounting) for other solutions.