Is risk-aversion holding back cloud maturity?
As we all know by now, the "cloud" is not just another "IT thing" that only IT people should care about. This is because every organization that has understood this principle has triumphed. Unfortunately, a significantly higher number have merely paid lip service to this idea. To them, the cloud is just another IT thing. The cloud enables a pace of change that companies of the past could have only ever dreamed of. Instead of waiting 6 months to deploy a new app, you can have the idea in the morning and have it deployed company-wide by the afternoon.
At least that’s the theory. But how many of us have seen this happen in reality? The problem is not a technical one. Most organizations could work at this "cloud pace," but most don’t. They might have the technology, leadership support, budget etc. to operate at this "same day" pace, but they don’t. Why not?
Legacy attitudes stifle cutting edge technology
The main bottleneck to cloud-enabled innovation are legacy attitudes and the processes they create, particularly when it comes to their heavy focus on risk management.
What are the priorities for an IT project for example? In most organizations, the ultimate goal of IT (when you strip everything back to its core) is to make changes which minimize risks to the organization's reputation. "Is this new app safe, secure and legal?". Since IT projects were traditionally very large in scope, this emphasis on risk mitigation made a lot of sense, since the changes such a project would make to the organization would be so significant that, if it failed, it would fail big time. You can’t hide an IT failure when your entire organization uses it every day.
Traditional IT did a very good job at ensuring the necessary security, safety and legal checks were taken -- but the process is just too slow when you want to deliver a solution quickly. The good news is that the cloud doesn’t necessarily forego these steps -- it is just more efficient at them; most PaaS or IaaS solutions for example have all the safe and legal steps built into them already through their functionality (see Amazon’s shared responsibility model for example, where AWS provides the infrastructure so the customer only has to focus on the software).
A new approach to risk management is needed
The other critical difference between traditional IT and the cloud is that changes are made more gradually in the cloud. Thanks to its DevOps approach, cloud projects are the polar opposite to the waterfall / monolithic IT projects of the past. With iterative development and deployment, changes are delivered in much smaller increments which can be tested quickly and rolled back relatively easily. DevOps ensures the risk to the organization is reduced significantly. While most organizations will recognize this difference in a purely academic sense, it is often not borne out in changes to process or in how they measure risk.
The solution is to measure IT differently, shifting the primary focus of a project away from risk management, and onto outcomes. Ultimately, what outcomes will this project deliver to my customer? This is the only question to ask.
The real risk is not doing anything at all
Given the option, most people try to avoid change. But we live in a world where change is a constant and is only getting faster. The over-emphasis on "what could go wrong," instead of "what value will this bring?" often leads to organizations talking themselves out of a necessary change, or delaying it so long that the inevitable change eventually becomes a firefight. The better question to ask is "What could happen if we don’t make this change?"
- Employee frustration?
- Loss of market share?
- Employee walk out or strike?
- Irrecoverable damage to brand?
Could you afford not to make the change if these are the potential outcomes if you do nothing?
Romy Hughes is director, Brightman, the business change specialist with expertise in Service Integration and Management (SIAM), business transformation and IT Service Management (ITSM and ITIL).