This blog post is part 2 of a 3-part blog series on taking the journey to the cloud and understanding how to approach the risks involved.
I mentioned in my last post the need to assess many types of risk. Security is often highlighted as one of the primary ones. Let’s start with a well-acknowledged fact: Cloud Service Providers (CSPs) are the most cyber-attacked entities on the planet. Therefore, they have the greatest single conglomeration of security experts, who know the ins and outs of security, that you’ll find anywhere (with the possible exception of government agencies). For example, even back in 2016, Microsoft invested $1Bn in security alone – a spend non-CSP companies cannot match or justify. And since then, all CSPs have continued to invest and grow their security capabilities in a similar fashion and will continue to do so in 2020 and beyond.
While Cloud may arguably introduce some new risk to you, the total value from working with these hyperscalers in Cloud is unparalleled. They are solving problems that non-CSP companies haven’t even begun to conceive. Going Cloud native with a CSP has a much lower level of overall risk because you are leveraging the experience and expertise that comes from building Cloud infrastructure, fabrics, and security on a global scale. Since their solutions affect millions of customers with a presence across multiple countries all around the globe, and in different jurisdictions, hyperscaler CSPs put in an enormous amount of engineering effort that is just not possible in one-off builds. Therefore, when you use, for example, data services such as AWS Aurora, Google BigQuery, or Azure Synapse, you know that it works – and that it works much better than anything you could build in-house. You can rest easy knowing that they have been designed around the accumulated challenges and lessons of those millions of customers around the world, in aggregate.
This focus and investment make Cloud safer and more reliable than on-premise models, with the added benefits of cost effectiveness, manageability, stability, predictability, reliability, and transparency.
Why is Cloud risk such a big decision factor then? Well, mostly because companies are looking at risk through the wrong lens.
Risk needs a multidimensional lens
As we mentioned in the previous post, most companies make the mistake of looking at Cloud risk like they look at Cloud cost. Cost is two-dimensional – you have the number of applications, you have the average cost per application, you multiply that, and you get the total cost of applications. Similarly, if you reduce the number of applications or reduce the cost per application, your total cost goes down proportionately. I will talk more about cost implications of Cloud in my next article.
Risk, on the other hand, is three-dimensional, and even a small reduction in risk in one area can have a significantly higher impact on the overall risk exposure (See Fig. 1). Total organizational risk is often based around complexity.
When you move applications to the Cloud using Cloud services built on a global level, the complexity and the risk of your environment go down. In a multi-dimensional model, tackling one area and reducing it by half through cloud can reduce total risk/complexity exposure by 4x-8x. A 25% reduction in application risk factors can lead to a 75% reduction in operational risk. In addition, the operational risk you reduce by moving to Cloud outweighs the risk of lock-in and portability.
As mentioned above, one of the biggest challenges in assessing risk is using the right lens to look at it. Based on my personal experience in dialogue with CSPs, clients, and other parties, usually, out of every 10 risks called out for Cloud:
So only one or two risks remain. And even then, the biggest risk we see is not the Cloud itself but the successful transition of the organization into a Cloud-powered organization. Think of it this way – you are driving on a highway and want to change lanes. Both the lanes are safe by themselves, but the change may come at some risk. Now imagine if you make this change while changing your steering console AND changing the driver! That is the risk that organizations should really focus on – the risk that comes with a combination of technology improvement, process improvement, operational improvement, and upskilling and cross-skilling of existing resources for a migration. It is all simply about change, and there is nothing inherently risky or different on cloud versus legacy – the risk is the organizational journey.
Please note: We are not saying that the cloud is riskless or that any journey is riskless, but rather that the unreliable/unknown dependencies and failure items have had much more engineering put into their reduction/elimination.
Are you making the right decisions? A click down on risks
A typical application landscape in an organization is often a big ball of mud of organically grown legacy. This is not a criticism but a reflection of the well-known truism that technical debt increases over time. Let us not forget, for example, that COBOL turns 60 today, and some applications in your enterprise may not be much younger. The total number of things that interact with each other inside a major enterprise application platform can be almost mind-boggling. Everything is touching everything and connected in a complex way in all directions. What you have here is change risk. If you change anything, you have no idea what it might impact. It could affect code stability and create security, latency, or people risks.
Terrified of what might happen if they meddle with the system, organizations resist change, and that costs them in terms of strategic growth – which is a higher cost to pay. This was happening to one major financial client of ours. They had a host of legacy applications and the bank’s change budget for them was surprisingly low and didn’t present a lot of saving opportunity. But when we dug deeper, we realized that the change budget was low because they didn’t want to open that can of worms. Every time that they had tried to make changes in the past, it had cost them millions of dollars while messing up other parts of this complex ecosystem. So, all this while they chose to not change, accepted that limitation, and instead ended up risking business growth.
Another aspect organizations often consider is business knowledge. They believe they know more about their systems, processes, and their complexities than an external provider ever will. This leads them to believe that moving to Cloud will mean a loss of this knowledge. This was a concern that yet another major bank voiced when discussing Cloud transition. They had people with over 30 years of experience on their systems, who knew their application processes inside out. And they were reluctant to let go of this control. But what they failed to consider was that they were dealing with a much greater risk, one that is particularly (and tragically) relevant in today’s COVID-19 world. If you have a high people dependency, you have higher risk. What if the key people you depend on retire, resign, or meet with an unfortunate accident? What is your fallback option? It’s much less risky to move key applications away from terribly complicated environments to the Cloud.
It doesn’t help that people are also resistant to change. Change is inconvenient. It means they have to learn to do things a new way. If they have been working on something a certain way, they don’t want to change it no matter how great the new option is.
On the other hand, the transformation to Cloud involves one of the most exciting opportunities for enterprise application owners and developers to not only improve the stability of their applications but also to stand on the shoulders of giants in terms of automation and service innovation. This also allows them to spend their time on business improvements and on learning new (and highly market valued) skills instead of mitigation activities that have already been solved by CSPs.
Break the mould to unlock business gains
Traditional decision models are not suitable when it comes to evaluating a move to the Cloud. CIOs need to adopt multi-dimensional thinking and look at the impact of each scenario on the business KPIs. Isn’t it worth investigating whether you can trade 10 old risks for three new ones? Either way, you are dropping seven of them! In the next article, we’ll talk a little more about these models and how the right approach can fast-track your business toward achieving ambitious goals.
Part 3 of this blog series: The key to achieving ambitious Cloud goals, bringing Costs and Risks together.
Gavin Williams
Senior Partner
Cloud Consulting
Gavin has 25 years of experience with enterprise customers, helping them drive business success through innovative technology solutions. He works with different customers throughout the UK and Europe to understand their business needs and help them set technology strategy and direction. He also has in-depth and extensive knowledge of customer business challenges with board-level messaging.