Guest blog: cloud services and data security

19 May 2015, 12:04 pm

by Dr Andy Hopkirk, Head of Research, Society of IT Management (Socitm)

Following a recently published ‘IT Trends’ report from Socitm, Hopkirk discusses the adoption of cloud services among local public service organisations and why some organisations are still wary. In this guest article, he suggests ways for buyers, sellers and interested others to address the status quo.

Socitm members are acutely aware of the need to be careful with any person-related data or information that is stored in or merely passes through the IT systems they are responsible for.

Responsibility lies with the organisation to ‘do the right thing’, but in practice this means that the professionals inside these organisations have decisions to make, and they will make them by balancing a complicated, even complex, set of variables.

Before externally hosted services were a technical option, most organisations managed the risks by (mostly) owning their own IT systems and thus feeling themselves able to be in control of how they were used and who could access the data and information.

Networked, externally hosted services are by definition that much more distant from immediate control and, especially if not owned by the organisation directly, are, subjectively at least, possibly riskier for the organisation and its decision makers to choose.

However, new technical and economic imperatives can combine to press the case for externally hosted services – for example, cloud services – and this is clearly now the case across the economy generally, not just in the use of computing services by Socitm members in the public or third sectors.

Cloud services of various kinds are undoubtedly serious candidates to take on significant and important public service workloads but matters of safety and confidence have to be satisfied too.

But detailed knowledge and understanding of the national, EU and wider legal and regulatory environments for data storage, transfer and processing is a very specialist area, and not one in which Socitm members are usually professionally expert, so, unsurprisingly, they are likely to seek advice and move slowly and carefully. Indeed, this is what respondents told us in the IT Trends survey.

A few have been relatively bold and are the early adopters ‘in at the deep end’, but the majority are not and, we’d conclude from their responses to the survey, would like to see how the early adopters get on before joining in more deeply themselves. In that respect, the adoption of cloud services into this community is simply following the usual pattern of new technology adoption. It is early days yet, hence fears around organisations’ personal and corporate business risks remain.

So whose responsibility is it to help this community properly assess the risks of cloud services adoption and make wise decisions?

The selling community cannot rely upon purely economic arguments to be successful, for public servants simply cannot choose to ignore data protection matters without incurring reputational and legal risks that can be thought better managed by other ‘more conventional’ choices.

Those who are neither the direct buyers nor the direct sellers of cloud services here, and who wish the adoption curve to be traversed more quickly, will need to consider expending some of their own energy and money to that end, by helping the two parties meet each other’s needs better and more quickly than the natural rate of progression would allow.

That facilitation could take several forms, for example, by:

  • smoothing the pathway through the legal and regulatory frameworks for those expected to navigate them and be accountable
  • providing expert guides or expert people
  • offering good quality, authoritative information, for example, plain English myth busting and explanations of what the real risks are and how to deal with, mitigate or avoid them
  • capturing, and promulgating widely, many relevant examples of successful practice, such as buying practice, contracts practice, on-boarding practice and cloud supplier exiting practice.

So the answer to the responsibility question has to be a multi-party solution. For its own part, Socitm has a role to play here as a professional society. We can help members in local public services to understand the potential and the risks of these technologies and we can help partners and others in the selling community to build confidence in their products and services.

Dr Andy Hopkirk leads the development and delivery of Socitm’s research services portfolio, including benchmarking services, performance assessment services and the research programme, which includes Socitm Insight, IT Trends, and the Technology Challenge. He also contributes to Socitm’s policy and consultancy work.