Close to half of U.S. IT professionals say that the risks of cloud computing outweigh the benefits, according to the first annual ISACA IT Risk/Reward Barometer survey.

CXOs are increasingly interested in cloud computing because of its potential to deliver lower total cost of ownership (TCO), higher return on investment (ROI), increased efficiency and pay-as-you-go services. Analyst firm IDC says that cloud services will outpace traditional IT spending over the next five years and will represent $44.2 billion by 2013.

Yet IT professionals see risks in entrusting information assets to the cloud, according to the survey of 1,809 U.S. IT professionals who are members of ISACA. The IT Risk/Reward Barometer found that only 10% of respondents' organizations plan to use cloud computing for mission-critical IT services and one in four (26%) do not plan to use it for any IT services.

Consistent with this attitude is the appetite for overall IT-related risk in 2010. In the face of continued economic uncertainty and despite the potential to drive greater rewards, more than three-quarters of those surveyed believe that projects should offer the same or lower level of risk in 2010. Similarly, 79% will invest the same amount or only slightly more in risk management and compliance in 2010.

"The cloud represents a major change in how computing resources will be utilized, so it's not surprising that IT professionals have concerns about risk vs. reward trade-offs," says Robert Stroud, international vice president of ISACA and vice president of IT service management and governance for the service management business unit at CA Inc. "But risk and value are two sides of the same coin. If cloud computing is treated as a major governance initiative involving a broad set of stakeholders, it has the potential to yield benefits that can equal or outweigh the risks."

IT Risk Management

The online survey also gauged organizations' attitudes and behaviors related to IT risk management. According to IT professionals, only 22% of organizations are very effective at integrating IT risk management with their overall business risk management. The most common reason for practicing IT risk management was regulatory compliance (28%) versus business drivers such as improving the balance of risk taking with risk avoidance to improve return (8%).

"While compliance is critical, it is unfortunate that more enterprises do not see performance improvement as a primary reason for implementing effective risk management," said Brian Barnier, principal at ValueBridge Advisors. "On the performance side, about 16% see cost management as a driver for risk management; 9% see business change as the most important driver; and 8% choose improving risk-return balance. From the CFO, COO, CEO or board perspective -- just like in personal investing or sports -- the main driver should be balancing risk vs. return to drive profitable growth. As the one-third of IT professionals who are more business-focused already seem to know, robust risk management is a powerful tool to create that value. We hope to see more enterprises shift from a compliance to performance view of risk management."

High-risk Employees

The Barometer also looked at what IT professionals thought about employee behavior. According to results, the top three high-risk ways in which employees contribute to "risky business" are:

  • Not protecting confidential work data appropriately (50%)
  • Not fully understanding IT policies (33%)
  • Using non-approved software or online services for their work (32%)

To view the report visit www.isaca.org/cloud