Survey: Cloud computing risks outweigh reward

Almost half of the IT professionals questioned in recent ISACA survey say safety and security risks outweigh the cloud's cost-saving benefits.

Lance Whitney Contributing Writer

Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.

See full bio

Lance Whitney

April 7, 2010 10:08 a.m. PT

2 min read

Though cloud computing is often touted as a cost-saver for companies, IT pros still have lingering doubts about the safety and security of working in the cloud.

Around 45 percent of IT professionals recently surveyed by the ISACA (formerly known as the Information Systems Audit and Control Association) said the risks involved in cloud computing outshine any benefits. A global organization focused on the auditing and security of information systems, the ISACA conducted its first annual IT Risk/Reward Barometer survey (PDF) in March.

Questioning more than 1,800 IT professionals in the U.S. who are members of the group, the ISACA found that only 10 percent of them plan to use cloud computing for mission-critical IT services, 15 percent will use it only for low-risk services, and 26 percent don't expect to tap into the cloud at all.

"The cloud represents a major change in how computing resources are utilized, so it's not surprising that IT professionals have concerns about risk vs. reward," said Robert Stroud, vice president of ISACA, in a statement. "If cloud computing is treated as a major initiative involving many stakeholders, it has the potential to yield benefits that can equal or outweigh the risks."

Beyond the specific topic of cloud computing, the survey also measured the general risk management policies of IT professionals. Only 22 percent of those questioned said their companies are very effective at incorporating IT risk management into their overall risk management strategy. Of the organizations that do pay attention to IT risk management, many do it more because of the pressure of regulatory compliance than because of any perceived benefits or improvements to the business.

"While compliance is critical, it is unfortunate that more enterprises do not see performance improvement as a primary reason for implementing effective risk management," said Brian Barnier, a member of ISACA and principal at ValueBridge Advisors, in a statement.

IT also found that employees often engage in behavior that puts themselves or the business at risk. Among those surveyed, 50 percent said that people at their companies don't adequately protect their confidential documents, 33 percent said that employees don't understand IT policies, and 32 percent found that workers use nonapproved software and online services.

The ISACA compiled the results for its IT Risk/Reward Barometer from an online poll that received responses from 1,809 ISACA members in the United States.