Interestingly enough, after having given the first „Sourcing Governance Foundation” (http://goo.gl/gH41s) class in Middle-Europe last week, the topic of how to govern service provided by external providers seems to be an ongoing concern amongst CIOs and IT Directors.
In an article for the CIO.com magazine (http://goo.gl/L7Lk1), I read a reflection on a most recent survey of the Uptime Institute, where the respondents are still addressing their most prominent concerns related to Cloud Computing – being „Security„, „Governance“ and „Reliability„.
So I did ask myself: Why is there always a distinction between the areas of concerns and what is the difference between “Security”, “Governance” and “Reliability”? From my point of view, “Security” and “Reliability” belong to certain stages in the service lifecycle. “Governance” would be the span of control over all those lifecycle stages. In this sense, the governance of cloud computing services, from service/sourcing strategy via service design and transition to service operation, is simply on a higher management level than its “control” instances like “Security” and “Reliability”.
The picture below is illustrating the fundamental link between the Service Lifecycle stages (ITIL®) and the Sourcing Lifecycle model facilitated by a Governance Frame. Both areas of concern, “Security” and “Reliability” can be seen as areas of the standard process management set within the service and sourcing lifecycle.
In theory, instead of IT leaders being concerned about “Security” and “Reliability” issues of Cloud Services, they should better be bothered about how to ensure and control, that:
A) “Security” and “Reliability” requirements have been defined based on business requirements, legal constraints, industry wide compliance measures, corporate policies and IT best practice references,
B) such requirements are becoming an essential part of the Service Design Process, meaning, they have been part of the Cloud provider selection process and they are integrated (as terms and conditions as well as service agreements) in the contract with the Cloud Service Provider,
C) the “Security” and “Reliability” agreements as defined in the contract will get implemented during service transition and the service acceptance contains a dedicated section ensuring the conformance and operational readiness,
D) the status of the “Security” and “Reliability” agreements is being reported frequently and any deviation from the original definitions is being managed and corrected,
E) the original requirements are being revisited on both, customer and service provider side regularly to ensure adherence to changed business and technology conditions.
That is the meaning of “Governance” for Cloud Services: Ensuring, structures and processes exist throughout the lifecycle for enabling the service to deliver according to the strategy and the business objectives.
Instead of being concerned about the details of “Security” and “Reliability”, IT leaders should focus on implementing the right governance approach and the respective capabilities of their organizations – the details of “Security” and “Reliability” can then be left with the subject matter experts, the like Architects, Security Officers, Process – and Service Managers.
How to define and implement the right governance approach for Cloud Services will be taught and can be learnt in a newly designed (class room) course “Cloud Governance Foundation” (http://goo.gl/1CVqa), available now for Middle Europe.