So, in summary, Hoff adds, these first two points suggest what is tiresome about the seven deadly sins article: This logic is already apparent in IT in general, and the industry has done a lot of writing on the subject.
Now the third premise. "When we look at why we are still required to bring this up over and over again," Hoff explains, "it is [because] we tend to generalize. Your article talks about CXOs and kind of almost indicts [them] as a group ... and not just your article, but lots of them, right?"
If there is a segment with members who could benefit from the seven deadly sins feature, Hoff continues, it's the SME / SMB market. "Where your article rings true and is probably more realistic is with the smaller enterprise that doesn't actually have a CIO or a formal, rigorous [security planning] process. They listen to stories and hype and take [them] at face value and they make make those mistakes because they don't have the process, the bandwidth, and the expertise" to avoid them, says Hoff.
Go Forth and Stop Doing That
Rather than the generalization, Hoff would like to see some specificity broken down by market segments.
"If I take survey studies based on market segments of SMBs / SMEs or startups vs. established enterprises, how do they map against these concerns, these seven sins?" Hoff asks. Which market segments are making these cloud mistakes? Does each cloud sin really have the same potential outcome--the same risk associated with it based on the types of applications, activity, intellectual property, and business impact it may generate--in each market segment?
"So, say I am a Mom & Pop plumbing supply store," Hoff says by way of illustration. Hoff's store balances its risk and exposure against the seven deadly sins. In this scenario it will cost the store $25 a month, plus associated risks, for a service that it would otherwise have to spend thousands of dollars on to properly administer and buy the right hardware (and everything else). "Your sins are irrelevant to me. I am going to commit every single one of them and 200 more," Hoff says, laughing.
"Now, if I am an enterprise, it is a different story," Hoff continues. There is more complexity; the enterprise is more highly regulated. It has different priorities, different assets to protect, and the customer base is different.
"Here is the thing of interest," Hoff summarizes: "Tell me what I can do as measured against the target market. You say, hey, you shouldn't sign up a cloud solution product without going through IT security enrollment. But what if I do? What does that mean? What are the potential outcomes?" Do likewise for all the sins.
Sign up for CIO Asia eNewsletters.