Every company has its reason for embracing or not embracing the cloud. In the case of companies in heavily regulated industries such as healthcare and financial services, regulatory compliance is a convenient excuse for luddites to shun the cloud and its potential benefits.
And consultants who serve those markets say that while CIOs and other IT managers cite compliance as the reason for not embracing cloud services and applications, it's really an excuse by managers who just don't want to move to the cloud for whatever reason.
"There's a perception that has existed that the cloud is less secure," said Tom Crawford, CIO strategic advisor and president of the consultancy AVOA. "Part of that stems from the basis, wrongfully so, that I cannot secure something unless it's inside my own data center. For the most part that no longer holds water. Internal systems are often less secure."
In fact, Crawford says the cloud providers are often more secure because they dedicate themselves to security in ways many firms don't, since a loss of security credibility would be death for a cloud provider.
"When you think of internal security, security tends to be a line item in a job description. Cloud-based providers have departments and teams where all they do is security. That is their sole focus. So the extreme there is an average enterprise, where people have security as one line in their job description versus a department with a dedicated focus," he says.
Paul Castiglione, senior product marketing manager of Ipswitch File Transfer, a maker of secure file transfer and data monitoring software, says cloud vendors often know the compliance rules as well or better than many compliance-governed customers.
"Cloud vendor providers like us spend a lot of their time understanding regulations. We're certified for PCI and HIPAA. So we're pretty expert at it. Companies attempting compliance on their own are having to invest in the education, all of the requirements related to it, penetration testing, access control, all of the physical requirements around compliance," he says.
Crawford says that more often than not "people use compliance as an all-encompassing excuse" to reject the cloud when compliance is only for specific apps and data sets, not the whole company.
"When you break down the problem it only governs a specific piece or component of data and only those apps," he says. "They aren't breaking down the problem and laying out the workloads and data sets."
As it turns out, the excuses for not embracing the cloud are numerous. One cause is generational. People have been running internal data centers for decades. Good luck convincing a CIO in his or her 50s who fears being cut out of a job in the first place that data and applications should be moved off-site into a data center somewhere across the country.
Sign up for CIO Asia eNewsletters.