Press Release

About ISACA

ISACA US IT Risk/Reward Barometer Survey: More than 45% Say Risks of Cloud Computing Outweigh Benefits

2010 ISACA Risk Reward Barometer Results US

Video on cloud computing findings | Video on risk management findings
Cloud Computing Graphic | Risk Reward Barometer Graphic

Rolling Meadows, IL, USA (7 April 2010)—Close to half of US IT professionals say that the risks of cloud computing outweigh the benefits, according to the first annual ISACA IT Risk/Reward Barometer survey.

CXOs are increasingly interested in cloud computing because of its potential to deliver lower total cost of ownership (TCO), higher return on investment (ROI), increased efficiency and pay-as-you-go services. Analyst firm IDC says that cloud services will outpace traditional IT spending over the next five years and will represent $44.2 billion by 2013.

Yet IT professionals see risks in entrusting information assets to the cloud, according to the survey of 1,809 US IT professionals who are members of ISACA. The IT Risk/Reward Barometer found that only 10 percent of respondents’ organizations plan to use cloud computing for mission-critical IT services and one in four (26 percent) do not plan to use it for any IT services.

Consistent with this attitude is the appetite for overall IT-related risk in 2010. In the face of continued economic uncertainty and despite the potential to drive greater rewards, more than three-quarters of those surveyed believe that projects should offer the same or lower level of risk in 2010. Similarly, 79 percent will invest the same amount or only slightly more in risk management and compliance in 2010.

“The cloud represents a major change in how computing resources will be utilized, so it’s not surprising that IT professionals have concerns about risk vs. reward trade-offs,” says Robert Stroud, international vice president of ISACA and vice president of IT service management and governance for the service management business unit at CA Inc. “But risk and value are two sides of the same coin. If cloud computing is treated as a major governance initiative involving a broad set of stakeholders, it has the potential to yield benefits that can equal or outweigh the risks.”

The risks and rewards of cloud computing are examined in the ISACA white paper, Cloud Computing: Business Benefits with Security, Governance and Assurance Perspectives. The paper is a collaboration between ISACA and the Cloud Security Alliance and is available as a free download at www.isaca.org/cloud.

Next Level in Risk Management: Shifting from Compliance to Performance

The online survey also gauged organizations’ attitudes and behaviors related to IT risk management. According to IT professionals, only 22 percent of organizations are very effective at integrating IT risk management with their overall business risk management. The most common reason for practicing IT risk management was regulatory compliance (28 percent) versus business drivers such as improving the balance of risk taking with risk avoidance to improve return (8 percent).

“While compliance is critical, it is unfortunate that more enterprises do not see performance improvement as a primary reason for implementing effective risk management,” said Brian Barnier, member of the team that developed ISACA's new Risk IT: Based on COBIT and principal at ValueBridge Advisors. “On the performance side, about 16 percent see cost management as a driver for risk management; 9 percent see business change as the most important driver; and 8 percent choose improving risk-return balance. From the CFO, COO, CEO or board perspective -- just like in personal investing or sports — the main driver should be balancing risk vs. return to drive profitable growth. As the one-third of IT professionals who are more business-focused already seem to know, robust risk management is a powerful tool to create that value. We hope to see more enterprises shift from a compliance to performance view of risk management.”

High-risk Employees

The Barometer also looked at what IT professionals thought about employee behavior. According to results, the top three high-risk ways in which employees contribute to “risky business” are:

Not protecting confidential work data appropriately (50 percent)
Not fully understanding IT policies (33 percent)
Using non-approved software or online services for their work (32 percent)

“Many employees are working around controls and using non-approved devices and programs so they have the tools they need to do their jobs,” said John Pironti, member of ISACA’s Certification Committee and president of IP Architects LLC. “Instead of prohibiting certain technologies, organizations should try to learn why their employees feel they need these technologies and train employees to use them safely.”

The areas studied in the IT Risk/Reward Barometer will be among the topics discussed at the upcoming 2010 North America Computer Audit, Control and Security (CACS) conference, taking place 18-22 April 2010 in Chicago. North America CACS attracts IT audit, security, risk and governance professionals from around the world who gather to discuss the latest challenges and solutions for critical industry issues, including risk management, cloud computing and virtualization security, and fraud. Risk management leaders will provide guidance based on ISACA’s new Risk IT framework, and real-world case studies will be shared to provide attendees with practical, tested guidance. For more information or to register, visit www.isaca.org/nacacs.

About the ISACA IT Risk/Reward Barometer

The ISACA IT Risk/Reward Barometer is based on online polling in March 2010 of 1,809 members of ISACA located in the United States. The study was designed to gauge today’s attitudes and organizational behaviors surrounding risks and rewards associated with information technology projects. Similar versions of the survey were executed in India and Europe. To see the full results, visit www.isaca.org/news.

About ISACA^®

With more than 86,000 constituents in more than 160 countries, ISACA^® (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance of IT, and IT-related risk and compliance. Founded in 1969, ISACA sponsors international conferences, publishes the ISACA^® Journal, and develops international IS auditing and control standards. It also administers the globally respected Certified Information Systems Auditor™ (CISA^®), Certified Information Security Manager^® (CISM^®), Certified in the Governance of Enterprise IT^® (CGEIT^®) and Certified in Risk and Information Systems Control™ (CRISC™) designations.

ISACA offers the Business Model for Information Security (BMIS) and the IT Assurance Framework (ITAF). It also developed and maintains the COBIT^®, Val IT™ and Risk IT frameworks, which help IT professionals and enterprise leaders fulfill their IT governance responsibilities and deliver value to the business.

For more information and free resources about cloud computing, visit www.isaca.org/cloud.

Media Contacts:

Kristen Kessinger, +1.847.660.5512, kkessinger@isaca.org
Marv Gellman, Ketchum, +1.646.935.3907, marv.gellman@ketchum.com

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008
USA


What is CISA	What is CISM	What is CGEIT	What is CRISC
How to Become Certified	How to Become Certified	How to Become Certified	How to Become Certified
Register for the Exam	Register for the Exam	Register for the Exam	Register for the Exam
Prepare for the Exam	Prepare for the Exam	Prepare for the Exam	Prepare for the Exam
Taking the Exam	Taking the Exam	Taking the Exam	Taking the Exam
Apply for Certification	Apply for Certification	Apply for Certification	Apply for Certification
Maintain Your CISA	Maintain Your CISM	Maintain Your CGEIT	Maintain Your CRISC