Corporate financial resiliency in the dawn of the Information Age is inextricably linked to the use (or misuse) of sensitive corporate secrets, customer data and technology reliability. Whether it’s accounting information, sales data, a proprietary manufacturing process, e-commerce hosting, healthcare data processing or a range of other services, adaptation to cloud technology results in a need to identify, quantify and develop risk-transfer solutions designed to meet the individual needs of cloud clients – matched to their specific relationship with cloud technology.
The metrics used to quantify the amount and breadth of data liability in a specific cloud are derived from a simple formula. This formula is based on a three-pronged approach: how long the cloud company is the custodian of a client’s information, the risk profile of the client’s data set moved into the cloud, and the client’s relative dependence on the cloud to sustain normal business operations. As the cloud industry is already geared to measure and map any moment in time, the ability to do so as it relates to the liability of hosting client data and infrastructure already exists.
Developing value ranges for specific types of cloud infrastructure and data services shows that risk-transfer facilitation is possible. Stolen accounting information does not have the same liability to a cloud client as a lost medical file or an eight-hour e-commerce system outage. As cloud clients ask the “what if?” scenarios when assessing the cost-benefit analysis of moving into the cloud, the industry’s continued organic growth and fundamental economic success depend on a mutually beneficial financial protection plan in the event of unforeseen cloud liabilities. Bringing these potential liabilities “out of the closet” and onto company balance sheets should be considered a welcome event. As more data is lost and as outages continue, with the repercussions of such beginning to echo louder and louder in the U.S. and other court systems, the ability to quantify the real and implied financial liabilities resulting from a decision to turn to the cloud will only be enhanced in the future. The United States is a world leader in technology and through its insurance industry boasts the capabilities already in place to effectively and efficiently disperse risk, regardless of the type of risk.
A recent survey by Mimecast found that 83 percent of IT managers (and potential cloud clients) understand the importance of good data management and recognize that data management is a major factor in whether a firm will succeed or fail. And 71 percent of managers agree that the value of the data their organizations hold exceeds the cost of storing and managing it (1). Enabling clients to individually determine the value of their information assets and business-dependent functions allows for an identification of their pain threshold (i.e. real or estimated losses) that would result from an unexpected cloud liability event. Engaging the cloud client begins to identify what the economic loss sustained from a cloud liability event ultimately represents. As supported by leading security industry analysts Greg McLean and Jason Brown, an important metric for determining security ROI is including a “peace of mind” element, dependent upon each individual company determining its own risk tolerance. (2)
Businesses continue to acknowledge that something can happen when they look to the cloud -- whether it’s a cognizant or implied liability realization, with clients asking the basic privacy, security and business interruption questions during drawn-out contractual negotiations and sales discussions. As 70 to 80 percent of the value of any knowledge-intensive organization is solely attributed to the value of the information assets it carries, it’s easy to understand why cloud clients are asking. (3)
Most, if not all, cloud companies hold security processes in high regard as confidential and proprietary competitive advantages. Like any other for-profit organization, clouds should not have to reveal or prove their intrinsic and core competencies in order to achieve successful and time-efficient client acquisition. Revealing every proprietary security method makes it difficult for one cloud to distinguish itself from the next. Conversely, if the clouds are not fully disclosing these proprietary security processes, clients are left with little choice other than to rely on the trust factor in engaging any cloud service. Cloud companies find themselves relying heavily on the best-in-class security discussions and up-time guarantees to win market share. If the top cloud providers are going to remain on top, the inherent de-minimization of security-process competitive advantages needs protection against commoditization, and clients will need an alternative to the ‘trust factor’ and ‘marketing’ aspect of SLAs.
Look Beyond Security and Technology for the Answer
Ultimately, why not just rate the clouds on performance over time and alleviate the high focus on security as a metric of service capability? If one is truly more secure than another, that would be demonstrated by performance as related to a “coefficient of breach” and other loss history metrics, thus allowing the cloud industry to focus on its core competencies of software, platform and infrastructure services. Note that proper security protocols are still needed as a basic measure of cloud company insurability; otherwise the insurance industry would not want to assume the risk of cloud companies that lacked investment in security controls. That said, security alone is not an efficient and sustainable measurement of successful cloud service performance.
As cloud companies cannot guarantee with 100 percent certainty that technology and security protect against liabilities, these cannot be the sole reliance for the successful negotiation and execution of service level guarantees. Just as it is not realistic to base security effectiveness on a lock-out model, assumptions must be made that a malicious insider or flawed program code already exists within any IT environment (including the cloud), and another alternative to security must be considered. Noted security expert Bruce Schneier has long popularized designing IT systems to “fail well” rather than to “fail badly.” Failing well, or preventing unacceptable loss by compartmentalizing risk, is clearly a much more sensible approach to dealing with the threat of system failure than simply trying to eliminate it altogether. (4) Cloud clients need to be provided with an effective method to identify, quantify and disperse their risk at the point of entrance into the cloud, supplementing the ROI calculation discussion of moving into the cloud.
Cloud Insurance is the Answer: CloudInsure™
Compartmentalize the risk. Contain the failure. Limit the financial failure. Reduce potential volatility. Insurance will support accelerated adoption of cloud technologies by clients because it allows for a quickened time-to-market cycle and offers clients an alternative solution to the sole reliance on MSAs/SLAs and costly litigation. It also aids in answering the cost-benefit analysis of cloud adoption. Cloud insurance answers the inherent risk assumption questions and disperses these liabilities to insurance companies willing to underwrite the risk with an effective and time-efficient distribution channel that is able to keep up with the pace of cloud service adoption.
Into the clouds we all go; time to bring insurance into the cloud.
Cloud Insurance risk mitigation allows:
Cloud Companies to de-risk their business model against client litigation and start protecting their proprietary security and infrastructure competitive advantages. Clouds are the custodians of client data. Clouds cannot carry or be perceived to carry the financial liabilities associated with all of the data privacy, security or outages their customers experience. Perception is reality. In the absence of an effective risk mitigation strategy, paying clients will look to the cloud company for meaningful indemnification to match sustained losses.
Cloud Clients to choose (or not choose) their level of insurance based upon their individual “pain threshold” of operational or reputational business risk associated with cloud services adoption, at the point of entrance to the cloud. They have their indemnity questions answered affirmatively independent of the security discussions, and they have the opportunity to build a concrete financial resiliency for their proprietary and business-dependent information. They can eliminate the liability of the cloud companies on their balance sheets.
Insurance Companies to focus on their core competency of offering insurance coverage to small and mid-sized businesses at a managed, under-writable risk profile that can be tailored to the specific risk appetites of various cloud companies and clients. They can match the cloud companies and clients to the insurance companies best suited to accept and price the liability of the various risk profiles represented, thereby drastically reducing the insurance companies’ reliance on underwriting a large cloud anytime an individual organization outsources to the cloud. Also, the diversification benefits to the insurance companies create a far more compelling environment to manage the implied cloud liabilities of all cloud client participants, rather than the systemic risk of one cloud.
Insurance in its most simple form is arbitration – the core competency of this industry. Bring insurance companies into the cloud computing free-trade economic equation and improve the speed of the cloud-adoption process, while taking the pressure off the opportunity cost to the cloud’s sales teams during the client acquisition process.
The cloud companies that offer a differentiating risk-transfer solution to IaaS, PaaS and SaaS clients will enjoy a heightened insulation against increased market competition, with the current market saturation conditions driving the ultimate need. Whether clients are consuming on it, building on it, or running on it, the cloud is where businesses, national governments and the global economies are heading.
Risk does not evaporate simply because of the movement to the cloud. The responsibility is now simply shared. Cloud insurance allows both the cloud client and cloud company to build and protect their financial resiliency against risk uncertainty.
Insure to ensure cloud success.