Reach for the cloud

Sunday, 01 November 2015

Alexandra Cain photo
Alexandra Cain

    With technology changing at a rapid pace, understanding the business benefits of cloud computing, big data and social media is vital for all directors entering the boardroom. Alexandra Cain reports.

    Technology is top of mind for directors as boards around the country continue to grapple with the opportunities and risks megatrends such as big data, social media and cloud computing are producing. In fact, tech concerns are some of the most pressing issues directors are facing right now.

    Many boards are figuring out how to get the right governance structures in place to ensure their businesses are tackling important trends such as digital disruption head on. Directors that are not paying attention to this risk their business model becoming redundant, potentially leading to massive shareholder value destruction.

    One of the first trends directors need to contemplate is the right approach to cloud computing. There has been much debate about whether cloud computing leads to greater cyber-security risks. But experts in the field are quick to point out the cloud’s security benefits.

    Karl Adolfsson, partner, business advisory, Crowe Horwath Sydney, says cloud computing actually enhances an organisation’s security. “Companies that provide cloud services invest far more money into security than individual companies could possibly afford,” he notes.

    As Garry Back, managing director, INX Software notes, cloud computing essentially moves responsibility for control of corporate data outside the enterprise and hands responsibility to specialist providers of those services.

    “Cyber security then becomes a shared responsibility. Having specialists managing cyber security can be a good thing. But any vulnerabilities in the cloud provider’s offering will expose a large number of their customers. So careful management of outsourced providers remains the responsibility of all corporations.”

    Nevertheless, Greg Spencer MAICD, principal consulting partner, Beyond Technology Consulting, does acknowledge cloud computing can lead to the perception the business is exposed to greater risks.

    “But the reality is that risks are not significantly different no matter if information is placed inside or outside the cloud. The emergence of sophisticated, commercially focused criminal enterprises has recently significantly changed the risk profile for all organisations.

    “These crime gangs don’t really care if you have cloud-based infrastructure or not. In fact they probably assume that you are taking more precautions in the cloud, which means local infrastructure, managed internally by organisations, is probably a softer target,” he argues.

    Andrew MacKenzie, cloud and collaboration advisor, Professional Advantage, points out that although there have been high-profile attacks on businesses such as Sony and Ashley Madison, whether or not their information was stored in the cloud made no difference to the hackers that wanted to infiltrate these systems.

    As Tessa Court, CEO, IntelligenceBank notes, the cloud’s perceived security risk is actually more of a branding issue than a real risk. “It could be argued that the worst thing the cloud computing industry did was name their service ‘cloud’. Many people unfamiliar with cloud computing think that their data is ‘out there on the internet somewhere’ when in fact, all cloud hosting companies actually run physical servers, with virtual partitions to store data,” she notes.

    “The best way to think about cloud computing is in terms of infrastructure outsourcing. Cloud hosting is a cheaper and more scalable way to manage information. But for some organisations it’s difficult to entrust their most important asset, which is information, to a third party,” she says.

    According to Court, when there are data breaches in IT systems, the root causes usually have to do with weak or stolen credentials, email phishing, point of sale hacking, and insider misuse. “These types of cyber attacks can easily happen to data that’s hosted in the cloud or by internal servers – it all has to do with an IT department’s management of the infrastructure, versus where the infrastructure lies.”

    That said, Court explains that depending on data sensitivities, most companies are on a spectrum in terms of what they want to store on outsourced cloud services and what they wish to manage inhouse. For instance, customers’ personal data is often not stored in the cloud. But business process- management tools and marketing solutions are routinely placed in the cloud.

    Importantly, as Mark Taylor MAICD, director at Taysols notes, there is now a quality assurance standard available for cloud providers known as ASAE 3402, which should give companies that choose a service provider that has achieved this certification comfort their data is being as securely held as it possibly can be. This standard is administered by the Auditing and Assurance Standards Board and refers to controls at a service organisation.

    “This is an internationally recognised standard and good organisations hold it. It’s very difficult to receive certification and organisations that achieve this typically have their controls and governance audited by the big four accounting firms,” he notes.

    The rise of big data

    A related technology trend to cloud computing is known as big data. This refers to the massive amounts of information produced by organisations that can be used to generate business insights. Toll road companies have access to huge reams of data generated each time a car passes a toll point, which they can use to identify peak travel times, for instance. Another example is banks, which produce massive amounts of data thanks to the transactions their customers perform each day. It’s only since the advent of powerful computing techniques that businesses have been able to analyse this information and use it to improve business performance.

    Boards need to understand the potential for big data to improve the information they have to make great decisions for their company. As Adolfsson explains: “It gives directors the ability to make more informed, faster decisions in real time.”

    Court says big data also gives organisations the ability to make decisions based on facts and trends, rather than by gut feel. “Not only can it look at the past, but data modelling, if done well can literally predict the future. Businesses that are driven by analytics don’t simply look at the data and try to find the answer. Rather, they choose the right data for the business problem, get the appropriate IT support and then implement the right software and models to get the answers. While it is important for the board to have access to big data analytics, it is equally important for operational line managers to be equipped with the latest metrics that affect the business.”

    Worryingly, Michael Lang MAICD, managing director at SG Partners, argues that big data isn’t playing enough of a role in assisting companies to make the right decisions.

    “The real issue is what boards are doing with data because companies are not looking for the right patterns. Boards should be demanding to see the data and they need to be asking the right questions related to it,” he says.

    Taylor agrees. “Big data is still in its infancy and has not yet permeated every board. At the board level it must start to involve converging data from outside the organisation such as social media with internal information such as bank transaction data.”

    For instance, a commercial property manager of a shopping centre will have internal systems that tell them how many stores are leased, the rent and when leases expire. This can be combined with information provided by banks that show purchasing traffic in store, such as the break up between male and female customers, which will give the centre information to negotiate a lift in rent with certain stores.

    This information can also be combined with social media information about likes and dislikes of certain stores. “It’s all about mashing unstructured and structured data,” Taylor says.

    According to Spencer, predictive and advanced analytics are where many organisations are currently focused in Australia. “Certainly, insights from big data are providing businesses with newly identified opportunities. But leading organisations are trying to change their culture to be more evidence based and data driven.”

    He notes that previously, many organisations relied largely on gut feel to make decisions, based on years of experience. “Demographic and generational change is making this a less viable future option, so replacing this with predictive and advanced analytics-based decision support has become a priority.”

    Says Back: “Good decisions depend on good information. Access to the real data affecting customer purchase decisions is already changing the customer experience. Organisations that are taking advantage of that are showing a return on investment. We are now beginning to see the big-data concepts being applied internally within organisations and leading to changing corporate behaviour. Timely and meaningful dashboards help with decision-making and we are now seeing predictive algorithms providing a view of a possible future. This makes interventions more timely and effective. We will continue to see developments in this space.”

    Data and decisions

    The question for directors, however, is what is the potential for them to use big data to guide board decision-making and governance? Ideally, boards will use big data to make stronger, real-time governance decisions. So, how should directors best invite big data into the boardroom?

    As Taylor notes, in the traditional board model, financial data is an account of what has already occurred and is delivered on a retrospective basis. The advent of big data means that’s no longer good enough. “Now, boards need to be able to drill down to detailed information to help them make timely decisions. The provision of that information needs to be current, accurate and complete, and when combined with predictive analytics, insightful too.”

    Spencer notes insights provided through big data are providing businesses with newly identified opportunities, giving them the ability to make faster decisions based on what shareholders expect.

    “Boards are increasingly expecting to review the evidence available to support a proposed project or strategy to ensure that they are not authorising significant expenditure based on individual bias or wishful thinking,” he says.

    According to Court, several of her board clients are investing significantly in business intelligence dashboards for decision-making at a board level. “They are also linking these dashboards into their board portal software to have instant access not only to sales trends, but also to resource utilisation and risk data. Directors cannot simply wait until the next scheduled board meeting to be aware of issues impacting the business.”

    Says Back: “Boards make decisions based on their view of the economic landscape and the strategic options presented by their executive. The options are enriched by better-informed strategic planning, which is enhanced by empirical data from the real world rather than supposition and hypothesis. Boards will continue to do what they have always done. But thanks to big data the quality of the choices they have should improve.”

    Social media

    The third technology trend boards must focus on is social media. This is especially the case given that a negative issue that spreads virally through social media, has the potential to wipe out substantial shareholder value.

    As MacKenzie notes, with social media, customer relationships are easily exposed. “These relationships used to be one-on-one between businesses and customers but now it’s more like one to millions. So the risk is there’s a ripple effect if a customer has a bad experience, which can severely impact a business’s brand, trust and share price.”

    Adolfsson adds: “Boards need to navigate the social media landscape and use what’s relevant to them. It’s important to use multiple platforms to get a good overall view of the world. But don’t rely solely on social media to base decisions on. And consider whether responding in real time is the best response.”

    There is debate about the right level of involvement of directors in social media. Should directors be talking about the businesses they govern on social media? Whatever approach they take, directors do need to be across the opportunities and threats that social media creates. They also need to consider how they might need to sharpen their skills in this area.

    As Lang notes: “The question is whether it is the board’s role to get involved in social media. They should be across it, but not playing in it.”

    However, Back explains social media offers unfiltered access to the world of customers, investors and other stakeholders. “It is both opportunity and distraction for boards. Most organisations are exposed in the social media world either via a well-managed strategy or through unregulated commentary. Boards need to know that their commercial interests are sufficiently well protected by proactive management of their web presence.”

    However, he also says it’s important to differentiate between the role of the board and the role of the executive. “As managing director, I would hate to think my board was looking over my shoulder in real time, checking every decision against some algorithmic big brother. The board has to stand back and set the parameters for the executive to work within. Even worse would be board members taking to social media as representatives of the company. It would be like herding cats.”

    As Court points out, social media is necessarily affecting boardrooms because of its pervasiveness. “Being educated about social media is crucial for directors. It is a critical force in activism, crisis management, shareholder relations, employee relations and customer relations.

    “Importantly, boards need to truly understand how social media works. Traditional risk frameworks are based on risk avoidance versus active risk management, which is required when there is a data leak or reputational issue that has come out of social media.”

    That said, Court says directors do need to be able to ask the right questions about social media in terms of risk management, culture and leadership, communication strategy and crisis management. “They should receive formal training on social media to truly understand the network effects of the media, and different use cases that can impact risk and governance.”

    Notably, boards have to be conscious of how quickly social media commentary can escalate. “We advise organisations to consider formal incident response planning so that staff know exactly how to react when a situation begins to escalate and how they can defuse it – or when they need to activate emergency response plans,” says Spencer.

    He says the centrality of social media in our society means directors need to be more tech savvy than ever before. “But there are concerns in terms of governance when boards think they can develop enough knowledge to get by. Technological change is at such a rapid rate that boards should be focused on understanding the right business questions to ask and when to bring in independent external advice, rather than trying to keep up with the rate of change.”

    Regardless of directors’ own engagement in social media, they do need to be able to access information about the business’s presence on social media, on a real time basis.

    Says Court: “By incorporating news feeds as part of the board portal application, directors can always be plugged into the latest trends – even in between regular board meetings.”

    It’s also important for the board to be across the business’s planned response to any crisis that emerges through social media channels. As Spencer notes, the board needs to be able to identify what a business-impacting event looks like and know how the business will respond.

    Converging tech trends

    As cloud computing, big data and social media become more mature, they are also becoming more aligned. So how are these trends converging and what does this mean for boards?

    “Ultimately, boards need to understand these megatrends and embrace them as they are here to stay, and understand what it all means from a risk and governance perspective. IT-related topics truly have a place in the boardroom, as IT is the enabler for everything. The board needs to have a compliance framework around all things IT, and not leave it up to the IT department,” says Court.

    These trends are causing business to move at a faster pace. And, as Spencer notes, it does mean large market opportunities are opening up, but the window is opening for shorter periods of time.

    “Boards have a responsibility to review and understand the organisation’s IT strategy and ensure that it is being executed effectively. Often an independent external IT review is commissioned to report to the board to ensure that IT is aligned to the business strategy and that requirements are being met in a manner that is close to best practice,” he explains.

    From Lang’s perspective, boards need to be asking relevant questions about security of data and exactly who can access it. Often, former employees can access information they should not be able to retrieve.

    Says Adolfsson: “Cloud allows boards to use big data to look at different social trends. With social media, people now have direct access to directors, which they never did before, which means boards have more direct responsibility to the public. Boards also have the ability to interact with the whole organisation on a real-time basis. This allows the board to have an immediate understanding of what the business is doing. So governance needs to be able to adapt to this real-time approach and boards need the ability to change strategy based on current events.”

    As Court notes, the question is not whether the board should embrace technology-based strategies, but rather how. “Depending on the size of the board and the nature of the company, new committees, risk frameworks and policies will need to be considered to manage technology considerations at board level.”

    Five cloud tips for boards

    1. Look for a service provider that has achieved ASAE 3402 certification.
    2. Consider which parts of the business are suitable to be placed in the cloud and which parts should remain with the business. Some businesses choose to maintain sensitive information like customers’ personal information themselves, while others are comfortable outsourcing this.
    3. Smart directors will ask questions about service-level agreements from cloud providers to ensure the board understands what the provider has committed to.
    4. The board needs to understand the business’ privacy obligations when it comes to maintaining customer data.
    5. The board needs to be aware of the business’ contingency plans should a hack or data breach occur.

    Five big data tips for boards

    1. Ideally the board should have access to a portal that delivers key business analytics drawn from big data on a real-time basis.
    2. However, big data is still in its infancy for many businesses. So if a company is just starting out on its big data journey, the jumping-off point is a discussion about the data the board needs to make better decisions.
    3. Then, decisions need to be made about additional data the business needs to collect.
    4. It’s up to the board to sign off on the overall data analytics strategy and review this regularly.
    5. It’s an idea to make one director accountable for analytics.

    Five social media tips for boards

    1. The social media approach of directors will depend on the business.
    2. Directors need to decide how or even if they will engage in social media on behalf of the business.
    3. Directors need to be across crisis management plans in the event an issue concerning the business erupts on social media.
    4. Directors also need real-time oversight on how the business is being portrayed on social media.
    5. If the business does not have the right internal resources, it’s worth investing in experienced, external counsel to ensure social media is managed appropriately.

    Latest news

    This is of of your complimentary pieces of content

    This is exclusive content.

    You have reached your limit for guest contents. The content you are trying to access is exclusive for AICD members. Please become a member for unlimited access.