Cloud CIO: Security vs. dangers of analysis paralysis

In his book "Predictably Irrational," Dan Ariely cites a study conducted at an upscale Menlo Park grocery store (speaking of which, how irrational is it that the Kindle version of this book costs $9.99, while the paperback version costs only $9.29 ... but I digress). The two professors published a paper based on the outcome of the study. Its title: Choice is Demotivating.

The study examined behaviors of shoppers when viewing a display of jams. When there were only six different types of jams, shoppers purchased one flavor or another 30 per cent of the time. However, when 24 jams were display, only three per cent of shoppers purchased a jar of jam.

The conclusion of the researchers was that too much choice actually caused people to refuse to make a decision, preferring to not have any jam rather than make a choice that somehow might leave an even better choice unselected. Essentially, confronted by too many choices, people are confused and befuddled and, feeling anxious about making the wrong choice, refuse to do anything.

I'm reminded of that study during many conversations I have with people who work at cloud computing vendors. Nearly all of them acknowledge that there is terrible confusion about cloud computing present in end user organizations; IT leaders feel overwhelmed by the options and therefore choose to put off making any decision.

This reaction is completely understandable. The incessant bombardment by vendors about how their product embodies, enables, creates, optimizes, accelerates, secures, integrates cloud computing environments would cause anyone to feel drowned.

Cloudwashed and Overwhelmed

Truthfully, vendors bear a lot of the responsibility for this. The flood of new (or "rebranded") products characterised as "cloud computing" seems ludicrous. The overreach of vendors to get on the cloud computing bandwagon has led to the coining of the term "cloudwashing," indicating a product that has had cloud terminology inserted into its description in hopes of somehow increasing sales.

Faced with such a ridiculous deluge of "cloud computing" products, IT buyers respond by being reluctant to take any meaningful steps in any direction, fearful that today's choice might be made obsolete by tomorrow's option marketed by a new vendor.

Much like the shoppers faced with a multitude of jam choices, IT executives opt to put of a decision in favor of more study, hoping that additional information will clarify the correct selection.

However, most IT executives face a much worse situation than a jam shopper. While too many choices of jam caused internal anxiety and a concomitant reluctance to choose, the downside of making the wrong choice was pretty minor: the cost of a jar of jam (although anyone who has shopped at Draeger's, the site of the study, might understand that the cost of a jar of jam there might well be not-inconsequential!).

Imagine, by contrast, the anxiety associated with trying to choose the "right" cloud computing product when the selection might cost millions of dollars and, perhaps, dictate the success or failure of one's career. It would be enormous -- and the motivation to wait for the "perfect" product might prove irresistible. The temptation to wait until things settle down and the winners emerge might also seem irresistible.

There's only one drawback to this temptation: it may be unsustainable in the face of pressure to do something about cloud computing. In his blog this week, well-known commentator David Linthicum points out "IT's cloud resistance is starting to annoy businesses." He notes that "a new study from Accenture and the London School of Economics and Political Science's Outsourcing Unit shows that IT people still see issues like security and privacy as a barrier to cloud adoption." The conclusion of the study: "There's a gap between business and IT. Businesspeople see the excitement and business benefits of cloud computing, so they're pushing for it. However, IT people see cloud computing as causing issues with security and lock-in, so they're pushing back."

David describes the current situation as business units experiencing frustration with the poor agility of IT and perceiving the focus on security and privacy as reluctance to embrace a solution that can improve IT speed and responsiveness.

Certainly one can relate to this. I had the misfortune of participating in a cloud computing panel recently that included a security expert and I have to say his endless repetition of security "issues" and "challenges" (that could be addressed, needless to say, merely by engaging him to consult on the topic) reminded me of a famous Winston Churchill's quotation: "A fanatic is one who can't change his mind and won't change the subject."

Nevertheless, it seems to me that, despite the tireless, endless recitation of cloud computing security issues, there exists a genuine concern on the part of IT organizations regarding cloud computing security and privacy.

Which raises the topic of asymmetric risk. In looking at the opportunity to adopt cloud computing for a particular initiative, the rewards and risks associated with the decision are asymmetrically divided. The business unit, which typically presses a reluctant IT organization to get with the program and adopt cloud computing, stands to gain most of the benefits associated with a successful rollout of the initiative. The quicker response to customers, increased revenues, reduced costs, all adhere to the business unit. Any positive outcomes will redound to the business unit, and the motivation to press for cloud computing are significant.

Meanwhile, should any security or privacy problems develop with the cloud computing initiative, the responsibility for those shortcomings will overwhelmingly fall upon the IT organization. The business unit executive will, quite reasonably, point out that ensuing the security and privacy of the application must lie with the experts -- IT. Any penalties meted out will naturally fall upon IT members of the project team.

In an environment such as this, it makes perfect sense that IT would be extremely cautious about cloud computing. After all, there's little upside for it by quickly moving to cloud computing, while there is considerable downside should it embrace cloud computing with the outcome being a security or privacy breach. Asymmetric risk/reward distribution practically guarantees that the different parties associated with a decision will focus on different factors and be motivated to behave differently.

And one can't say that IT delay in adopting cloud computing is therefore irrational or petulant. It's a natural reaction to an environment in which negative outcomes fall disproportionally upon IT. Regarding cloud computing, IT organizations might, quite reasonably enough, avoid absorbing additional risk as long as possible.

Frankly, it's not clear how the problem of asymmetric risk can or should be addressed. The proper reaction to one group (business units) overenthusiastically embracing a technology without considering its risk is not to prescribe that the group charged with evaluating risk also join the party and throw caution to the winds.

On the other hand, I see many IT organizations citing security and privacy concerns as reasons to not move forward with cloud computing when, I suspect, they are really suffering from the surfeit of choices facing them. It would be better to acknowledge the "choice paralysis" and address that rather than citing security and privacy as justifications for delaying moving forward.

It is for this reason that we typically recommend that IT organizations begin working with cloud computing with the explicit recognition that the initial choice of cloud computing platform might very well not be the long-term selection. Given that perspective, it makes sense to move forward aggressively with some choice, while architecting the initial applications so that migration to other clouds is possible. The learning generated by actually implementing and rolling out a cloud computing application far outweighs anything that can be grasped through meetings, webinars, sales meetings, conferences, and the like.

Bernard Golden is CEO of consulting firm HyperStratus, which specializes in virtualization, cloud computing and related issues. He is also the author of "Virtualization for Dummies," the best-selling book on virtualization to date.

Follow Bernard Golden on Twitter @bernardgolden. Follow everything from on Twitter @CIOonline

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags cloud computinginternet

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Bernard Golden

Show Comments

Cool Tech

Bang and Olufsen Beosound Stage - Dolby Atmos Soundbar

Learn more >

Toys for Boys

Sony WF-1000XM3 Wireless Noise Cancelling Headphones

Learn more >

Nakamichi Delta 100 3-Way Hi Fi Speaker System

Learn more >

ASUS ROG, ACRONYM partner for Special Edition Zephyrus G14

Learn more >

Family Friendly

Mario Kart Live: Home Circuit for Nintendo Switch

Learn more >

Philips Sonicare Diamond Clean 9000 Toothbrush

Learn more >

Stocking Stuffer

Teac 7 inch Swivel Screen Portable DVD Player

Learn more >

SunnyBunny Snowflakes 20 LED Solar Powered Fairy String

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers


This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang


It really doesn’t get more “gaming laptop” than this.

Jack Jeffries


As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr


The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?