5. Learn to Live With Nuance
"If you want to embrace the cloud, you have to live with ambiguity," but it takes a mature organization to do that, Heiser says. "If the people making the decision truly understand that it's a nuanced decision and it's perfectly all right to run an acceptable level of risk, they can make good decisions. The organization needs to have a healthy culture that can handle an ambiguous decision. You can't have the CIO thinking, 'If it breaks, it will be my fault.'"
You should also have a nuanced view of the bad events that could occur if something goes wrong, Heiser adds. Target's experience notwithstanding, not all breaches are created equal. "Most security failures are not noticed and life goes on," he says.
Still, some IT leaders, careful of safeguarding both their companies' networks and their own jobs, try to get as close to "secure" as they possibly can. "Some technologists consider the concept of 'acceptable risk' to be an oxymoron. They're perfectionists," Heiser notes. At the other end of the spectrum are what he calls "fig leafers" — people who figure that the standard security provided is likely to be good enough.
"The successful organization manages that conflict," he says. "The answer is somewhere between these extremes."
6. Start Sharing Both Credit and Blame
One profound problem with the way technological risk is often managed is that credit for the good outcomes and the bad outcomes isn't fairly apportioned. If IT approves a new cloud service that a business department wants, and the service increases sales or otherwise benefits the bottom line, then the business department that's using it will likely get the kudos and perhaps financial rewards as well. On the other hand, if the new system leads to a security failure or other malfunction, IT will get all of the blame.
With nothing to gain and a lot to lose, IT leaders might have little incentive to explore the risks and benefits of a new product, especially since they're running in place already, trying to keep up with the rapid pace of technological change. "When you're a CIO, the reaction can be 'wait a minute, I have zero minutes to think about this now, I'm just going to say no,'" Petersmark says. "CIOs get conditioned to doing that."
Ideally, an IT department that evaluated a new technology and determined it was a good idea should reap some reward when that new technology has a positive impact on the bottom line. More important, IT shouldn't have to stand in the spotlight alone if something goes wrong. And smart organizations are increasingly creating an environment where they don't.