Efficient, connected and secure companies — regardless of industry — tend to have one thing in common: they’ve embraced digital transformation. Being digital-first helps facilitate product development, reduce costs, improve automation, scale operations, as well as augment security, compliance and risk management processes. Cloud computing, widely recognized as a key enabling technology to support digital transformation, can help realize these benefits.
Digital transformation isn’t a quick fix, however. Organizations cannot simply “flick a switch” and become fully integrated into the cloud computing environment. It requires careful planning and thoughtful consideration. And many organizations struggle to find the right balance of supporting legacy information technology (IT) systems and emergent cloud solutions.
Interac, a leading payment processing firm in the heavily regulated financial sector, partnered with MaRS to better understand how businesses are approaching cloud adoption and to determine what factors are essential to successful transitions. “We went on a journey with MaRS to better understand digital transformation through the lens of cloud migration,” says Samah Chowdhury, senior manager of innovation partnerships at Interac. “There are certainly technical challenges, but there are equally important cultural and behavioural obstacles to overcome along this path.”
Here are three important lessons to keep in mind.
The decision to migrate to a cloud environment should not be taken lightly. As a major IT project, it must be supported by a comprehensive business plan complete with clear business objectives, risk management strategies, costing, timelines and organizational endorsement. Failure to fully scope a cloud migration project increases the likelihood of delays, cost overruns and organizational resistance.
As part of this planning process, organizations should consider regulatory implications tied to the adoption of new technology, including cloud computing, given the increasing importance of data privacy and security.
“At Interac, we are acutely aware of the risks posed in the post-pandemic, hyper-digital economy,” says Greg Kliewar, assistant vice president of technology architecture and strategy at Interac. While he and his team, as well as many others in the innovation economy have been busy keeping up with burgeoning demand, bad actors who would steal, ransom, or otherwise exploit without permission the sensitive data of citizens and their financial services providers, have also been busy innovating on their craft. Organizations need to be proactive, advises Kliewar. “Anyone embarking on a program of digital transformation is well advised to take a Security First posture with corresponding objectives and KPIs to raise the information security profile into the transformation program itself.”
Cloud computing in Canada is not governed by any specific “cloud computing law” or any associated regulations. Instead, the legal and regulatory landscape around cloud computing is largely composed of a matrix of different rules, guidelines and practices. Where cloud computing can become the subject of regulatory oversight is in how the technology is used as part of an organization’s operations.
Given this context, a best practice among regulated entities is to proactively develop regulatory expertise within the organization. Regulatory expertise is not a single skill set, encompassing such disparate areas as corporate strategy, legal, information technology and government relations.
Organizations can adapt their internal governance structures and processes to help manage regulatory compliance as part of their day-to-day operations. Examples of action that could be taken include:
Data residency, the physical or geographic location of an organization’s data holdings, is a top-of-mind topic in cloud computing discussions. Data residency restrictions are usually the focus of the conversation as it is assumed that cloud computing solutions may not be able to satisfy the rules around the physical location of where data must be stored. However, many IT experts point out that there are an array of residency solutions, such as hybrid cloud approaches, data flow restrictions, encryption, and third-party solutions that can be facilitated by cloud providers and still fulfill regulatory compliance and security requirements.
In-depth organizational research around data residency requirements (aligned with its internal data management policies) is the first step in overcoming early-stage implementation barriers to building appropriate architecture design and developing strategies for cloud adoption. Clear articulation of these data residency requirements and/or other potential data restrictions to cloud providers is critical to setting up a customized cloud solution. Solutions, such as modular deployment of cloud computing capability, enable portions of an organization’s IT infrastructure to remain on premise. In doing so, it allows for adherence to data residency rules while not restricting or limiting the benefits an organization could reap from having other parts if its data holdings within a cloud infrastructure.
“It is easy to fall into churn on questions of exactly what residency requirements exist for the data your organization is handling,” says Kliewer. “For that, you will need the close involvement of governance, risk and compliance disciplines on the team to help you catalogue and classify the data with respect to risk and compliance implications to a high degree of precision.”
It’s also important to engage your regulators in an open dialogue, so that you can collaborate on a framework for moving forward where regulations are absent or not perfectly clear, adds Kliewer. “Your mission is to identify and document the risks inherent in the data and solutions you are providing, as well as the controls necessary to mitigate all such risks.”
Like many other in-demand professions in the technology sector, experts with skills in managing cloud migration are hard to come by. This issue should be a priority addressed within a comprehensive cloud migration business plan — organizations should anticipate that skills shortages and training may require special attention. As such, they could consider creating and implementing a talent development program to internally cultivate organizational expertise; developing a formalized training program for corporate units involved in managing cloud infrastructure, product development, regulatory compliance, and other issues; and strategically complementing organizational capacity with experts from external vendors.
Another factor to consider in any type of cloud migration project is organizational adoption resistance. Employees often present a challenge with any large undertaking because these projects inherently bring change and disrupt the status quo within an organization. Minimizing adoption resistance can be managed through a number of tactics:
In the long run, the cost of cloud migration almost always makes good business sense. However, organizations are often faced with competing priorities and costs — for example, investing in cloud migration while also rationalizing their on-premise investments. This situation is often likened to a sunk cost fallacy; with so much money invested into in-house systems over the course of an organization’s existence, it becomes difficult to rationalize de-servicing these systems and opting to deploy onto the cloud. While most organizations plan for and accept costs associated with the actual migration, they should also plan to incur costs in areas such as:
There is a certain “art and craft” associated with a successful digital transformation, including cloud migration. Organizational and human factors are as much a part of successful transformation efforts as the technology itself. “It’s not just a technical challenge, but a cultural one,” says Chowdhury. “Success depends on how well you can navigate the implicit challenges of changing mindsets and attitudes.”
It’s critical that companies take the time to plan and realistically assess the organization’s readiness, placing special emphasis on regulatory requirements. Understand the options around data residency in order to customize a solution that works for your organization’s unique circumstances. And, invest in the people and supports that will help with long-term adoption and develop a resilient, high performing organizational culture.