Cloud computing’s next step — Recognizing, managing risk

The prevalence of cloud computing has increased to the point of transforming IT and business models in every industry, including the not-for-profit sector. In fact, cloud computing has garnered enough attention in the not-for-profit sector to now be considered a technology paradigm shift. Although not-for-profits are not yet matching the adoption rate of for-profits, investments in cloud computing are increasing, while spending on traditional hardware infrastructure is decreasing.1

Cloud computing is the technology that enables access to a shared pool of information, applications, infrastructure and/or services. Irrespective of whether the cloud is internal and hosted by your IT staff or externally run by a third party, your organization must remain responsible for ensuring that appropriate controls are in place and maintained. Similar to their counterparts in for-profit companies, many not-for-profit organizations have generally chosen to start with cloud deployments (e.g., software or infrastructure as a service) in less-sensitive areas and in those that pose low risk (due to either low complexity or non-business critical functions). Some, however, are venturing further, housing critical systems (e.g., accounting/finance and fundraising) in the cloud for technology staffing cost savings and other benefits (scalability, ease of upgrades, stronger redundancy, enhanced processing capabilities, etc.). Some smaller organizations with fewer staffing options are choosing to completely outsource their entire IT infrastructure and applications.

Regardless of the size of your organization and its commitment to the cloud, consider adopting these risk management strategies and best practices:

1.    Prepare your IT function to embrace the cloud Conventional constituent management and fundraising methods are being replaced by online community building and engagement, and crowdsourcing. Even more fundamentally, the rapid evolution and increasing affordability of alternative technology resources is allowing organizations to change their methods of providing programs and services to their constituents.

To be successful within this complex reality, IT needs the appropriate talent, architecture and governance to provide solid support while offering a high degree of agility and flexibility. Provide IT with the budget and personnel required to both manage external providers — outsourced services and applications — and operate and support the internal infrastructure, maintaining appropriate interfaces between the two environments. IT must also have the resources to evaluate, select, develop and implement new technology.  Your IT infrastructure and organization need to be adaptable to changing demands, and your IT budget needs to reflect that greater investments in cloud technology may be needed to achieve downstream operational savings, generate new revenue streams and deploy new organizational strategies to remain competitive.

2.    Ensure IT and business area management are working collaboratively In navigating this technology shift, success depends on efforts being orchestrated across the organization. Bring together IT and functional departments to properly identify needs, manage risks and support change.

IT and management must partner on selecting cloud services and remain in close communication throughout implementation and continued operation. Business areas should drive the selection of cloud computing vendors, applications and services from a functional requirements standpoint. IT must remain responsible for ensuring that any selection is compatible with the overall technology environment and architecture, and that potential solutions meet technical requirements of integrity, reliability, recoverability, etc. A strong relationship between functional and technology areas will help to ensure that cloud decisions are made in line with both business and infrastructure needs, and that the technology budget is set at the right level.

3.    Elevate security, risk management and compliance Even with heightened focus on information security, given the extensive media attention to recent breaches, many not-for-profit organizations have yet to adopt an IT risk management program or methodology. The need to do so is even greater when deploying cloud technologies and using resources that are the responsibility of third-party vendors.

Your organization takes on regulatory and compliance risks in relying on a service provider’s adherence to regulations, such as the Payment Card Industry Data Security Standard and HIPAA. Other risks worth taking seriously relate to business continuity (ensuring key operations are not disrupted during extended system downtime), cybersecurity and malicious insider attacks, commingled data, and compatibility issues with existing infrastructure.

To maximize protection of your organization in ensuring data privacy, consider the security risks that are introduced when information leaves the confines of your organization’s security environment. Establish a comprehensive risk assessment structure for identifying, evaluating, and mitigating or managing IT risks, including potential for loss of control of data placed in cloud technologies. Make sure you understand how third parties secure your data and which controls remain your responsibility.

Adopting cloud computing brings benefits, but also challenges and risks. The protections you put into place will help your organization move more securely into this environment.   

1 NTEN. The 8th Annual Nonprofit Technology Staffing and Investments Report, July 2014.

Trends shaping the future of cloud computing in the not-for-profit industry
  • Hybrid cloud: This is a computing environment in which an institution owns and manages some technology resources, either internally or hosted externally by a third party exclusively for the organization, and has others on the Internet provided by a public third-party vendor. Gartner states that “while actual hybrid cloud computing deployments are rare, nearly three-fourths of large enterprises expect to have hybrid deployments by 2015.1

    Not-for-profit organizations will not be an exception to this trend. We expect that while certain systems and services will continue to be kept within an organization’s internal infrastructure (or on private clouds) due to mission criticality, complexity, cost or risk issues, other services or applications will be shifted to external clouds. The need to develop, implement and maintain the interfaces between these two environments will become a key IT management challenge.
  • Computing everywhere: With the advancement of mobile technology and the power of cloud computing, smartphones will increasingly be used to deliver centrally coordinated applications from the cloud. Organizations that invest now in cloud computing will be ahead of the curve. Because of extended reach and interaction, they can benefit from greater connected audiences and constituents.
  • Advanced data analytics and big data: Organizations can leverage advanced analytics and big data to better understand constituent behavior, improve engagement, and increase campaign response rate and fundraising outcomes. This can be accomplished by tapping into current organizational data and the data from various other sources, such as social media, blogs and surveys.

    1 Zeng, Evan, and Bittman, Thomas. “China Summary Translation: Private Cloud Matures, Hybrid Cloud Is Next,” Gartner, Oct. 17, 2014. Gartner subscribers can read the report.
Back to The State of the Not-for-Profit Sector in 2015