Calculating Cloud ROI
This is the title of the new ISACA document in relation with cloud computing that has been published last July. It addresses ROI calculating issue in order to evaluate in a right way an investment in this kind of service, considering all the costs and gains involved.
We would like to highlight some aspects of this document from our perspective as security rating agency that helps to simplify ICT services procurement processes, in general, and cloud computing services, specifically.
- "We must stay within the enterprise's risk tolerance". It means, as defined in the methodology proposal of ISACA, a risk analysis of current service model should be performed for including in the further cost estimation all the investments needed to assure that risk tolerance is the same at the end of the process (this is useful to assure that comparison is made between "apples and apples").
- Intangible risks and benefits should not be included in the formula, unless "the business is able to assign a value based on historical or statistical data.
From our point of view, ISACA document is right when including the risk profile of services into the formula, because it is wrong to invest in cloud with the only "excuse" of savings if, as result, entreprise ends with a higher risk that its tolerance level. And it is also incorrect, not to invest in cloud, considering the costs of a service that has a lower risk profile than our own service. It means, know the risk profile of the cloud service is a key aspect to take a good decision (and precisely, there is where a security rating agency helps).