• No results found

Information governance in cloud computing

N/A
N/A
Protected

Academic year: 2021

Share "Information governance in cloud computing"

Copied!
36
0
0

Bezig met laden.... (Bekijk nu de volledige tekst)

Hele tekst

(1)

INFORMATION

GOVERNANCE IN

CLOUD

COMPUTING

Master Thesis

Danny Wadolowski

Student number 11426152 Date of submission: 23/06/2017

Msc. Business Administation- Digital Business Track Amsterdam Business School

(2)

The most valuable commodity I know of is information.

– Gordon Gekko, Wall Street (1987)

This document is written by Danny Wadolowski who declares to take full responsibility for the contents of this document.

I declare that the text and the work presented in this document is original and that no sources other than those mentioned in the text and its references have been used in creating it.

The Faculty of Economics and Business is responsible solely for the supervision of completion of the work, not for the contents.

(3)

I would like to express my gratitude for a number of people who have helped make this thesis in its current scope and quality.

First and foremost I would like to thank my (company)supervisors Prof Dr Hans Borgman and Dr Hauke Heier for their incredible backing, ideas and engagement that went far beyond what I could have expected for this thesis.

I would also like to thank the whole project team from my time at Accenture ASG. They always found time to help and ultimately contributed greatly to the quality of this study. Last but not least, I would like to thank all of my friends and family who incredibly supported me in the best possible way on this rewarding journey from the beginning on.

(4)

Table of Contents

Abstract ... 4

Introduction ... 5

2. Conceptual Foundations and Hypotheses ... 8

2.1. Information Governance ... 8

2.2. Research Hypotheses ... 10

3. Research Methodology ... 14

4. Research Results and Discussion ... 16

5. Conclusions and Future Research ... 24

(5)

Abstract

The purpose of this paper is to explore how cloud adoption influences an organization’s information governance maturity. Technological innovations, attractive business cases, and quick turnaround times have fueled the popularity of cloud computing in recent years. Soaring investments go hand-in-hand with growing volumes of data and information and multiple connections between internal and external stakeholders - creating challenges for information management, integration and compliance. With data collected from 20 international firms, this study explores the particular impact of popular cloud configurations on governance mechanisms. Our research model has been grounded in previous academic and industry research and examines three aspects of cloud computing: first, source and stack choices, second, the impact of agile deployment methodologies, and third, management practices applied. This study closes with implications for IT governance policy and cloud adoption strategies.

(6)

Introduction

Starting in the 2010ies, executives around the world were questioning the impact and role of cloud computing to their organizational IT infrastructure.(Heier, Borgman, and Bahli 2011) As recently as in 2017 leading industry analysts claim the technology is inevitable, arguing adoption is a necessity for survival in the digital world (Heudecker and Reynolds 2017). Evolving market dynamics stimulated by technology innovation and the need for agility have significantly contributed to the uptake of cloud adoption (Heneghan and Ellis 2016; R. Wexler 2017). Investment in cloud-computing are soaring, with a top rank on corporate agendas. These trends resulted in increasing volumes of data and information streams gathered in organization, and being exchanged between various internal and external stakeholders.

Those dynamics have created challenges for information management, integration and compliance. Consequently, executive concerns have shifted from cloud pilots and early implementation projects to information governance. For the purpose of this study we define cloud computing as “both the applications delivered as services over the Internet and the

hardware and systems software in the data centers that provide those services (Armbrust et al.

2010)”.

From a cost perspective, cloud computing’s benefits comprise scalability - allowing to only pay for what is required at a certain point-in-time. Economies of scale allow public cloud providers to offer computing resources at competitive prices in contrast to company-owned data centers, adding the benefits of maintenance-free usage (Zafar et al. 2017). From a strategic perspective, cloud computing facilitates cross-departmental work and partnerships across organizational boundaries.

(7)

In recent years, specific trend dynamics have particularly contributed to widespread cloud adoption (Bharadwaj et al. 2013; Heneghan and Ellis 2016; Muse 2017; R. Wexler 2017):

• Innovations, e.g. Internet of Things (IoT), bring your own device (BYOD), or access from anywhere-concepts require resource-independent infrastructures where data is not stored on a single user device and can be accessed simply and in real time;

• New value propositions, created by evolving digital business models, create new organizational ecosystems;

• Data analytics, allowing to create new and valuable information from combining different sorts of data attributes and sources;

• Bimodal IT management, the notion of structuring an organization's IT capabilities to simultaneously achieve economies of scale and scope;

• Agility and iterative work approaches since they enable responsiveness - crucial for achieving digital ambitions. Given these approaches require cross-departmental teams and (outside) stakeholder cooperation, cloud computing has significantly increased their effectiveness as data can be shared in real time and independent of location(Manuja 2014).

With an increasing number of service providers providing solutions for every business function and for any IT stack (from infrastructure-as-a-service - IaaS to software-as-a-service), cloud adopters are facing a set of challenges:

• Integration: all cloud solutions have to be integrated with the organization's IT infrastructure and technology backbone. Increasing dependence on technology leaves no room for even the slightest slip-up in operations. Adding new functionality to poorly designed existing landscapes will result in overly complex architectures impeding

(8)

operational maintainability and continuity. IT executives have an increasing responsibility to prevent data leaks, which could lead to the loss of valuable business information Inadequate integration can also cause data inconsistencies and illicit data exposure with potential regulatory consequences.

• Return of shadow IT: certain cloud applications make it easy for business functions or corporate divisions to acquire their own IT functionalities- outside of the existing IT service catalog and established governance mechanisms. Most cloud solutions require relatively little technical skills and offer simple payment options. However, this resurgence of shadow IT opens the door for security leaks, architectural inconsistencies, and inability to manage a total IT baseline (spend).

• Waste: the easy access tends to increase the amount of waste, i.e. unutilized capacity and functionality which can offer lead to a cloud “sticker shock”.

Attempting to better manage above complications, an increasing number of firms have embraced information governance initiatives(Holtschke, Heier, and Humme 2009). Utilizing the IT governance definition (Heier, Borgman, and Mileos 2009) (Korac-Kakabadse and Kakabadse 2001)and the studies on information/data governance of (Kooper, Maes, and Lindgreen 2011) (Khatri and Brown 2010) and(Tallon, Ramirez, and Short 2013), we define information governance as a “framework with mechanisms to guide the creation, collection,

storage, analysis, use, distribution, and deletion of business-relevant information in order to achieve value creation.”

While many executives have declared information governance as a top priority, only few definitions and empirical studies exist. Existing approaches typically comprise elements of “control”: data privacy regulation, data lifecycle management, information security policies, and electronic records management(Donaldson and Walker 2004). According to Newman and

(9)

Logan, effective information governance can yield a range of benefits: Organizations will have better transparency, trust, and lower risk - while improving cycle/throughput times as a result of speedier information flows. Such capabilities also fosters the recognition of information as a prime organizational resource. Finally, information will be consistently handled within and beyond organizational boundaries.

Our research will explore the impact of cloud adoption architectures and practices on an organization’s study will address key areas derived from academic literature and industry reports and aims to explore the specific impact of each of them. The remainder of this paper is organized as follows: The second section will present the fundamental theories relevant to this research and the grounding of the hypotheses. The third section describes the research methodology in more detail. The fourth section will address the results of the study and the final section closes with conclusions, implications for organizational practitioners, and suggestions for future research.

2. Conceptual Foundations and Hypotheses

2.1. Information Governance

For the purposes of this study, the theory of IT-governance has been taken as point of departure. The traditional notion of IT governance involves the definition and implementation of processes, structures, and relational mechanisms in organizations to enable both business and IT people to achieve business-IT alignment and the creation of business value from IT-enabled business investments . However, the traditional concept of IT governance is being challenged as IT-infrastructure capabilities transfer towards resource-independent units and large quantities of information.

(10)

Furthermore, innovative development and deployment methods might be calling for new flavors of governance as noted by Yousif et al. “existing IT governance may be regarded as

optimized for non-agile delivery, with the tendency to strive for economies of scale at the cost of economies of scope.”

This study aims to contribute to the evolving paradigm of IT governance and its developing sub-discipline - information governance - by building on the work by (Borgman et al. 2016) Using the afore mentioned information governance definition provided by the authors. The intention of this study is to explore how cloud adoptions differ among typical settings in cloud architectures. There are four main categories, including some moderating variables. The research framework is depicted in Figure 1.

(11)

2.2. Research Hypotheses

The first group of hypotheses comprises the number of cloud vendors a firm has selected - e.g. to avoid vendor lock-in - and the three most common cloud deployment models being(Ramgovind, Eloff, and Smith 2010):

• Private cloud: a platform which is dedicated to a single organizational use, often chosen

due to a belief that is will be being easier to align with compliance and regulatory requirements. The higher level of in-house control offers improved security - yet comes with higher initial investment and reduced elasticity.

• Public cloud: cloud resources owned by a cloud vendor which distributes them among multiple clients. The main benefits include flexibility with a pay-per-use model, industrialized and fully remote management, and enriched functionalities.

• Hybrid cloud: a private cloud linked to one or more external cloud providers, often selected to have the best of both worlds.

Choosing an appropriate deployment model might be crucial in retaining maximal business value; wrongful architectures might lead to secondary migrations which are costly or can cause the exclusion of cloud resources. According to various industry reports, roughly 70% of organizations select a hybrid cloud environment, 20% opt for a public cloud, and 10% for a private cloud. Several studies suggest public cloud as the most vulnerable model since data is stored in off-site locations and the model imposes dependencies that might harm business continuity in downtimes. The involvement of outside parties could introduce another source of malicious activities. Additional layers of governance have to ensure legitimate access and protection (R. Wexler 2017)(Al Morsy, Grundy, and Müller 2010).

(12)

Building private clouds and appropriate storage can be costly in both setup and maintenance, as well as reduce deployment speed. In consequence we explore whether the type of cloud, i.e. the deployment option - has an impact on information governance maturity (IGM): H1a - The

more information is governed internally, the more positive the influence on IGM will be.

Governance standards and policies have to be adjusted to an organization’s business model, to regulatory requirements, and to the desired degree of IT security. When integrating cloud solutions from different vendors (in a multi-sourcing arrangement), the cloud infrastructure is prone to interoperability challenges with subsequent challenges for IGM. Though there are industry-wide efforts to provide open standards for cloud infrastructures, implementations remain difficult, given that many cloud deployments are customized to clients’ needs and/or still use proprietary technologies (Buyya, Toosi, and Calheiros 2014).

Logically, fewer cloud providers allow for a more comprehensive and well-designed

information flow and better governance mechanisms.

Consequently we postulate: H1b - A smaller number of cloud providers will have a positive

impact on information governance maturity.

The second group of hypotheses addresses the depth of the cloud solution, i.e. the cloud stack. Cloud adopters can choose between three common stack types: Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS). The stacks differ by which responsibilities remain on the vendor side, and which on the client side. With IaaS, the business critical (data) components in-house since organizations only source infrastructure services up to the hypervisor level.

In contrast, SaaS accounts for almost 50% of new investments in cloud given its functional scope and moderate technical skill requirements[3](Ramgovind et al. 2010). With SaaS, all cloud layers remain in the control of the vendor, thus increasing the risk for operational

(13)

dependency and data hazards (Fernandes et al. 2014). Consequently we have derived the second research hypothesis: H2a - A higher proportion of

SaaS use is negatively related to IGM - or the more cloud layers are sourced, the lower the degree of IGM.

SaaS vendors often provide a full-service package (including the application logic layer), ensuring fast implementation and end-to-end support. Thus, it might provide an incentive for business units to acquire applications beyond IT policy, prompted by better alignment with business problems and swift deployments. Such creation of shadow IT resources might contribute to cloud waste and have a negative impact on an organization’s enterprise architecture. Hence, it is interesting to explore whether the maturity level differs by organization size, following the logic that a larger firm is more complex, thus increasing the chance for shadow-IT. H2b - A higher proportion of SaaS use is negatively related to IGM and

moderated by company size.

The third group of hypotheses concerns the type of cloud adoption. Agile working approaches, such as Scrum, Lean, or Extreme programming, are gaining popularity as project management methods. Agile methods are characterized by collaborative development cycles, in which the project scope and requirements can change at any time throughout the process (Dingsoyr et al. 2012). In comparison to traditional IT project management, agile methods actively engage the customer throughout the development phase, such as prototyping at different stages of the project. Requirements and deliverables can evolve throughout the process since agile methods allow for uncertainties.

Given that project resources are focused on quick delivery of innovation, this approach might undermine governance policy design in the initial stages of development. In traditional IT project management, the levers to determine information governance policy tend to be more

(14)

direct and often receive attention in the initial stages of the project ( Borgman et al.2016)When using agile methods, such levers are more indirect. There is also the additional risk that, within the short time cycles, there is less time for feedback from cross-functional stakeholders, and therefore this topic is shifted to the next iterative cycle (Borgman et al. 2016)

Furthermore, involving external parties - such as consultancies - which is common with agile project management, heightens the risks of unauthorized data access and losses. Therefore, it can be argued that cloud adopters, who use agile methodologies as delivery methods, risk overlooking the standard compliance review process, and lose focus on information governance: H3a - Use of agile adoption influences IGM.

The agile approaches allow for rapid incorporation of new innovations into existing and new products. It allows to generate the best achievable customer value proposition relative to time responsiveness: something that is often critical in these industries. This time responsiveness might provide challenges for information governance structures of when it comes to the management of stakeholders. A clearly defined responsibility matrix for stakeholders can positively impact the information governance capabilities and maturities.

However, when the number of stakeholders increases, or stakeholders join (unexpectedly) at a later stage of the development, the governance processes might be disrupted. Involving too many stakeholders might lead to loss of control of stakeholders’ management, beyond the defined boundaries of the responsibility matrix. For the purpose of this study we consider the number of involved stakeholders a moderator to research hypothesis 3: H3b - A reduction in

the number of stakeholders - when applying agile approaches - has a positive impact on information governance.

The fourth group of hypotheses addresses the type of cloud management. It could be stated that a centralized IT department for cloud management has a positive effect on the governance

(15)

structures. Literature (Grembergen 2004) (Borgman 2013) proposes that more centralized IT governance allocates decision-making responsibilities to a central function, thus increasing control and coordination. A central function allows for a comprehensive overview and execution of effective policies, lowering risks related to data leaks and faulty integration. Furthermore, IT functioning as a central cloud brokerage can limit the growth of shadow-IT and limit cloud waste. In consequence we postulate H4a - A higher degree of centralization will

be positively correlated with IGM.

The presence of legacy infrastructure and applications may pose challenges to the process of governance policy design and to overall IT performance. Industry experts introduced the concept of dual-speed IT, a process to manage heterogeneous systems simultaneously. Customer-centric applications are front-end managed to ensure responsiveness; slow-speed legacy processes at the back-end (Bossert 2016)(Petri and Cannon 2017). Managing a mix of innovative/cloud and legacy solutions in a bimodal fashion might suggest an improved information governance, i.e. H4b - Dual-speed IT is positively related with IGM.

3. Research Methodology

The empirical research and testing of the hypotheses are based on information gathered through semi-structured questionnaires. Given that there was no other available dataset suitable for the scope of the study - including agile development and deployment methodologies - semi-structured interviews have been chosen as applicable research method. The questionnaires were developed with the aim of rendering relevant, reliable, and quality data and attracting high-level executives to participate in the study. Given time constraints as often-cited obstacles, the intention was to complete the survey within 10 to 15 minutes.

(16)

A total of 5 iterations of the instrument and the questionnaire have been developed and tested with senior managers and consultants to ensure a precise understanding of the content and to improve the comprehensiveness. Though it was intended to guide respondents through interviews in person, the survey was not dependent on this approach. To build on a tried and tested approach, several questions were taken from Accenture’s high performance in IT survey, a continuous survey that had been run from 2005 to 2013 (Daugherty 2013). The 30+ pages survey offered a range of questions which fitted well with the study’s objective.

The semi-structured questionnaire was augmented with questions measuring an organization’s IGM. Since existing maturity schemes - such as Luftman’s maturity model (Luftman 2003) - did not incorporate address the full scope of our study we choose the enterprise information maturity (EIM) framework. To assess IGM, a COBIT scale is used, which is a well-known maturity level framework both in academia and business (Grembergen and Haes 2009). A study by Hausmann et al.(Hausmann et al. 2014) revealed the three most important themes in EIM are: data management, compliance, and obtaining business value. Those themes have been integrated into our research instrument. The EIM framework also provided the closest fit with our definition of information governance.

The final survey consisted of 15 questions divided into four topic clusters. The first section comprises seven questions concerning the background of the company and how its cloud infrastructure is set up. The second topic clusters consists of three questions addressing IGM and instruments to assess how effectively information is being governed. The third section consists of two questions dealing with the impact of agile methodologies. The fourth and final topic clusters includes questions exploring the day-to-day management of cloud and information governance.

(17)

The survey respondents came primarily from the authors’ professional network, encompassing predominantly global companies from a wide range of industries. Given the authors’ regional focus, respondents are predominately from Europe with the participation of firms from healthcare, manufacturing, financial services, IT/technology, and professional service). Furthermore, it is worth noting that the dataset primarily includes organizations with revenues of €1.0 billion or higher.

Our interview partners were selected on the basis of their experience in cloud computing. For every company at least one the authors made an appointment to guide the respondents through the interview, to provide explanations and examples, as well as to address pints of concern. The initial dataset consists of 20 companies with 14 interview partners. Data collection is still in progress and it is expected to gather a larger number of responses in the second half of the year and integrate these results into the final HICSS paper and presentation in January 2018.

4. Research Results and Discussion

The initial dataset includes 20 responses, all of whom have experience in cloud adoption. Given the small sample size, non-parametric tests such as Mann-Whitney were used whenever possible. Furthermore, given that the results of the initial phase of the study were somewhat surprising, additional practitioners from within the industry have been targeted to grant further insights. Six interviews were scheduled with practitioners from the industry with multiple years of experience in cloud computing, ranging from 5 to 25+ years in the cloud division. This includes two managing directors, three senior managers, and one manager. During these interviews, we presented table 2 and asked the interviewees for evidence from their own experience.

(18)

An analysis of the mean of the three tested information governance domains demonstrates that "obtain business value" has more often selected than all other responsess. For "data management", 70% of respondents ranked their maturity at levels 4 or 5. For compliance, 65% of respondents ranked their capability at levels 4 or 5. For "obtaining business value", only 30% of respondents ranked their maturity at level 4 or 5. The difference in mean is significant for the other two domains at 0.05.

The results indicate that gaining business value from information governance is the least mature domain in practice; thus, organizations are still in the early stages of attaching value to information and handling them as a strategic asset. For the calculation of information governance maturity an average of the two domains, "data management" and "compliance", was used. Respondents assessed these domains and justified their choice by means of examples. The domain "obtain business value" was left out given the majority of respondents indicated their choice on this domain as a guess.During the post results interviews, one of the respondents indicated that obtaining business value out of information governance is contradictive to high maturity in the other two domains, arguing that comprehensive compliance and data management frameworks impede business value creation. Another explanation is that obtaining business value is mostly related to emerging technologies such as big data, which is still in its early phase of adoption and particularly leveraged by single sectors

(19)

such as technology firms. Another interviewee told us, from past experience “we had systems years ago which set the ground for generating value from data, yet little people knew what to do with them”.

Regarding H1, our interview partners were asked whether they govern their information internally. The answer possibilities were on a 5-point Likert scale ranging from “disagree” to “agree”. Two groups were created for the test; the first with respondents who filled out "tend to disagree" or a lower value, indicating that they do not pay attention the location of information. The second group were respondents who selected 4, "tend to agree" or a higher value, indicating that they place value on governing business critical information internally. The mean differences between the two groups are statistically significant at 0.05. Results are in line with our hypothesis, H1a - The more information is governed internally, the more positive

the influence on IGM will be. Given that the majority of respondents selected the use of a hybrid

cloud model, the result indicates that the private cloud component in such architectures is used to govern business critical information internally. It can be argued that the additional investment in a private cloud component is reflected in a higher IGM level. Factors could include ensuring operational continuity in case of downtime of external parties and compliance reasons. Again, from the post results interviews, one respondent indicated that the positive effect on IGM might be related to the way an organisation is governed. Arguing this hypothesis in favour of a centralised structure, whereas, in a decentralised infrastructure this could be negative given that it is hard to establish clear data streams and align policies and their execution in such governance. Another respondent indicated agreement with the hypothesis, yet rather more from a compliance perspective to signal adherence to the accepted rule, considered to be data not crossing boundaries of organisations. Multiple respondents indicated that the management of internal IT is often relatively weaker than the established public clouds and agreed that for now, this might be the best practice, yet this may change in future as compliance rules might change

(20)

and allow for public clouds and their cost and scale advantages. Furthermore, one respondent noted that governing information internally might trial IGM, given that doing so, information has the risk of being outdated and from experience, this appears to occur often with few effective solutions in place.

The subsequent hypothesis proposes that a smaller number of cloud providers will have a positive impact on information governance maturity. Two test groups were created based on the variable "number of number of applications in the companies’ infrastructure”. Group 1 encompasses respondents with 1-4 cloud applications, group 2 with 8 or more. A similar test was repeated with one other variable which specifically addressed the cloud adoption strategy, with answer possibilities including "single vendor strategy", "multiple vendor strategy", and "multiple vendor best of breed technology strategy". Both multiple vendor strategies have been tested against the single vendor. No significant statistical conclusion can be drawn for either of the two test variables. From post results interviews, multiple respondents agreed with this hypothesis, arguing that with more vendors, especially those based in the public cloud, a connecting middle point is necessary where data might be lost in translation. The more vendors that are added into an architecture, the higher the complexity will be and the higher the risk for exposure. While industrywide SLA’s and practices are improving, they are not considered fully efficient yet. It is indicated that harmony in the infrastructure depends on which vendors are involved.

Regarding hypothesis 2, we expected that higher usage of SaaS would have a lower impact on information governance maturity. The survey included a question in which respondents were able to rank their service model according to use. The possible answers were: one; ranked as most used, three; least used, and zero; not used. We created two groups for the statistical analysis: group one which included those who indicated 1 or 2 (i.e. most used or second most used) and group two, those who answered with 3 or 0 (i.e. least used or not used).

(21)

The Mann-Whitney test indicated a significant difference in the means between the two groups, thereby showing support for our hypothesis H2a - The more cloud layers are sourced, the lower

the degree of IGM. This is in line with our thinking and indicates that organizations should be

aware when selecting their service model, especially when it concerns regulated information categories. It is more difficult for users to preserve access control to data and information, if such admittance is agreed, the control over the data can be quickly lost or even conveyed to entities. (Géczy, Izumi, and Hasida 2012)

A comment from one of the respondents is worth mentioning: "some large SaaS providers offer probably the most comprehensive security frameworks and requirements to be connected to the whole infrastructure.” However, this relies on statements of the SaaS market leaders, which respond to consumer concerns on their service models. Possibly, we will find support for this statement in our subsequent hypothesis, in case the result are contrary to our argumentation. Given that large companies would probably acquire applications from larger SaaS vendors, this should then be reflected in the overall IGM score. From post results interviews, all respondents unanimously agreed with our hypothesis, especially finding consensus when multiple SaaS applications are added to the infrastructure; each application vendor has their own governance requirements and mechanisms where in practice this leads to increasing complexity and heightens the chances of negative impact. On the question of whether SaaS would indeed have the best security frameworks, they might indeed be well-established from a security perspective but not entirely from an information governance perspective given that companies are isolated from their data. Furthermore, the interviewees implied that security would rather be vendor specific, who see possible hazards as a business risk, thus related to SaaS. To quote “It would be hardly imaginable that Microsoft would defer on their governance framework just because they are offering a PaaS solution”. On the first interview, the respondent suggested that the upcoming European regulation in 2018, which requires companies to know where sensitive

(22)

client information is stored, connected, distributed etc. might have a negative effect on SaaS adoption, arguing that the law prescribes that the company be ultimately liable for any wrongdoing, thereby more hesitant in adopting this service model. All other interviewees agreed with this statement, adding that they expect to either raise security quality given vendors cannot afford to fail or opt for much longer implementation types given much more architecture work will be necessary, a connecting middle point is required where data might be lost in translation.

H2b - A higher proportion of SaaS use is negatively related to IGM and moderated by company size. Two new clusters were created from the group used for H2a, "most or second most used

in SaaS." The first cluster included those respondents with more than 50.000 employees and the second those with less than 50.000 employees. The test was deemed insignificant, and, additionally, the sample size of n=9 was not sufficient to properly perform this test. From post results interviews, this hypothesis has been viewed differently. In section 2, we presented this as a possible moderator for shadow-IT. One respondent suggested that the moderator would be the degree of cloud adoption which would have a positive relation to IGM. Following this logic, a higher adoption receives more top management attention in terms of governance mechanisms and business/IT alignment, thus simultaneously lowering shadow-IT resources. In general, shadow-IT has been related to a business and IT alignment problem. One respondent mentioned that from his practical experience, SaaS is certainly one of the enablers.

Regarding hypothesis H3a - The use of agile adoption influences the IGM our questionnaire explored the scope of agile used within firms. Respondents could choose between 0%, 0-25%, etc. up to fully incorporated (100%) on a 5 point Likert scale. Again, two groups were created: the first with those who adopted between 1 & 25 % and the second from 25-75%. No one answered below 1% or above 75% and the statistics appeared significant, however, they were contrary to our line of argumentation. There we proposed that the characteristics of agile

(23)

development methodologies, with evolving deliverables, and requirements, could impede information compliance and control.

Several explanations were provided, e.g.: Large organizations which embrace agile methods could establish procedures within their development approaches which ensure adherence to IT governance. The review process for delivered IT artefacts can be designed in an iterative way to ensure that the information governance is adjusted to any change in project scope. From another perspective, traditional IT project management established the required information architecture and governance at the beginning of a project, given all requirements and stakeholders are known.

However, when entering later stages of the development process, expectations and requirements may not be as complete as assumed in the initial phases, thus the design may change over time, changing the balance of involved parties and integrations Given that there is no or little attention to information governance at later stages of sequential delivery methodologies, it might result in uncontrolled data flows, often passed on to the operations team after completion. From post results interviews, respondents were divided based on their regard for the impact of agile methodologies in general. Explanations for a higher IGM are in line with our argumentation provided above, suggesting mainly the continuous adjustment of governance mechanisms to changes. Furthermore, companies working to a large degree with agile might be much more adjusted with the processes from the beginning.

For the subsequent hypothesis H3b we postulated that a reduction in the number of stakeholders in agile methodologies will have a positive impact on IGM. All respondents were classified as agile users. Two groups were created based on the test variable “interconnected third parties”, group one with 1-5 and group two with 20-30. No significant statistical conclusion can be drawn for either of the two test variables. In the post results interviews, some respondents agreed that

(24)

more stakeholders do increase complexity. Others, in turn, argued that it is not the number of stakeholders but the type of stakeholders, given a well-established team composition might result in a successful project on a large scale.

For hypothesis H4a - A higher degree of centralization will be positively correlated with IGM

we argued that - in line with traditional IT governance theory - a centralized approach would

have better controls. The survey incorporated a question relating to how the infrastructure is governed and there were three possibilities offered with explanations: Centralized, federated, or decentralized. Only one respondent selected the last option; all of the others were governed by the two alternative choices. Two groups were created, one for centralized and one for federated. The difference in mean was tested significantly at a level of 0.05.

However, contrary to our line of argumentation, a federated model had a higher IGM mean. Following the body of IT governance literature, federated arrangements offer the possibility to optimally align with specific business needs. This was confirmed by one respondent, who stated that a centralized infrastructure is hard to maintain within a large organization, which is active in multiple countries or lines of business, therefore a federated architecture was preferred. A centralized governance often involves standardized processes and policies, which do not cover all aspects that business units have to deal with in their environments. Our results indicate that this might by similar for information governance arrangements. From post results interviews interpretations varied. Generally, everyone agreed with our proposed hypothesis arguing that it is the proposed best practice. The main support for a federated approach would be, in line with our argumentation, to allow for environmental factors affecting the business units such as compliance or additional applications. One should note the perhaps extreme interpretation of a purely federated infrastructure, some acknowledging that the optimal way would be between centralised and federated. Furthermore, it is interesting to observe there was a general agreement on the fact that a centralised IT might provide more room for Shadow-IT

(25)

given the highest possibility of a misfit on business/IT alignment. Additionally, centralisation is often associated with slow responsiveness which provides more incentives for business units to handle matters on their own.

For H4b - Dual-speed IT is positively related with IGM we included a question in the survey

addressing the type cloud management. Respondents were able to choose between three answers: "no legacy", "single speed", and "dual-speed"; for all answers examples were provided. We created two groups: Group 1 contained respondents who indicated a single speed management approach and Group 2 contained those who had selected a dual-speed setup. Only one respondent indicated the option "no legacy", which was therefore excluded from the set. The Mann-Whitney test showed no significance. From the post results interviews, everyone agreed that, in theory, the hypothesis should find support given the thought that is applied to processes and interoperability of whole architectures. One respondent argued that managing both “worlds” at the same priority level might create an even more complex architecture. Surprisingly, although the interviewees had many encounters with legacy systems, no one could back up with a dual speed example from practice. On the one hand this could indicate that benefits on IGM can be measured only when the ideal two-speed IT fully adopted, or perhaps that the concept has never really found ground beyond IT advisory literature.

5. Conclusions and Future Research

This study introduced and explored a framework for information governance maturity (Figure 1). We developed our hypotheses and were able to test the majority of these for the main independent variables. With respect to the first hypothesis, we could confirm that governing information internally has a positive influence on information governance maturity. However we could not find any significant support for the hypothesis that a smaller number of cloud providers will have a positive impact on the IGM. Our data confirmed the second hypothesis

(26)

that a higher degree of usage of SaaS in the infrastructure has an adverse impact on information governance maturity, however rejected the hypothesis that this impact is moderated by company size. This finding confirms that a more distributed ownership of data correlates to a higher chance of losing control. By testing the third hypothesis we found – surprisingly - a significant positive impact of agile use on IGM. It is worth noting that multiple respondents indicated concerns over the impact of agile methodologies; however, given the ill-defined measurement objectives and the lack of historical comparison, it is hard to distinguish whether any influence can be attributed to the project development approach. We could not find any support on the impact of stakeholders at this stage. For the fourth hypotheses, we found a significant mean difference, however one that supported the federated model. This indicated that a centralized approach may not be the most effective in managing the range of different business units’ and regions’ needs. In an attempt to explore whether a dual speed IT management strategy was effective, we could not find any support regarding impacts on IGM. Implications for both research and practitioners are as follows; this study has further strengthened the evolving nature of IT governance and the need for enhanced mechanisms. The initial dataset and interviews with industry practice showed that information governance in cloud computing is hardly able to be tackled successfully with a standardised approach. Optimal governance of the cloud infrastructure is dependent on multiple (environmental) factors. However, our discussed hypotheses trialled traditional governance understandings and revealed factors that may impact future cloud adoption, as well as improving cloud governance policy. Furthermore, the study and discussion show an opportunity for advisories to teach the industry more about obtaining business value.

While those initial results have proven promising and insightful, this study is still in its early stages, and will require more data to further strengthen above conclusions. Given cloud adoption itself is still in its nascent stages, more interviews will be scheduled to discuss the

(27)

initial results with experienced managers to derive deeper insights from academics and practitioners. – Upcoming regulations.

A major limitation to the application of our findings is the respondents’ geographic area, which is predominantly focused on Europe. Given different country-specific data laws and regulations, and upcoming Europe-wide regulation, this could affect the interpretation of IGM. Additionally, the adoption strategies might differ in this region compared to others, given that the private components of a hybrid deployment model often exist due to the regulatory requirements governing customer sensitive information.

This study is one of the first attempts to explore the determining variables in the area of information governance related to cloud computing. In further research, it would be interesting to replicate the study in other geographical areas. It would be interesting to see whether deployment choices differ, and perhaps clarify the distinction between regulatory factors and strategic implications. Certainly, it would be of value to investigate the issue of obtaining business value through (better) information governance. However perhaps the most pressing area for future research, given the value of data and information shown by this study, is why information as a strategic asset has received so little focus from executives and governance committees to date.

6. References

Armbrust, Michael et al. 2010. “A View of Cloud Computing.” Communications of the ACM 53(4):50. Retrieved (http://portal.acm.org/citation.cfm?doid=1721654.1721672).

Bharadwaj, Anandhi, Omar a. El Sawy, Paul a. Pavlou, and N. Venkatraman. 2013. “Digital Business Strategy: Toward a Next Generation of Insights.” MIS Quarterly 37(2):471–82. Retrieved (http://www.misq.org/misq/downloads/download/editorial/581/).

(28)

Borgman, Hans, Thomas Boekamp, Hauke Heier, and Bouchaib Bahli. 2016. “Dotting the I and Crossing ( out ) the T in IT Governance : New Challenges for Information

Governance.” Hicss 4901–9.

Borgman, Hans P. 2013. “IT-Governance.”

Bossert, Oliver. 2016. “A Two-Speed Architecture for the Digital Enterprise.” Pp. 139–50 in

Intelligent Systems Reference Library, vol. 111.

Buyya, Rajkumar, Adel Nadjaran Toosi, and Rodrigo N. Calheiros. 2014. “Interconnected Cloud Computing Environments.” ACM Computing Surveys 47(212):1–47. Retrieved (http://0-dl.acm.org.cataleg.uoc.edu/citation.cfm?id=2620784.2593512).

Daugherty, Paul. 2013. “High Performers in IT: Defined by Digital.” Accenture 1–41. Dingsoyr, Torgeir, Sridhar Nerur, Venugopal Balijepally, and Nils Brede Moe. 2012. “A

Decade of Agile Methodologies: Towards Explaining Agile Software Development.”

Journal of Systems and Software 85(6):1213–21.

Donaldson, Alistair and Phil Walker. 2004. “Information Governance - A View from the NHS.” International Journal of Medical Informatics 73(3):281–84.

Fernandes, Diogo A. B., Liliana F. B. Soares, Jo??o V. Gomes, M??rio M. Freire, and Pedro R. M. In??cio. 2014. “Security Issues in Cloud Environments: A Survey.” International

Journal of Information Security 13(2):113–70.

Géczy, Peter, Noriaki Izumi, and Kôiti Hasida. 2012. “Cloudsourcing: Managing Cloud Adoption.” Global Journal of Business Research (GJBR) 6(2):57–70. Retrieved

(http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=66423829&site=eds-live).

(29)

Grembergen, Wim Van. 2004. Strategies for Information Technology Governance. Grembergen, Wv and Sd Haes. 2009. Enterprise Governance of Information Technology. Hausmann, Verena, Susan P. Williams, Catherine A. Hardy, and Petra Schubert. 2014.

“Enterprise Information Management Readiness: A Survey of Current Issues, Challenges and Strategy.” Procedia Technology 16:42–51. Retrieved

(http://linkinghub.elsevier.com/retrieve/pii/S221201731400293X).

Heier, H., H. P. Borgman, and C. Mileos. 2009. “Examining the Relationship between IT Governance Software, Processes, and Business Value: A Quantitative Research Approach.” 2009 42nd Hawaii International Conference on System Sciences 1–11. Heier, Hauke, Hans P. Borgman, and Bouchaib Bahli. 2011. “Cloudrise: Opportunities and

Challenges for IT Governance at the Dawn of Cloud Computing.” Proceedings of the

Annual Hawaii International Conference on System Sciences 4982–91.

Heneghan, Lisa and Albert Ellis. 2016. 2016 Harvey Nash / KPMG CIO Survey.

Heudecker, Nick and Martin Reynolds. 2017. Predicts 2017 : Lead , Follow , or Get Out of

the Way — A Gartner Trend Insight Report What You Need to Know.

Holtschke, Bernhard, Hauke Heier, and Thomas Humme. 2009. Quo Vadis CIO?

Khatri, Vijay and Carol V. Brown. 2010. “Designing Data Governance.” Communications of

the ACM 53(1):148. Retrieved

(http://portal.acm.org/citation.cfm?doid=1629175.1629210).

Kooper, M. N., R. Maes, and E. E. O.Roos Lindgreen. 2011. “On the Governance of

Information: Introducing a New Concept of Governance to Support the Management of Information.” International Journal of Information Management 31(3):195–200.

(30)

Korac-Kakabadse, N. and a Kakabadse. 2001. “IS / IT Governance : Need for an Integrated Model.” Corporate Governance 1(4TY–JOUR):9–11.

Luftman, Jerry N. 2003. Competing in the Information Age: Align in the Sand: Second

Edition.

Manuja, Manoj. 2014. “Moving Agile Based Projects on Cloud.” 2014 IEEE International

Advance Computing Conference (IACC) 1392–97. Retrieved

(http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=6779530).

Al Morsy, M., John Grundy, and Ingo Müller. 2010. “An Analysis of the Cloud Computing Security Problem.” 17th Asia-Pacific Software Engineering Conference (APSEC 2010)

Cloud Workshop,Sydney, Australia (December):7. Retrieved

(http://researchbank.swinburne.edu.au/vital/access/services/Download/swin:20103/SOU RCE2).

Muse, Dan. 2017. “State of the CIO: 2017.” IDG, 1–12. Retrieved

(http://core0.staticworld.net/assets/2017/02/20/state_of_the_cio_exec-summary_2017.pdf).

Petri, Gregor and Neville Cannon. 2017. “An Overview of Enterprise Cloud Strategy Approaches and a Pragmatic Template for Setting Your Cloud Use Policy.” Gartner (January):1–22.

R. Wexler. 2017. RightScale: State of Cloud Report 2017.

Ramgovind, S., M. M. Eloff, and E. Smith. 2010. “The Management of Security in Cloud Computing.” Information Security for South Africa (March 30 2010-April 1 2010):1–7. Retrieved

(31)

e.org/lpdocs/epic03/wrapper.htm?arnumber=5588290).

Tallon, Paul P., Ronald V. Ramirez, and James E. Short. 2013. “The Information Artifact in IT Governance: Toward a Theory of Information Governance.” Journal of Management

Information Systems 30(3):141–78. Retrieved

(http://www.tandfonline.com/doi/full/10.2753/MIS0742-1222300306).

Zafar, Faheem et al. 2017. “A Survey of Cloud Computing Data Integrity Schemes: Design Challenges, Taxonomy and Future Trends.” Computers and Security 65:29–49. Retrieved (http://dx.doi.org/10.1016/j.cose.2016.10.006).

(32)

For this study, think of a company or project where you had the most experience with cloud computing.

Please use the same company example as a reference for each question.

Background

Information governance in cloud computing

Cloud watcher

Planning & evaluating a cloud architecture 1-10% of total IT on cloud

Cloud beginner

Currently on initial phase of adoption 10-25% of total IT on cloud

Cloud explorer

Have multiple applications running 25-50% of total IT on cloud

Cloud focused

Heavily using a cloud infrastructure 50-100% of total IT on cloud

1. What is your experience with cloud adoption?

Private cloud operated solely for an enterprise

Hybrid cloud a mix of private and public cloud

Public cloud

publicly available cloud resources for multiple parties

2. What is your organisation's cloud

deployment model?

1-2 3-4 5-6 7-8 9-10 11 or more

3. Please select the number of cloud applications in your landscape.

Standardized fully pre-integrated technology platform

(single vendor)

Multiple individual platforms by application

(multiple vendors)

Pure best of breed technology platform

(multiple vendors)

4. Is your organization following an approach towards a standardized

cloud platform from one vendor or a best of breed cloud platform

across the IT stack?

5.

Please rank the cloud servicemodels according to use:

Please select ''1'' for the most used, ''3'' for the least used and ''x'' if not applicable.

IaaS - Infrastructure-as-a-Service PaaS- Platform-as-a-Service SaaS- Software as a service

2

x x x

(33)

0-500 500-2,500 2,500-5,000 5,000-50,000 >50,000

6. Please indicate the size of your company in employees total.

Centralised

Decision-making responsibilities in a central function.

Federated

Part decision-making responsibilities in a central function, part at business units.

Decentralised

Decision-making responsibilities at business units.

7. How is the organisation's cloud landscape governed?

3 This section addresses the information governance policies of your organization.

For the purpose of this study, information governance is defined as a framework with mechanisms to guide the creation, collection, storage, analysis, use, distribution, and deletion of business-relevant information to achieve value creation.

8. Please indicate the maturity level of the following information

governance objectives:

Information governance Complete lack of any recognizable processes. 0 - non-existent Processes are ad hoc and disorganized. 1 - Initial Similar processes followed by few individuals. 2 - Repeatable Procedures have been standardized and documented. 3 - Defined Possible to monitor and measure compliance with procedures and to take action where needed. 4- Managed Refined to a level of best practice. 5 - Optimised Data management

Collecting, storing and securing information throughout its lifecycle.

Compliance

Maintaining data security and privacy policies; protecting and securing business information assets.

Obtaining business value

Obtain greater value from information by improving the organization’s ability to access and share information, to re-use information and gain business intelligence.

(34)

Fully disagree Tend to disagree

Neither agree or

disagree Tend to agree Fully agree We have experienced

data/information leaks to unauthorised (external) parties.

In our cloud architecture, we mostly involve internal stakeholders (e.g. cross-departamental) We have experienced operational hiccups when adding a new cloud application. We govern business critical information internally (private cloud) In our cloud architecture, we continuously exchange data with external stakeholders.

9. Please indicate your level of agreement with the following

statements:

1-5 6-10 11-15 16-20 21-25 26 or more

10. Please select the number of

connected third parties that

continuously

exchange data within your cloud landscape.

(35)

The impact of agile working methodologies. Information governance in cloud computing

We do not use Agile -0% 1-25% 25-50% 50-75% >75%

Agile work approaches are popular methods to increase responsiveness to market demands and fluctuations. They are characterized by: extensive cross-functional work teams, customer collaboration, shared databases. Examples (include, not limited to): Scrum, XP (eXtreme Programming), DSDM (Dynamic Systems Development Method).

11.

To what extent has your organisation adopted Agile methods

working methods?

Fully disagree Tend to disagree

Neither agree or

disagree Tend to agree Fully agree Data Management

Collecting, storing and securing information throughout its lifecycle.

Compliance

Maintaining data security and privacy laws and protecting and securing business information assets.

Obtaining business value

Obtain greater value from information by improving the organization’s ability to access and share information, to re-use information and gain BI.

12.

After implementing agile working methods, we have experienced

increased challenges

in:

If agile had any unfavorable impact, please choose ''tend to agree'' or ''fully agree''.

(36)

Management

Information governance in cloud computing

We do not have legacy within out IT architecture

We have legacy, we run the entire IT in a

single-speed architecture and governance

policy

We have legacy, we run the entire IT in a

Two-speed architecture and governance

policy

13. How do you handle your legacy applications?

Two-speed IT involves a fast-speed, customer-centric front end running alongside a slow-speed, transaction-focused legacy back end.

We purchase and distribute all devices and do not allow end users to use their own.

We purchase and distribute most devices but allow end users to use their own mobile or

tablet device under restricted policy.

We enable end users to buy or bring the devices of their choice to work.

14. How would you describe your organizations policy with regards to

your end users environment(desktop, laptop, mobile device, tablets)?

Please select the best fit.

No, we do not have cloud waste Yes, mainly due to overcapacity Yes, mainly due to shadow-IT

15. Do you experience any cloud waste?

Please select the best fit.

Other (please specify)

Please indicate the operating industry:

IT/Technology Financial services Professional services Manufacturing Health care (Tele)communications 6

Referenties

GERELATEERDE DOCUMENTEN

(1) Maar in zijn gememoreerde werk laat hij duidelijk de samenhang van de twee vakgebieden uitkomen, In het slot van zijn hoek zegt hij dat het dramatische en

Questions only asked of middle school professionals and care professionals included: According to you, what are the first manifestations of SR?; According to you, what are the

alimentation longs jeûnes : on ne l’a jamais vu se nourrir… instinct grégaire nul ; réputé solitaire. Le dahut Radin Du dahut Spécificité Environnement Traité de chasse

Test alerted content Test example block Test

First section Title Pages for Sectioning Blocks Second section Third subsection Fourth subsection Test frame I First item I Second item I

First section Second section Third subsection Fourth subsection Test frame I First item I Second item I

First section Second section Title Pages for Sectioning Blocks.

15.08.2018 Norman Markgraf | Norman’s Pandoc Beamer Themes 2.. A short