Common Misconceptions – Fear, Uncertainty and Doubt
What makes selling cloud services a lot harder is that you have to fight an uphill battle against misconceptions created out of lack of knowledge or intentionally spread by competitors (the ones not offering cloud services).
I will start to dig into these with this post but given that there are many misconceptions small and big I will probably limit myself for the sake of length and come back to this topic in later posts. Also some of the topics are elemental and need a closer look. I will pick these up in separate posts as well.
You can buy “the cloud” (thanks to Einar Aleksejev for this choice of words)
The cloud is not a tool or a product and therefore it cannot be bought. It is all about services. Let me put an emphasis on this: Whatever technology providers will claim it is all about services. Even the famous term private cloud is about services for real. What most vendors do is to use the term private cloud to describe technology that could help you to build a private cloud. Sadly these offerings fall short when it comes to what a private cloud really would be – the business model for the internal cloud service.
I will dig deeper into private clouds and how a real private cloud looks like in one of the future posts.
It is all about technology
If you look into service descriptions, discussions, presentations, etc. it looks like the cloud is a pure technology play. There are feature discussions and there is a whole lot of buzz about the underlying technology. The only topic sticking out is the privacy/Patriot Act fear (see below).
Why is that? First of all the computing and software industry has a tendency to “sell from nerd to nerd”. And technology is the one common language base. As cloud is so far enabling technology providers (Soft- and Hardware alike) to step up to the world of services this is their comfort zone. The outsourcing industry that has learned that business value, risk management, etc. do play a more important role has not stepped into the cloud business on a broad base. Secondly so far it worked more or less as the early customers have been enthusiasts and therefore were receptive for the technology talk.
So what is it if not a technology play? It is a business option and should be viewed like this. It either offers the customer a new way to reduce the effort and time to market where effort can be the investment needed in test and development equipment. It is a new option that offers additional flexibility how to serve the own workforce with collaborations services. But also there this needs to be based on a need and a thorough analysis of the different options. It is about how to use your own in-house workforce and where these precious resources should spend their working hours (exchanging light bulbs or driving innovation).
It is so much more than just technology though I admit most of us are fascinated by it and for many people in our industry it is the true comfort zone. To really be successful we all need to move beyond technology.
For the “rule of the three S” have a look at this earlier post on cloud-dicussions.com.
All or nothing
I have met customers around the world and one thing is common. There is always someone who is in fear at each customer. Partly that is to that fact that the human per se despises change but also because one of the most common misconceptions is that the cloud replaces everything (all mail systems, all databases servers run locally…). This creates a huge roadblock not much different than in outsourcing cases when discussing TUPE, only that there is no transfer of employees in the case of the cloud so the fear is even bigger.
In cases of mail and collaboration as SaaS offerings the full replacement is an option. But it is not the most widely used option and it is in most cases neither the economically preferred option nor the one with most business sense. The majority of scenarios for enterprise customers is a mix with local delivery based on regional or business requirements. Could this change over time? Probably, but given the lack of trust in governments, privacy rules and the fierce competition in business it will take a long time.
If you look at PaaS and IaaS offerings these address different business scenarios as well and are not aimed at the removal of the full IT department. It is all about the clever usage of these services to enhance the performance of the internal offering of the IT departments rather than a wish to replace them.
The marketing buzz and the discussions on cloud that for most of the time even do miss the most basic distinction of enterprise cloud services vs. consumer cloud services do not help. Only through open and clear communication and focus on the business needs (rather than the technology, see above) we can change the perception of the cloud. If you are a customer search and find someone you trust, who looks beyond technology and helps you to identify the cloud usage scenarios for your business needs. In addition learn from the communication strategies of outsourcing deals to sell the cloud message to your own workforce.
A European customer cannot legally use the cloud due to the Patriot Act
How often have I heard this one? Countless times and you are able to guess the reading habits of your counterpart based on the simple fact which agency it is that grasps the data (FBI – thriller stories, NSA – technology, terrorist stories, CIA – classic spy stories, FBI corruption units – economy thrillers, and so on). As funny as this sound it carries a huge risk. There is so much confusion and uncertain fear about the Patriot Act that many customers stay away from cloud computing as if would be the plague.
Especially in Europe and even stronger in Germany you can also see non cloud providers boosting these fears by telling half true stories that play to the already existing doubt. This is so far a successful sales strategy but there comes the point when customers have more knowledge and will recognize it as that – a simple sales strategy. Playing this card now ensures short term success but destroys any trusted advisor status you might have or seek in the long term.
I will have a full post on this topic in the near future therefore I just list some common Patriot Act misunderstandings:
- The Patriot Act is not just one law. It is a collection of amendments to about 50 already existing laws. So if you have concerns about the Patriot Act, be precise which part it is that worries you.
- The Patriot Act was not created for cloud Computing. It covers all aspects of life and business. E.g. Outsourcing providers need to follow the same rules but there seldom anybody puts up as much discussion as with the cloud
- The Patriot Act does not only cover you if your provider is from the U.S.A. As soon as you own business has substantial subsidiary in the U.S.A. you are fully embraced by it.
- The Agencies will address the provider as the easiest and quickest way to get the data is another misconception. The first addressee is the owner of the data. Only in the case of the so called sealed subpoenas the provider itself will be addressed without prior warning or involvement of the owner. How often this occurs and under what circumstance should be part of the risk assessment.
- To really assess and judge on the risk you need to involve the specialist. I have seen so many people starting to argue on the Patriot Act based on Wikipedia knowledge. This does not work. You legal department, your data protection office or legal support should lead the discussion. This would help to avoid confusion on both sides.
- The Patriot Act is not only about companies but also individuals. This is important as it alters the risk assessment in case you yourself or your providers (even if not cloud) employ US citizens in roles that could potentially have access to data.
To legally use a service you need to ensure that you fulfill the requirements set by the countries you operate in. There are general rules on data privacy and data transfer for data types as well as specific regulation for certain verticals, e.g. banks. The Patriot Act per se does not prevent you from using a cloud service.
The data location matters if it comes to privacy
Have you not heard the question numerous times: “Where is my data stored?” I have and still do.
But is the storage location really relevant? If you look at privacy laws these do not speak about data location but data access. So in other terms even if I promise never to move the data out of Europe but have an system administrator in the U.S.A. who remotely manages the system it is like I have personally carried a physical copy into the U.S.A. This completely turns the perception of most folks upside down but is the way privacy laws (and I believe rightly) are constructed. So again bring the experts to the table. Interpreting the law and arguing someone else’s interpretation is an art of itself.
So what are the terms data at rest and data in transition about? This is less a privacy concern but more a discussion about encryption and external access without permission (potential hacking targets). It is an important discussion but needs to be separated from the data location and privacy concern.
To be continued …