Even if your world revolves around technology, you may have heard about behavioral economics. One of the 2017 Nobel Prizes went to a behavioral economist, and last year also saw the publishing of The Undoing Project by Michael Lewis, a history of this discipline and something of a follow-up to his influential book Moneyball.
The advantages of cloud migration and digital transformation may have been clear as day. But despite the benefits, many IT leaders hesitated. Some are still on the sidelines. Why? Well, why do so many of us prefer the current state of affairs to arguably better alternatives?
Behavioral economists call it the “status quo bias.” They relate emotional attachment to a current baseline to other non-rational cognitive processes, such as loss avoidance and the endowment effect, whereby you ascribe more value to things simply because you already own them.
One of the early studies on the endowment effect involved the variance in college students’ willingness to buy and sell hard-to-get basketball tickets. But it is easy to see its application here. The famous “pets vs. cattle” metaphor makes much the same point, depicting old-school IT practitioners as having an unreasonable bond to individual, on-premises servers, like that of owners to their cats or dogs.
But what about the proponents of cloud computing? What explains the eagerness of many IT practitioners and business leaders for SaaS tools or cloud-based infrastructure?
It turns out other mental tendencies are at work, such as delay discounting, which ascribes higher value to sooner than later rewards. A business leader prefers a SaaS tool today to one that the in-house IT team could deliver next month, or year. The same applies to developers, who would rather have a cloud-based testing environment today than one that IT can provision who-knows-when.
Add to that the zero price effect and need for control. In the first case, researchers have documented the strong attachment that individuals have to the value of zero. That inclination helps tip the scale for those attracted to the cloud because of the absence of upfront capital expenditures. As for control, the cloud democratizes IT and enables autonomy, whether for marketers wanting digital-native tools or developers looking to spin up VMs and use other cloud resources.
Tragedy of the insecure common
This conflict continues to play out. The need for control, for instance, cuts both ways. Many IT leaders value control, but the proliferation of cloud solutions has led to blind spots. Take security.
Whether using SaaS or cloud infrastructure, the enterprise customer is relying on the provider’s assurances that the offering is secure, and all data protected. Under the guidance of an active and engaged chief security officer, a proactive enterprise may take additional precautions. In the best case, the result is a locked-down, layered security framework. In the worst case, you end up with something resembling the tragedy of the commons, the classic economic term referring to a situation where a resource is used by many but ultimately protected by no one.
When no one assumes responsibility, insecurity becomes an externality, like pollution in an unregulated industry. Whatever you call it, the risk is real. Enterprise IT now extends across a hundred or more applications and includes multiple hybrid, private, and public clouds; meanwhile threats (ranging from warfare-like attacks to internal human error) are growing. It has become very difficult to apply consistent security, governance and other policies across the entire IT estate.
Needless to say, the stakes are high, whether in the cloud or not. According to a NTT Security Risk:Value 2017 report, it takes an enterprise $1 million to recover from a data breach, not counting the less tangible losses to trust and brand. The question is how you track—and ideally prevent—that expense.
Reconciling and reaching goals
Aligning the competing demands for control and agility is a work in progress. One development has been the injection of security within the devops paradigm. This is one of the trends mentioned in the NTT Security’s 2018 Security Trends & Predictions report. Rather than bolting on testing at the end of the process, the idea is to move security as far left in the life cycle as possible.
Another is the idea that security itself can be cloud-delivered. With cybersecurity talent scarce, it makes sense to partner with organizations that have those skills and who can deliver advanced security at a digital pace. A managed security services provider (MSSP) is one model.
However this gap is closed, any discussion of cloud costs (see ”What IT needs to know about cloud economics: costs”) should make room for the application of security, governance, and other policies. As for the intersection of cloud economics on applications (see ”What IT needs to know about cloud economics: applications”), those concerns will mean treating some data and apps differently than others.
The democratization of IT and rise of cloud computing has changed the roles of IT leadership and empowered others in business organizations. Insights from behavioral economics can help identify the sometimes-conflicting biases and motivations, more accurately evaluate the risks and rewards, and bridge any potential gaps associated with cloud-enabled digital transformations.