What’s Your Risk Appetite?

Let’s get some dinner

In European history, the first restaurant was opened in Paris in 1765 with a single dish (sheep’s feet simmered in a white sauce). In eastern history, the first restaurants opened in around 1100 A.D. in China in a number of different cities. Either way, we can all agree that restaurants are an integral part of most cultures now because, simply put, people need to eat, and sometimes you really don’t want to cook.

Why should IT be any different? At the Cloud Security Alliance, we currently use just under 100 cloud-based vendors. The reason is simple: we want email, collaborative document editing, chat, video conference calling, calendar scheduling, accounting, payroll, authentication, content delivery, web service hosting from PaaS to SaaS on multiple platforms, and more. If we tried to build and run this all in-house, we’d need over a dozen full-time employees to set up, manage, back up, and otherwise operate it. And we’d probably do a much worse job than most cloud providers.

The parallels between restaurants and cloud providers are striking. Most of us can cook. Most of us can’t make 100 plates of food and have all the food come out at the right time, still hot. Compare this to a restaurant where you can have a Poissonier (a cook that just does the fish, nothing else). A restaurant can practice a dish and get it exactly dialed in. I watched a documentary on a Japanese chef who owns several restaurants. He visited one of his ramen bars to do quality control and he had them make the ramen noodles 9 times in a row before he was satisfied with the result. On the other hand, I mostly just boil stuff until it starts to get soggy and then I stop.

The risks are comparable: when you go to a restaurant you’re giving up a lot of control, but that’s ok because, like cloud providers, there’s a lot of choices and public signals that let you determine if it’s safe to eat there or not. There’s the health code and regulations, many jurisdictions now make health inspection reports public, and there are Google and Yelp reviews. There’s also a literal army of health inspectors in much of the world, and while it doesn’t always work perfectly (e.g. search for “restaurant shut down due to health code violations [name of your city]” it works well enough that we’re not experiencing massive amounts of food poisoning.

In the cloud space, we have comparable standards: STAR, SOC1, SOC2, SOC3, various ISO standards, SOX, HIPAA, etc. If you look at the larger, more mature cloud providers, their compliance strategy is simple: get all the certifications because it’s cheaper than arguing with customers that a comparable standard can be used instead of the one the customer wants.

One final weird parallel: people hold restaurants to higher standards than their home-cooked meals. You wouldn’t eat at a restaurant that doesn’t follow health code, but I bet the last time you checked the internal temperature of your fridge (to make sure it’s safe) was, well, never. I know I never have (I’d know if my fridge isn’t cold enough because my milk would be off, right?). Why not just pay someone else to take care of all that? Like anything in life, we can’t fully eliminate all the downside risk, but we can balance and optimize the downside risk against the upside risk, and much like a perfectly cooked meal, the right cloud provider can be a great experience and well worth going out.