This entry was originally published on the CloudSource blog in January 2012

In part 3, I talked about the importance for the CIO to become a strategic service broker. I mentioned the CIO will have to decide whether a service resides within the enterprise or is sourced from a public cloud. Let’s take a moment to look at the type of criteria to use in making such decision.

A couple years ago I heard Geoffrey Moore speak about “core versus context.” This is how he defines core: “My analysis in a nutshell is that core activities are those that increase the sustainable competitive advantage of a company. Core activities create value for customers in a way that is hard for competitors to replicate, and by doing so increase the market power of the company. Investors notice this, and reward the company with a higher stock price.” (I found the quote back on Roland Tanglao’s Weblog, the original document no longer seems available)

Obviously Moore recognizes that in the current world, core activities do not remain core very long as successful enterprises are often copied by others. Actually in a recent interview, he adds one important element: “Core is what allows a business to make more money and/or more margin, and make people more attracted to a business than to its competitors.  Core gives a business bargaining power: it is what customers want and cannot get from anyone else.”

And obviously, context is everything else.

Core services

So, my first rule of thumb is that core services should be kept internal. Indeed, even if we recognize competitors will try to mimic successful processes and approaches, we should make it as difficult as possible for them to do so. The “secret sauce” should remain secret.

This brings us back to the governance we discussed in part 3. Indeed, business and IT should jointly agree which services are core for the enterprise. This implies they understand what makes the company different and what attracts the customers. The processes and IT functionality supporting those activities is also core.

One more aspect to look into is that data may be core. Indeed, enterprises may gather and combine specific information elements, providing them a unique view of the way their customers behave for example. Such data should be considered core and treated in the same way as core services.

Context services

Does this then mean that all context services are delivered through public cloud service providers? That’s a little too fast as there are other aspects (technical, legal, security, etc.) that may require the service to be provided by the IT department itself.

So, rule two is that services using core data should be treated in the same way as core services, even if they are very standard in nature. This does not mean that the IT department has to develop those services. It might be able to acquire the appropriate software, but they should run within the IT environment. The only exception is if the data can be transferred to an external service provider and used by the service in a fully secure manner. Virtual private clouds may address such requirements, unfortunately, at the moment, most do not provide SaaS type services yet.

Rule three, for any other service, start from the point of view you will use a public cloud service provider, and then review if it is feasible from a technology, legal and compliance point of view. This will change your perspective and allow you to take what is probably the best decision for the service.

In a blogpost from 2008, titled “Proofpoint: Security, Compliance and the Cloud,” Eric Goodwin points out: “By outsourcing context applications such as email archiving to a SaaS provider, the burden on internal resources can be relieved, allowing them to focus on core systems and activities and ensure those systems are constantly improved and running at peak performance. At the same time, the customer benefits from the economies of scale, constant upgrades and high level of service that a SaaS provider can offer.” I tend to agree with him; however, his example of email archiving may not be the best one.

It will actually allow me to illustrate rule three. Indeed, in transferring email, there are a number of aspects that need to be taken into account. In particular, the legal elements have to be understood. Email contains privacy data, so, in which geography will the archive be stored? Who will own the email data once it’s stored there? Such aspects should not be forgotten. Actually, I always suggest companies to have a discussion with their lawyer prior to migrating email to the cloud. Lately BAE Systems refused to migrate their email to Office 365 due to legal concerns.

Conclusion

Technology is moving fast. The law takes its time to adapt. So, at the moment we have a discrepancy between a global IT landscape and local laws. This limits what should be done. In many situations, no ruling has yet taken place, so the interpretation of the law remains unclear. That’s why, in embarking on the decision of what services to keep in-house, reviewing decisions not just with the business, but also with the legal team is important. Remaining compliant is critical for successful companies. The last thing they want is a compliance scandal as it may ruin their reputation.

Core versus context is a good starting point to decide which services and data to keep internally. But other aspects have to be taken into account. The CIO, with his/her deep understanding of cloud, is critical in helping the company make the right decisions.