Cloud leadership: the Guardian

A recent LinkedIn post asked people to suggest two words of advice they would give to someone starting out in their career. I immediately knew which two words I would choose: ‘Don’t Panic’. As well as welcoming any opportunity to recognise the work of Douglas Adams, I believe that these words are relevant to all business circumstances. I can think of many challenges, crises, setbacks, failures and genuine disasters which I have faced throughout my career and, while most of them needed energy and urgency, I can’t think of a single one that would have been improved by panic. 

I think that these two words should be the motto of one of the seven key leadership roles for Cloud transformation: the Guardian. The Guardian is the person who thinks about all the things that could go wrong, and how to protect their enterprise from those circumstances. They are also the person who understands that risk cannot be eliminated, only managed, and that risk mitigation measures have a cost to the enterprise, often expressed in impacts on speed and agility, as well as cost.

I believe that the role of the Guardian is one of the hardest roles to perform effectively, partly due to common misconceptions. Some enterprises still hesitate to adopt Cloud because of concerns about risk, security and privacy. Even within enterprises which have made a strategic commitment to Cloud, risk, security and privacy teams are often unjustly seen as blockers - as imposing constraints and controls which inhibit the benefits the enterprise is seeking.

The role of the Guardian is to dispel these misconceptions. If the Guardian gains and expresses a deep understanding of Cloud, normally in partnership with the Architect they can demonstrate that the fully architected, software defined, API driven, pervasively instrumented nature of Cloud platforms enables them to be secured to a level which is rarely possible on-premise. Similarly, the Guardian can make informed choices about how to use the distributed nature of hyperscale platforms to achieve levels of physical separation and resilience greater than can be achieved with traditional infrastructure. Finally, they can also consider and address hard questions about the risks that go with strategic dependence on external providers.

However, the Guardian cannot and should not try to carry this load alone. Risk and security positions can often feel lonely: you may be perceived as the killjoy who says no when people want to take risks that they don’t understand - but at the same time, you are sure that you will carry the blame if those risks result in breaches, incidents or failures. The Guardian stands the greatest chance of success when they share their understanding of risks with others - as well as the decisions about what to do about those risks. The Guardian should aim to create an environment of empowered, informed, shared decision making. They should work closely with the next role we will consider: the Educator.

The role of the Guardian is not just hard to do, but hard to fill: you will need someone who knows how to measure and balance risk, who is willing to get to grips with technology, and who is keen to engage, explain and educate. However, this person may already be in your organisation, may already be protecting you, and may be ready for new challenges and new skills.