Cross-posted from the ISACA Now Blog:
“This is the song that doesn’t end.
Yes it goes on and on, my friends.”
– Lewis, S., “The Song That Never Ends,” Lamb-chop’s Sing Along, Play Along, Norman Martin Music, 1992.
When I think of technological progress, in a lot of cases we are seeing new views and takes on existing ideas. Ideas keep coming back around, just like “The Song That Doesn’t End.”
Take virtualization and cloud computing. Cloud computing often touts a “pay as you go” model where you run cycles on someone else’s hardware. This is the model many an organization ran with for their mainframes and similarly sized computing devices. A classic example applicable to auditors and IT security folks is found in the Cuckoo’s Egg by Clifford Stoll. Stoll happened onto an international intruder due to a small (less than US$1 dollar) accounting error on just such a platform. That was in 1986.
As auditors, we can use this to our advantage when coming up to speed on new technology, new techniques or new anything in information technology. The first thing to do is see if we have a re-implementation of an older idea. If we do, then chances are we have a good idea of how to begin auditing that new technology.
Approaching new technology with the mindset of looking to see what it is already similar to what we already know accelerates our ability to learn the new technology and provides our organizations with services on said technology. It also reduces a lot of the fear factor for us. After all, the technology implements concepts and ideas we already understand.
Editor’s note: For further insights on this topic, read K. Brian Kelley’s recent Journal article, “Innovation Governance: In Everything New, There Is Plenty of Old,” ISACA® Journal, volume 1, 2020. (ISACA membership required to view the article)
Databases - Infrastructure - Security 
Mar 11, 2020 @ 17:23:56
While back in the mainframe days we had things like tso (time sharing option) where cycles were shared with other subscribers, the difference is the mainframe was still a capitalized expense within the organization where individual departments were charged by the compute-hour. I don’t know of any companies that leased time off of an infrastructure vendor. The cloud is a different model because there is ZERO capitalized cost to the business. So your analogy breaks down quickly.
The analogies you make also break down in other places. 1)Many organizations do not “PAY/GO” in the cloud but instead have enterprise subscriptions or get deep discounts for pre-purchase or spot pricing. This allows a business to think about how to pay for a project. 2)Cloud enables fast time-to-market: I can worry about solving a business problem, not infrastructure. And if the project fails I have no capitalized expense. This allows companies to try new things and fail fast. Note that all of the startups wall street adores do cloud. It’s faster. 3) Cloud is a platform, not infrastructure…if you are doing it right. I don’t want to build stuff in VMs or on mainframe. I want platforms that I can rely on that solve just what I need. Kubernetes-as-a-Service. Terraform. Serverless. Data Lakes. These are platforms that I can use to build things quickly without having to worry about patching servers or learning how to install and secure a shared JupyterLab cluster.
Using the analogy of “the cloud takes me back to 1972 where I lease compute time” is similar to saying “the web takes me back to dumb terminals and a mainframe”….these are platitudes that superficially appear true but don’t really get to heart of the “disruption” these paradigm shifts bring to us.
Mar 11, 2020 @ 17:40:48
I think you missed the fact that it was addressed primarily to auditors.
“As auditors, we can use this to our advantage when coming up to speed on new technology…”
How’s it capitalized isn’t exactly relevant in hot to develop controls and how to audit the system. Understanding that as a model, cloud computing is similar to mainframe time sharing (and I am far from the first to make this reference), you can tweak an existing audit method rather than building something from scratch is key. Especially if you are an IS auditor retooling.
Mar 11, 2020 @ 17:50:40
I didn’t miss that fact. What I’m saying is that your “model” which equates cloud to mainframe is superficial. And yeah, you aren’t the first to make that analogy. And that, IMO, is a terrible analogy. We do a disservice by repeating it. While the analogy is nice as a jumping-off point, auditors would be well-served to understand “why it’s different this time”…whether that is the finance auditor understanding the new cloud expense model or the risk auditor understanding how cloud time-to-market affects new IT projects.
Mar 11, 2020 @ 17:56:54
From an audit and controls perspective a significant amount is analogous. Certainly there are adjustments to be made and a good auditor will take the time to understand the details.
However, we often take concepts in IT that folks are familiar with and use them as a starting point to have a framework to understand what is new. That’s all anyone is doing when they start with the mainframe analogy. That doesn’t dispute that the cloud is a fundamental shift. Nor does it alleviate the requirement to spend time understanding how it is different than the starting point. But it begins the frame of reference, the jumping off point. And there’s great value in doing so.