You did of course, as a professional CIO, take precautions.  You were diligent in your selection of the cloud computing services most suited to your operations.

You were delighted at the heady mix of low cost and high performance that provided you with new freedoms to confound those who’d always positioned your department as ‘the last refuge of the unimaginative’.  Consistent methodology was your badge of honour.

Being very responsible, you were well aware of the risks of travelling alone in ‘cowboy country’. The risk assessment paper, an annexe to the impact study, will still be found by the audit team neatly filed at the end of the investment case that the Board had approved back early in 2010.

All manner of likely or unlikely risks were listed, assessed and addressed.   Only one escaped attention.  Only one ‘what-if’ risk scenario sneaked past your brainstorming team.

Hindsight vision is always 20/20 perfect, and, in retrospect, the company’s policy change was inevitable.   Part of the attraction of Cloud Computing – the freedom to do things differently – would inevitably lead some to do things badly.

The impact might not have been so bad if that unfortunate ‘Lapse’ that triggered calls for new and tougher regulation had happened before ‘Debt-cut-2012’ – the much-heralded IMF-inspired, G20-approved, global deregulation of controls on overseas information repositories.

Despite the regulatory lessons of the 2008 crash, indeed because of the need for recovery, the political heat had been turned on any blockages to global economic growth and a renewed determination to deregulate ‘unnecessary’ restrictive practices or limitations to ‘free’ markets.

And for your business, software engineering and fine-tuning the cog-wheels of public sector efficiency, the challenge could not have come at a worse time – just at the completion of a tough three-year transition to Cloud Computing.

The rational argument, that ‘The Lapse’ had absolutely no direct connection or relevance to your operations or your own stringent standards, would not prevail.  The uncomfortable but undeniable fact that someone, some half-brained amateur in some distant somewhere, had totally trashed the personal medical records of 15 million people and, it now appears, lost control of their credit card accounts, gave the politicians, tabloid editors, TV shock-jocks and the twittering bloggeratti a field day.  Something, they said, must be done.

There had been a time (before the Digital Economy Bill) when debate and careful consideration would prevail before knee-jerk legislation was formulated.  The great irony was that the very same capability for Cloud Computing that allowed ‘The Lapse’ had also enabled global expansion of new types of ‘unsocial networks’ – rampant raging forces that the established democratic governmental processes found difficult to address.  Self-regulation was once again proven selfish; the essence of de-regulation (Advanced Wishful Thinking) had escaped the bottle.

It was inevitable, given the prevailing wind, that your policy (and let’s be quite clear about this; it may have been approved by the board but, as the architect of heroic growth, it was your policy) would come under intense scrutiny.

Questions, questions, questions – and no little panic. What will be the impact of the new emergency regulations?  What can we do to prove beyond all doubt that our operations are safe ?  How can we now re-build customer confidence?   What should we have done differently ?   What are the operational assurance fall-back positions ?   Can you recall why, by the way, the board vetoed the 2010 budget for engaging in global standards forums?

These questions need very careful consideration and, as the Chairman put it, “I’m sure you’ll understand that your successor will want to know that she can call on you to give every assistance at this difficult time.”

__________________

Written in January 2010 and with minor revisions April 2010.