Clients should have clear expectations of a cloud SLA, and if a provider falls short, they must be held accountable. Equally, clients have a responsibility to understand what the SLA does and does not cover, so they know exactly what they are purchasing.
Too often, disconnects arise when procurement teams negotiate contracts without fully understanding the operational requirements, leaving IT and security teams with an SLA that doesn’t meet their needs.
Outsourcing is sometimes approached purely as a cost-saving exercise, rather than a way of improving service quality. This mindset can lead to superficial comparisons across providers, chasing the lowest price rather than focusing on value. Inevitably, compromises follow.
To avoid this, buyers must carry out proper due diligence and identify the SLA’s true “must haves” versus “should haves.” Overloading the SLA with every requirement risks demanding a “gold service” that few providers can meet. On the other hand, accepting too many compromises increases risk, so organisations need a clear understanding of their risk tolerance.
It’s also critical to align the SLA with business objectives. What is the organisation trying to achieve with the new platform? What is the minimum viable product (MVP)? Everything beyond the MVP is a “nice to have.”
This requires decision-makers to not only understand risk but also to articulate it effectively and plan how to manage it. Risk management doesn’t always need to be technical—non-technical controls and governance can also play a major role.
Often, this process highlights an organisational disconnect: procurement may be expected to eliminate risk, which is unrealistic. Eliminating risk is not the same as managing it.
By definition, adopting new, innovative, or untested technology carries risk, but it also carries potential benefits. Organisations must weigh the risk against the possible upside: improved efficiency, better client service, enhanced staff support, or greater agility.
When advocating for innovative platforms, IT and security leaders should reframe the conversation. Instead of only asking, “What is the risk if this fails?” they should also ask, “What is the reward if this succeeds?” This balances the discussion and helps decision-makers see the potential value alongside the risks.
To successfully adopt new technology while minimising regulatory exposure, IT and security leaders need to work closely with risk managers.
Risk professionals can help define the organisation’s risk appetite and tolerances, ensuring risks are managed, not simply minimised. Too often, risk management in cyber security is framed around risk reduction at all costs, which stifles innovation.
By integrating risk managers into procurement and decision-making, organisations can strike the right balance: enabling innovation while staying within acceptable risk boundaries.
