A successful digital strategy should be central to the wider organisational vision and strategy. Many organisations are now developing 'cloud strategies'. However, management should guard against their vision being led by specific technological solutions. Management should first develop robust organisational and digital strategies and establish a clear view of their technological requirements. Smaller bodies may find it beneficial to engage the expertise of service companies to help them understand and navigate the various options.
Questions audit committees could ask:
• What are the priorities for the digital strategy? Does the digital team have a clear understanding of the operational realities? Are operational experts committing time to supporting the digital team to develop their strategy?
• What are the technical requirements? Has the organisation considered which type of cloud solution (infrastructure, platform or software as a service) is most appropriate? Will every location from which users access the service have sufficiently fast and reliable internet connectivity for software as a service to be viable?
• Is the complexity of legacy system issues really understood? Has the organisation thoroughly investigated the challenges involved in migration and configuration, such as moving a bespoke system onto a shared platform? Does the digital strategy include a risk assessment of the degree of change involved, including personnel considerations? Is there a strategy for retiring legacy systems to avoid the costs of supporting old and new systems together for extended periods?
• Will best practice be followed in respect of security? Has the organisation followed the NCSC cloud security principles before committing to using cloud services? Does it have an in-depth plan for how cloud services will interface securely with existing services, systems and processes?
• Are private cloud, public cloud, and on-premises options all considered? Does the organisation have a strategy for the use of cloud services, based on a clear understanding of the implications for personal data, privacy and consent? Is the organisation aware that most cloud providers do not accept liability for their clients' data?