Role assigning and taking in cloud computing

The widespread use of cloud computing (CC) has brought to the forefront information technology (IT) governance issues, rendering the lack of expertise in handling CC-based IT controls a major challenge for business enterprises and other societal organizations. In the cloud-computing context, this study identifies and ranks the determinants of role assigning and taking by IT people. The study’s integrative research links CC and IT governance to humane arrangements, as it validates and ranks role assigning and taking components through in-depth interviews with twelve IT decision-makers and forty-four Information Systems Audit and Control Association (ISACA) members, engaged as panelists in a Delphi technique implementation. The empirical results recognize skills and competencies as prioritized determinants of IT controls, while IT security, risk and compliance emerge as capabilities crucial to evaluate and manage CC service providers. Despite the study’s generalizability limitations, its findings highlight future research paths and provide practical guidelines toward the high technology of open-market IT self-governance. The latter entails the humane flows of collegial control and responsibility, as opposed to the inhumane flows of authority and power, under the sequestered technique of the bureaucratically-hierarchized IT hetero-


Introduction
Cloud computing (CC) has emerged as one of the hottest topics in the field of information and communication technologies (ICT) [68]. Some industry experts predicted that by 2018, more than 60% of enterprises will have at least half of their infrastructure in the CC environment [11], and that by the same year at least half of the information technology (IT) spending will be devoted to CC projects [10]. The rapid adoption of CC by large as well as small scale organizations [63] poses new challenges for CEOs as it requires organizations to transfer (some) IT controls of computing resources to cloud service providers (CSPs) [47].
IT control is a process that provides assurance for information and information services, and helps mitigate risks associated with use of technology [26].
CC users and CSPs have different perspectives concerning the control over the IT resources. In a classical (non-cc) datacenter, organizations govern IT systems by assigning their staff to the internal IT controls. Contrarily, when an organization places selected organizational assets in the custody of a CSP, it cedes control over these assets to the CSP, yet retains accountability for security and regulatory compliances [41]. In this regard, one major issue organizations are facing is the data owner's loss of control in the case of CC migration [37].
CC is creating transformation in the nature of employment [89] that influences human-development resource skill sets and tasks [87]. Technical and managerial capabilities within an organization determine how well CC services achieve the organization's goals and potential competitive strategy. Like many other highly-advanced technologies, CC has the potential to change the nature of IT tasks and the associated skills and efficiency, calling for organizational changes, new tasks and new styles of management [88]. Pioneering business enterprises and other societal organizations need to transform into self-organizing and self-governing societal human systems [27]. A self-organizing business in a CC environment must have the capabilities to change strategic direction by redefining work system and work contents and by creating new opportunities for individual development and career path transitions. Therefore, governance in CC requires a new mindset that would challenge existing IT policies, roles and responsibilities and power hierarchies [4]. In this respect, role assigning and taking in the CC user organization become very important.
The re-identification of the required new tasks, roles and responsibilities in a CC environment is an information technology governance (ITG) exercise, since it involves participative decision-making [60], control, and direction mechanisms [81]. In fact, most popular ITG frameworks, such as control objectives for information and related technologies (COBIT) and information technology infrastructure library (ITIL), advocate for responsibility, accountability, consulted, and informed (RACI) charts for guiding people towards taking on new roles and responsibilities. However, none of them provides guidelines to facilitate this process of self-adaptation for internal as well as for IT controls that have been delegated to the CSP [44].
CC has been examined from various technical and organizational perspectives. For example, Winkler and Brown [84] addressed the assignment of IT decision rights, at the application level, including the governance of applications delivered on premise versus those delivered with a software-as-a-service (SaaS) model. However, research focusing on the elements that an organization can leverage on to facilitate role assigning and taking within CC user organizations remains unexplored in academic and non-academic literature [44]. This has created confusion among CC advocates and practitioners, with the result that CC migration projects are fraught with challenges [70] resulting in many reported failed projects [69; 85]. In particular, lack of focus on human aspects [6], lack of talent [55], and lack of skills have been attributed as some antecedents to many failed CC projects [80].
Consequently, the lack of expertise to handle IT controls that have been migrated to the CC, is now a major challenge [83]. In this regard, there is a trend of identifying, analyzing and suggesting skill requirements for changing IT roles [61]. To address this gap, this contribution plans to identify the elements that would facilitate role taking in a CC context by recognizing the required competencies, tasks and responsibilities. This can eventually set the stage for a participatory or a team decision-making process whereby people can actively contribute towards defining their training and professional development needs as well as taking on responsibility for their career transitions and planning. Eagerness to obtain a clearer picture [66] led us also to determine the ranking of the role assignment and taking elements.
Based on a case study, this research identified the elements associated with the new roles and responsibilities for IT controls in the context of a public CC deployment. These elements are validated using in-depth interviews and then ranked using Delphi technique.

Our contributions include:
 Guidelines for contemporary organizations to guide people towards take on roles and responsibilities associated with public CC-based IT controls.
 Guidelines for IT decision makers to help assess their existing workforces' capabilities and making informed decisions on training and professional development needs as well as on acquisition of new resources and capabilities needed for the success of CC projects. In particular, this research advocates the need for organizations to transition from the traditional bureaucratic "command and control" model of role assignment towards a supportive human system model for role taking.
 Guidelines that can be used by ITG authorities as extension to their existing guidelines to organizations on RACI chart assignments to cover CC-based IT controls.
 New insights for researchers on the significant organizational skills for IT controls, when migrating towards a public CC model. These can guide academics to investigate other unexplored research questions such as a (1) comparative studies of this research topic across different countries and different company sizes, and (2) assessing the risks of inadequate technical skills on CC migration projects.
While this study is important, it is limited to only public deployment model and cannot be generalized to encompass countries of diverse cultures. The remaining of this article is organized as follow: Section 2 examines existing literature to build a set of elements for role assignments, section 3 outlines the research methodology, section 4 discusses the empirical validation and ranking of elements while section 5 concludes the article and provides some directions for future work.

Role assigning and taking components
This article reports on authors' experience in defining and ranking the elements that impact the redefinition of roles and responsibilities for the control of CC-based IT resources. Since true technology is a societal human system [28] and since the topic lies in the nexus of knowledge related to humans and technology/machines, we investigated existing theories related to socio-technical systems. The socio-technical theory [7], technology acceptance model (TAM) [13], human-development resource framework [54] and the task-technology fit model [30] were examined. It was observed that even though these theories were related to the current topic, they could not be used to model roles and responsibilities. Journal articles related to the theories associated with three IS domains, namely organizational theories, CC and IT governance were chosen for their explicit theoretical relevance to identifying roles and responsibilities in the chosen domain of CC deployment (Table 1).

Organizational design (OD):
This domain was chosen because it influences the decisionmaking process [73] including decisions related to the assignment of people's roles and responsibilities [8]. Autonomy is considered to be one of the logical requirements for ensuring effective organization, especially in a rapidly changing environment [21]. Therefore, in a CC configuration, silos within IT and other autonomous business units needs to be broken down to ensure cross functionality [25], leading to a participative role-taking decision-making process. OD helps in channeling organizational roles to meet the business strategy. Migration to CC is an organizational strategy [39]. As a result, we considered the strategic alignment model of Henderson and Venkatraman [35]. However, this model was found to focus more on the role of IT in organizational transformation rather than on role taking. Therefore, widely accepted organizational 'Star model' [23; 24] used for channeling resources [58], was useful in providing assignment elements for our research too. This model has been used by practitioners for identifying the right people to manage innovation initiatives [14], for shaping human-development resource processes [79] and for redesigning activities in organizations [57]. OD was useful in proposing five relevant elements of role assignment and taking namely 'strategy', 'structure', 'rewards', 'processes', and 'people' (see Table 1).
Cloud computing: It is a paradigm shift which involves the "outsourcing" of computing resources to remote data centers [15; 52], away from a "hierarchical" mode towards a "market" mode of governance [56]. From technology perspective, our analysis of the academic and practitioner literature on IT outsourcing and public CC resulted in the induction of eleven elements which have an impact on the assignment of people to roles and responsibilities. These eleven elements are: 'strategy', 'vendor evaluation & management', 'contract management', 'technical competencies', 'negotiation skills', 'performance management', 'knowledge management', 'security management', 'risk management', 'compliance management' and 'conflict management' (Table 1).

IT governance (ITG):
This domain has been explored to identify role elements since the definition of roles and responsibilities of IT controls is an integral component of an ITG decision-making mechanism [60; 74]. ITG is based on three constructs namely structures, processes, and relational mechanisms [32; 33; 65; 82]. Whereas ITG structures and processes correlate with those of Galbraith's Star model, ITG literature helped in identifying a new element, namely 'relational mechanisms' ( Table 1).
Each of the above theories offers a different lens for understanding how organizations may facilitate role taking in a CC context. However, as shown on Fig. 1, some of the elements derived from these three IS domains overlap with each other. Therefore, these IS domains produced 19 elements, where three of them overlap. Aggregating (with redundancies removed) all the elements resulted in a model ( Table 2) with a set of 16 elements for the roles and responsibilities of IT controls in a public CC environment. These are hereinafter referred to as T-version elements.

Research methodology
To test our model, we have followed a two-phased approach involving validation through interviews followed by ranking using Delphi technique (Fig. 2). Since research in the domain of CC is still in its early stages [40], exploratory research was deemed appropriate.
It builds on secondary research and employs formal approaches through in-depth interviews, focus groups, projective methods, case studies or pilot studies [33]. In this respect, we conducted in-depth interviews of IT decision makers in CC and in the ITG domain in the United Arab Emirates (UAE) in order to and rank the T-version elements listed in Table 2. While a case research can be used with any philosophical perspective, we opted for the positivist philosophy as it can explicitly test as well as build theory [16]. In our study, the positivist philosophy is used to get the elements of the model validated and ranked by IT practitioners.
To involve people from various organizational levels, the target focus for validation were IT decision makers working at executive management level. For the ranking of these elements, IT practitioners working at operational level were targeted. Being exploratory research, Delphi technique is found to be suitable for ranking of the elements, as this study involves a new CC technology trend [1; 59] and Delphi technique provides human judgmental input [86], which is suitable for making joint decisions related to people's roles and responsibilities. Even though two to three rounds is not only the norm [72] but also preferred [67], this study planned to conduct rounds until consensus among participants was achieved.

Data collection and analysis
Being theoretical, the T-version elements that emerged through the process of researching the related fields using various sources call for validation via empirical research. The exploratory research leading to a qualitative philosophy directed us towards a two-phased case study approach using in-depth interviews for validation and refinement of elements, and further validation and ranking of elements through a Delphi technique.

Phase 1: validation of role assigning and taking components:
This phase involves expert interviews in a case study setting to validate the T-version assignment elements. This study interviewed 12 IT decision makers from 11 UAE-based large private and/or government organizations that have adopted public CC (refer to Appendix A for the profile of the respondents and their respective affiliations). The Tversion elements were shown to the experts for feedback based on the 'IT control migration' context of the organization that they represent. The interview questionnaire is provided in Appendix B.
Due to the nature of expertise required, respondents at IT decision levels, having related professional certifications and/or have experience on working on CC projects were interviewed. Face-to-face interviews with respondents were conducted over a period of seven months during the year 2015, with each interview lasting an average of 55 minutes.
All interviews were audio recorded except for one respondent (R12) who cited organizational confidentiality as a justification for anonymity. For this case, notes were taken during the interview. For analysis purposes, the audio files were verbatim-transcribed using 'O-Transcribe' and loaded into the qualitative data analysis software NVIVO 10.

Phase 1: analysis
To analyze and interpret the qualitative data, we followed the five-step guideline given by LeCompte [50] namely "tidying up," "findings items," "creating stable sets of items," "creating patterns," and "assembling structures". The collected data were subjected to constant comparison analysis [29] to deductively code data into pre-determined (16) themes. The constant comparison analysis feature of NVIVO was used to generate the word count in terms of 'percentage coverage' (Table 3) which shows the number of characters as a percentage of the total source This word count depicts the positive emphasis by respondents [51] to the identified element. Negative values display the disagreement of the respondent on inclusion of a particular element (displayed in terms of percentages, using NVIVO). Since the content of elements overlap with each other, the combined 'percentage' of words for the particular theme (shown in the second last column) aggregates to 349.7.5%. This figure has been normalized to 100% and re-calculated to reveal the 'true percentage' in the last column aggregating to 100%.
It is evident from Table 3, that 'structure' and 'compliance management' received higher (>10%) emphasis while 'technical competencies' received the lowest emphasis. Only one respondent cited technical competency as a theme by stating that it is only relevant while the organization is still on the journey of migrating to CC. Apart from validating 16 themes of the T-version elements (Table 2), a new theme 'change management' also emerged from the interviews, resulting in a total of 17 elements as illustrated in Table 4.
As stated by the interview respondents, the validated elements were overlapping and inclusive. Therefore, to find the relations among these elements, we conducted domain analysis [78] by choosing a domain (element) first and then searched the data using the semantic relations to find attributes of the domain (or element). Based on the respondents' opinion and domain analysis, we identified the relation between the elements, thereby resulting in the creation of patterns (Fig. 3).
As shown on Fig

Phase 1: discussion
Using an influence diagram, Fig. 4 structures the discussion and depicts the results related to the identification of the elements. The major refinement was the aggregation of the seventeen elements into validated and refined (VR-version) five major elements and ten sub-elements. Figure 5 highlights the importance attributed by respondents to each of these elements. As can be seen, people's 'competencies and skills' has the highest impact. The highest competency and skill required is being able to manage risks, compliance, and security.
To recapitulate, the exploration of the relevant literature provided an initial list of elements for role taking in the context of a public CC deployment model. In-depth interviews helped in validating as well as in refining the elements. Next, we adopted Delphi technique to further validate and rank these elements.

Phase 2: ranking of role assigning and taking components
To rank the elements, Delphi technique was used involving forty-four ISACA members as panelists. ISACA is a nonprofit, independent association that advocates for professionals involved in information security, assurance, risk management and governance (https://www.isaca.org). The panelists reflected varying profiles (one CIO, ten IT auditors, four IT consultants, twenty-five IT management, and four undeclared) with eleven members working in government and twenty in private UAE organizations (the balance did not declare their organization). The panelists were informed about the purpose of the sessions in advance through the ISACA website and emails. To mitigate the risk of ambiguity in the definition of the elements [12], the definition of each element was provided through the questionnaires and further clarified through the presentations. Two Delphi technique rounds were conducted among the panelists.

Phase 2 analysis: round 1
The focus of the round 1 was to re-validate the elements (VR-version, defined in phase-1).
Following other researchers' work [43] [17], this Delphi technique research provided preexisting information (a list of elements (VR version)) to panelists, for re-validation and rankings. These elements were also explained through presentation, followed by the distribution of questionnaire-1 (Appendix C), thereby giving panelists the opportunity to make recommendations to add, change, or delete elements. During the round 1, the panelists agreed with all the validated and refined elements and considered them to be sufficient.
However, six panelists suggested revisiting the title of the sub-element 'change management'. They also suggested by stating: "change management is not restricted to vendor management alone… Change management should be at organizational level". The panelists' suggestions correlated to the response from six interview respondents (R3, R4, R5, R6, R7, R8) who viewed the abilities of people to accept and adapt to the changed work environment as an important organizational element. These comments are also in accordance with Galbraith's [24] views which emphasize the importance of people skills and mind-set to execute the strategic directions of the organization. Therefore, considering the input from the Delphi technique panelists and the interview respondents, we renamed 'change management' as 'mind-set' and we moved it out from 'vendor evaluation & management' to the higher level of main constructs. Subsequently, the 'competencies and skills' element was renamed to 'competencies, skills and mind-set'. The collected data were analyzed, elements modified and a new set of questionnaires-2 (Appendix C) was printed for the round 2.

Phase 2 analysis: round 2
The focus of the round 2 was to rank the modified elements, presented to the panelists, thereby enabling them to see the anonymous collected opinion of the group. Questionnaire 2 was distributed among the panelists who were asked to rank the elements in term of importance, using a Likert scale. The panelists were, also, requested to assign weights to each element and sub-element. The purpose of using the Likert scale ranking was to measure the degree of consensus between the panelists and therefore leverage Kendall's coefficient concordance [75]. Data were typed in the pre-prepared excel sheets, analyzed and the new rankings were calculated for each major element and sub-element based on the statistical average of the panelists and the empirical estimates of ratings.
Using the assigned weights and applying statistical aggregation, new ratings and rankings were calculated for each element as shown in Table 5. In the table, column 1 shows the average ranking given to each element by the panelists, and column 2 shows the average percentage weights given by the panelists. Column 3 shows the average weights given by interview respondents, and column 4 shows the average ratings of columns 2 and 3. Consequently, based on column 4 ratings, new ranks were calculated as shown in column 5. As an example, for the 'competencies, skills & mind-sets' element, the average percentage assigned by the panelists was 48.4%, while the average percentage assigned by the interview respondents was 57%. The average of these two resulted in an overall-average of 52.7%. Based on this result, 'competencies, skills & mind-sets' retained its first rank (in terms of importance) in the elements (VR-version).
Round 2 results were shared with the panelist through the subsequent presentation and printed forms. This was done to provide panelists with feedback regarding the ranked elements, thereby complying with Goodman's [31] guidelines to keep the panelists informed about the current status of their collective opinion. Using Schmidt's [75] interpretation of Kendall's W coefficient, the level of consensus of 0.79 in the first section and 0.84 in the second section and 0.89 in the third section indicated a strong agreement among the panelists on the element's rankings. According to Bell [5] data are unreliable if the results of questionnaires show varying answers. Kendall's W coefficient results provided a good degree of consensus among panelists, giving confidence in the reliability of the results and providing reason not to go for a third round.

Phase 2: discussion
Kendall's coefficient concordance [75] was used to measure the degree of consensus among the panelists. Satisfyingly, the consensus was achieved within two iterative rounds resulting in the modification and ranking of the elements as shown on Fig. 6. A significant finding in this phase of the empirical study is the higher emphasis on the 'technical competency' requirements which differed from that of the interview respondents. This finding was also reflected in comments of the panelists, as one of them stated that "reasonable in-house technical knowledge is a must" and another one believes that "people's competencies and skills have more impact (on roles and responsibilities assignment)". Another panelist commented that the degree of reliance on technical competencies depends on the size of the organization. According to him, as smaller organizations tend to have less technical skills, they rely heavily on CC vendors' advice.
This aspect was re-iterated by another panelist who stated that "technical skills being inadequate with small companies, therefore too much reliance is placed by them on vendors. …whereas in large organizations in house technical skills are strong and mature".
Therefore, in a CC environment, where IT controls are migrated and managed by the CC provider, technical competencies are still required. However, this requirement seems to be less important for smaller organizations which mostly rely on the CSP expertise. Ergo, the final validated, refined and ranked elements termed as elements (VRR-version) are recompiled as shown in Table 6.
The resulting validated elements will aid in managerial decisions to identify the required skills and competencies for IT controls in a CC environment. While the researchers have described people's 'competencies, skills & mind-set' as critical for achieving the strategic direction of an organization [24], the empirical study re-established them as the decisive elements in role taking, with the maximum coverage (52.7%). Interpretation of the interview respondent's statements revealed that the highest (71.9%) desired competency and skills for IT controls are the ability to evaluate and manage CC vendors, particularly in terms of risk, compliance, and security. Contrary to the literature, which states that people need profound 'technical competencies' for integrating CC resources with internal systems [49], this study indicated that CC vendors take control of the technical part of the CC, replacing people's technical competency requirements with business skill requirements.
Those who supported the inclusion of technical competencies attributed a much-diminished weight (7%) for this element, stating that technical competencies are needed while the organization is still in the process of migrating towards a CC deployment model.
The structures (18%) within an organization determine the location and distribution of power [24; 65], the type and the number of job specialties used in performing the work.
Researchers [24] as well as interview respondents correlated the task assignment to the number of people in the department at each level of the structure. According to five respondents, CC will not only reduce the necessary number of IT professionals in the organization, but also acts as a catalyst to facilitate the relocation of people to different departments or to expose them to new career paths. Protean is taken from the Greek sea-god Proteus (Πρωτεύς) who is capable of changing his shape at will.

Conclusion and suggestions for future research
Organizations are pursuing technological scalability by embarking ICT, such as CC. One critical pre-requisite for a plan of technological scalability is the emergence of new governance models [76]. While numerous ITG frameworks, standards, and best practices exist, to date ITG authorities have not come up with guidelines for identifying roles and responsibilities in a CC environment. Theoretical and empirical studies revealed that people's assignment to IT controls in a CC environment (as well as in a non-CC environment) is being done on a subjective and ad-hoc basis with little consistency across sectors, regions, or organizational sizes. Therefore, motivated by the lack of organizational guidance, this research identifies the elements that impact role taking for the control of IT resources within public CC user organizations. We have empirically validated these elements by interviewing IT decision makers and, then, ranked these elements with the assistance of IT practitioners, using Delphi technique. This research has highlighted 'people's competencies, skills and mind-set' at evaluating and managing CC vendors as the dominant element. The ability to 'evaluate and manage CC vendors', particularly in terms of 'risk, compliance and security management' emerged as the highest desired competency. In addition, this study revealed that smaller organizations do not depend much on their internal technical competencies as they have tendency to tap into the CSP expertise. Another significant finding is that staff in the CC user organizations needs to possess significant business competencies to manage CC-based IT controls.
This set of ranked elements is an innovative initiative that can be applied to ITG frameworks while ensuring consistency, uniform control, and compliance. Our empirical study contributes to both ITG research and practice by reducing the gap between these two fields in order to guide managerial actions towards establishing IT-centric governance arrangements to match the CC-based enterprise architecture. The findings contribute to the practice of managing IT controls in public CC by providing guidelines to empower IT decision makers and employees to make informed decisions about training and professional development needs and role taking. It also provides guidelines to ITG authorities and policymakers to comprehend good practices related to people's skills and competencies in the context of a CC deployment model. This research suggests that, in the context of a new organizational paradigm, our empirical findings can assist organizations to share the identified skills and competencies among its workforce. This can potentially create a participative approach among employees for the purpose of identifying training, personal and professional development needs, as well as for making better informed decisions about role taking, career transitions and career path planning. Hence an esoteric implication of this contribution is in the fact that CC entails a "paradigm shift" from the traditional role assigning model (based on bureaucratically-hierarchized IT hetero-governance) towards a role-taking model (based on a supportive societal human system of open market IT self-governance).
Based on a case study in the UAE, our approach lacks some generalization and therefore some caution is required in interpreting the results. For instance, because national culture has been found to have a substantial effect in IS studies [53], generalizing these results to other cultures is encouraged. This study therefore advances academic research in the area of ITG by paving way for further qualitative and quantitative research to conduct a global study, including hybrid CC deployment models and encompassing several countries. Tables   Table 1. Theoretical background for role assignment and taking   Theoretical  perspective   Implications for role and responsibility  assignment Elements Sources

Organizatio nal theory
This model emphasizes that people's roles within an organization depend upon the strategy adopted by the organization (whether to build internal capabilities or to exploit external capabilities); Roles and responsibilities also depend on structures that determine type and numbers of job specialties used in performing the work; the number of people constituting the departments at each level of the structure; distribution of power; and basis for forming departments at each level of the structure; It emphasizes the role of processes, which are defined as connected set of activities that show the movement of information; This model emphasizes the importance of people's competencies, skills and mind-set required to execute the strategic directions of the organization; According to this model, people are rewarded when they take over motivating tasks.

Security management
 Competencies to handle security concerns in public cloud where services can be used by competing clients and where the number of cloud users is much higher.  Competencies to handle cloud security concerns like information assurance, data privacy, and ownership issues arising in public clouds due to the risk of an unauthorized data disclosure and lack of user control on client data.  Competencies to ensure the deployment of data privacy mechanisms by CSPs that are compliant with the regional legal regulations.     Competencies to identify and manage all potential critical, legal, and compliance-related risks associated with the cloud.
Competencies to ensure compliance with internal as well as external policies, regulations, and accountability mechanisms when operating in the cloud.
Competencies to evaluate cloud vendors to ensure deployment of security mechanisms related to information assurance, data privacy, data confidentiality, ownership, and technology-related issues.

Contract management (12%)**
Skills to develop and manage contracts for effective SLAs, pricing, access rights, data ownership, risk management, and to ensure the availability of data and reports.

1.1.3
Performance management (9.5%)** Competencies required for setting quality levels, monitoring the vendor against the SLAs, and rating their performance.

Knowledge management (7.8%)**
Skills to share knowledge between cloud users and vendors in both directions, building trust that will result in improved commitment and better overall results.

Technical competencies (7%)**
Competencies to coordinate with the cloud vendor to implement/integrate the cloud services with the existing systems.

Negotiation skills (6.5%)**
Skills to negotiate the contract terms to ensure the rights and obligations for both parties.

Conflict management (3.5%)**
Skills to assess and avoid any negative impact from establishing new business ties or terminating existing business with a cloud provider.

1.2.Processes (23.8%)*
Competencies to handle different sets of processes that cross departmental and organizational boundaries.

1.3.Mind-set (4.3%)*
Ability to handle challenges, and readiness to adopt the new technology.

Structures (18%)
Roles and responsibilities assignment is based on the location of decisionmaking power and authority that establishes the reporting relations, power distribution, and communication channels.

Strategy (14.7%)
IT strategy which is in alignment with business objectives will define whether to build capabilities (like skills, processes, technologies, people abilities) internally or to exploit external capabilities. It defines the tasks to be performed.

Rewards (8.7%)
People are rewarded by being allocated to cloud-related tasks, so as to give them opportunity for growth, motivation, recognition, and the challenge of learning new technologies.

Relational mechanisms (6%)
Roles and responsibilities assignment depends on building interpersonal and collaborative relations among units and organizations.     Round-1 -Elements explained through presentation -Elements re-validation using questionnaire-1 Instructions: Elements will be shown to the interviewee and rest of the questions will be pertaining to the elements that can be used to allocate roles and responsibilities of IT controls that have been moved to the public cloud.

Strategy
Defines whether to build capabilities (like skills, processes, technologies, human abilities) internally or exploit external capabilities. Strategy of an organization leads to the tasks to be performed.

Structure
Type and numbers of job specialties used in performing the work (Specialization). Number of people constituting the departments at each level of the structure (Shape).
Distribution of power -either to the department dealing directly with issues critical to its mission, or centralization or decentralization of this authority.

Processes
Type of Information and decision processes (vertical or horizontal) that may cut across the organization's structure.

People
Fundamental set of competencies, skills and mind-sets required from employees at all levels.

Rewards
Motivating people to perform and address organizational goals. Offering nonmonetary rewards such as recognition or challenging assignments.

Relational mechanisms
Collaboration, relations, teams, networks, integrative roles and matrix connections building attributes to build interpersonal and collaborative relations among units and organizations.

Risk management
Competencies to identify all potential risk that may be associated with critical assets like intellectual property, personally identifiable information etc. that will be stored with the CSP.

Compliance management
Knowledge of internal and external organizational policies and ensuring the maintenance of same compliance, even when operating in Cloud. Knowledge of national and international regulations that constrain the flow of information and mandate the vulnerability assessment of data in the public/hybrid Cloud.
Competency to assist holding cloud (and other) service providers accountable for how they manage personal, sensitive and confidential information in the public/hybrid cloud. 8. Do you want to add any element? 9. Do you want to delete any element?

Security management
Competencies to handle security concerns in public/hybrid cloud where services can be used by competing clients and where the number of Cloud users is much higher. Competencies to handle Cloud security concerns like information assurance, data privacy, and ownership issues arising in public/hybrid Clouds due to the risk of an unauthorized data disclosure and lack of user control on client data. Competencies to ensure the deployment of data privacy mechanisms by CSPs that are compliant with the regional legal regulations.

Vendor Evaluation & managemen t
Skills required for handling activities to evaluate and select vendors.

Contract Development
Skills to structure contracts for effective pricing, access rights, data ownership, risk management and for ensuring the availability of data and reports. Specific service level agreements (SLA) can be added to the contract.

Technical competencies
Competencies to evaluate the on-demand, self-service cloud based solutions, coordinate, implement and integrate the cloud services with the existing systems to create new opportunities and to reduce cost.

Negotiation skills
Skills to negotiate the contact terms to ensure the firm's rights and obligations for both parties.

Performance management
Competencies required for setting quality levels, monitoring the CSP against the SLAs and rating the CSP performance

Conflict management
Skills to assess and avoid negative impact of establishing new business ties or terminating the existing business with a CSP.

Knowledge management
Attributes required for sharing or transferring knowledge with the CSP, to build trust which will result in supplier improved commitment and thus better results.

42
Questions regarding suggestions for the improvement of the elements 10. What are your views regarding the use of these elements for the assignment of people's roles and responsibilities of IT controls in a public cloud? 11. What are the weaknesses of this list?
12. Do you think an organization would benefit from these elements?
13. How can we improve them?
14. Any other feedback/comments on the elements and their definitions?

Case Interview # X (CI-X)
Date: Time Started: Time finished: Location: Setting (Noisy/Quiet): Impression of how well the interview went: