Techaisle Survey: Governance Challenges Hinder AI and Cloud Adoption in SMBs

Techaisle's SMB and Midmarket security adoption trend survey research underscores the critical role of governance in today's complex IT landscape. The findings reveal that 36% of organizations identify a lack of governance as a significant impediment to successful AI project implementation. Additionally, 42% cite governance as a barrier to adopting cloud communications solutions. These challenges highlight the need for robust governance frameworks. Encouragingly, the survey also indicates a strong emphasis on security, with 58% prioritizing governance, risk, and compliance as essential components of their overall security strategy.

In the SMB context, "governance" is a concept akin to "taste" in interior design or "sustainability" in supply chains: universally acknowledged as essential but notoriously challenging to define. What is clear is governance's crucial role in safeguarding SMB interests, encompassing risk mitigation, regulatory adherence, and brand protection. It represents the collective vision of an organization, shaping its interactions with customers, partners, and the public. The term "governance" is often appropriated by IT departments, leading to discussions around IT, cloud, or data governance, obscuring its broader organizational implications.

Leading SMBs are benefitting from thinking about management issues first and then developing positions that guide governance decisions. They study the usage patterns of cloud and ‘shadow AI,’ or user-managed applications and storage that may not align with corporate security policies. It is possible to state that any use of cloud or AI user-managed IT services needs to adhere to these policies, but the reality is that they may not. This doesn’t mean that the use of cloud and shadow IT should be banned – the cloud is an important IT service delivery option, and to some extent, shadow IT reflects innovation within the business.

It is crucial that security technologies and processes are designed to align with corporate governance policies. For instance, attacks from hackers or exfiltration of corporate data caused by lost laptops or smartphones (or via malicious employees) often aren’t covered by specific governance policies within an SMB. However, these events represent risks that most SMB executives consider unacceptable. Here, the staff member (or supplier) responsible for IT security needs to be sure that the technologies and processes put in place will provide the level of protection required to adhere to corporate governance policies.

When the answer to “AI?” is ‘yes,’ what is the next question? It appears the answer involves ‘governance.’ In most cases, there is no real debate about whether AI will be used. AI is being piloted in a clear majority of businesses today, and in fact, many SMBs and Midmarket firms are moving to an “AI first” mandate. Legacy issues around security and data privacy still demand attention, but for the most part, the debate around AI management has evolved to a discussion of how AI use and expansion should be governed.

SMBs are increasingly relying on specialized GRC (Governance, Risk, and Compliance) platforms to navigate the complex regulatory landscape. As the volume and complexity of compliance mandates surge, small and medium-sized businesses find themselves overwhelmed by the need to manage risks, protect sensitive data, and demonstrate regulatory adherence. To address these challenges, SMBs are turning to vendors like OneTrust, Drata, and Vanta, which offer user-friendly, cloud-based platforms designed specifically for their needs. These solutions streamline GRC processes, automate tasks, and provide the necessary tools for risk assessment, policy management, and compliance reporting. While larger enterprises often utilize robust platforms like Archer and IBM Guardium, the growing sophistication of GRC requirements has made these solutions increasingly accessible and valuable for SMBs as well.

Techaisle data also shows that 28% of SMBs are qualifying suppliers based on their governance policies and capabilities. Effective supplier governance is critical for SMBs to ensure their security solutions align with organizational objectives and mitigate risks. The complexity of the security landscape, with countless vendors and product categories, presents a significant challenge. While a 'best-of-breed' approach, sourcing individual products for specific threats, might be appealing, the practical reality for SMBs is often a consolidated solution from a core vendor. This strategy simplifies management and reduces integration complexities.

When selecting security suppliers, both IT and executive teams must collaborate. IT can evaluate vendors based on technical specifications, certifications, and service-level agreements. However, executives bring a broader perspective and should assess the supplier's market reputation, leadership position, and ability to deliver long-term value. A supplier's involvement in industry standards and collaborations is a positive indicator of their commitment to the security ecosystem. Ultimately, the supplier must offer a compelling total cost of ownership, considering not only the purchase price and licensing fees but also ongoing operational costs and the required skillset. By carefully evaluating these factors, SMBs can establish a strong foundation for their security posture through effective supplier governance.