"We believe we have a very good plan in place to make sure we're just as compliant and secure, if not more so, than we were before," Heim said.
There are ways to mitigate risks associated with cloud computing, as well as precautions, safeguards and best practices that can be adopted, IT executives said. For example, companies should examine what prospective cloud vendors offer in terms of data center redundancy, IT and physical security, risk mitigation, operational practices and government and industry certifications. IT executives can also complement cloud vendor offerings in these areas with best practices and security wares on their end, like systems that encrypt data before it's transmitted to the public cloud servers.
More than government snooping, IT chiefs appear to consider insider threats a more concrete and likely danger, including disgruntled employees or contractors like Snowden who out of malice or in retaliation expose confidential data or damage IT systems.
In fact, Snowden should serve as a reminder to CIOs to take precautions when hiring IT staffers and to put in place monitoring systems to alert them about rogue system administrators, said Alex Gorbachev, board member of the Independent Oracle Users Group and CTO of remote database administration company Pythian Group.
For example, email administrators may have unfettered, unaudited access to all mailboxes, he said. That means they could potentially browse through the CFO's messages and take a peek at preliminary financial reports. If such information were to leak, it could become a dicey situation for publicly traded companies.
Many database administrators have similar power. "Most organizations don't have a mechanism to track their activities 100 percent," Gorbachev said.
IT executives also worry about careless employees who may inadvertently compromise company systems in a variety of ways.
"Personally, I am more concerned about safe data handling practices by our users -- flash drives, use of public Internet access, lost or stolen tablets, phones and laptops, passwords on sticky notes -- than I am about the security capabilities of cloud service providers and the intrusion of governments or other entities," Brandon Robinson, network services director at ACES, a power management company in Carmel, Indiana, said via email. ACES uses cloud services for payroll, purchasing, expense reporting and some line-of-business transactional systems.
Another risk that shows up prominently on CIOs' radar screens are external threats, like malicious hackers and malware.
Government surveillance could become a bigger concern if a large company got burned by it -- for example, if a government had surreptitiously collected a considerable amount of confidential data from a company, and a malicious hacker broke into the government's system and exposed the data. But there hasn't been a high-profile case of that sort yet.
Sign up for MIS Asia eNewsletters.