So, someone from that nefarious entity called “the business” rings up IT, or perhaps even has the gall to employ an external application without IT’s blessing, and your impassioned pleas about security, migration, governance, et cetera fall on deaf ears. Frankly, these people don’t care about all that stuff, and I would argue that they shouldn’t have to. When an in-house solution to a problem takes 6 months and costs a factor of 10 of what a cloud solution does in a matter of hours, all the talk about security and governance is likely going to be politely ignored.
IT and the CIO must articulate the risks in business terms, and assign estimated costs to them so you can compare dollars to doughnuts rather than making vague threats about doomsday security risks, or discussing trivialities about your beloved governance model. Most of these people are compensated to generate revenue, and talking to them about revenue risk and reward will win far more open ears that mentioning ITIL, SDLC, SoA, etc. even if that is an underlying concern from an IT perspective.
At the end of the day, Cloud is little more than a "make vs. buy" decision. There are always concerns about quality, control, etc. when you buy instead of making, but when it’s all said and done, if the cost to buy is significantly more compelling, you’ll likely be forced down that road.