It's also essential for companies to have clear, detailed usage guidelines for employee use of IT systems and handling of data. Companies should use stringent criteria for choosing their cloud computing vendors, examining their track record, security policies, data protection technology and service-level agreements.
In particular, CIOs should watch out for opportunistic and hyperbolic claims from vendors claiming to have technology that can completely shield data from government snooping.
"Vendors have absolutely no ability to make those claims," IDC's Strawn said. "They can't execute on them. The NSA has a lot of power to do what they do. You can't do much about it."
If an agency like the NSA wants to monitor a particular system, it will, and if it can't, it will get a court order to get the access it needs.
Also, just because data, systems and applications are hosted on premises doesn't mean that government snoops can't get to them. In fact, it's likely harder for government spies to break into data centers run by Google, Microsoft, IBM, Salesforce.com and Amazon than to tap into the average enterprise network.
"I'm more comfortable with Microsoft's security for our email than with handling that internally," BCBG MaxAzria's Fuller said. "We're a fashion company, not a tech company. We need to focus our resources on producing great dresses people want to buy."
Still, the NSA scandal worries cloud computing vendors, as they sense concern from current and prospective customers. "It's not having a material impact. But it's certainly causing people to stop and then rethink decisions, and that is, I think, reflected in our results," said Rob Lloyd, Cisco Systems' president of development and sales, during the company's most recent quarterly earnings call.
The level of security offered by cloud vendors is mixed; from vendors that are new and inexperienced, to others that are outstanding and provide a better and safer environment than many organizations could afford themselves, according to Jos Creese, head of information, corporate resources, IT services at the Hampshire County Council in the UK.
"We need to be prudent as to who we select in cloud providers," said Brian D. Kelley, CIO at Portage County government in Ravenna, Ohio.
Portage County is dipping its toes in cloud computing, and the NSA revelations made him and his team more aware of the cloud risks. "In IT, we've always had control of our systems and data, and with the new cloud model, we're now relinquishing that control," Kelley said.
"We certainly need to engage ourselves much more to know where our data is, how it is accessed and who can access it, and what to do when the cloud bursts," he said.
IDG News Service reporters Stephen Lawson in San Francisco, Chris Kanaracus in Boston, Joab Jackson in New York and Mikael Ricknas in London contributed to this article.
Juan Carlos Perez covers enterprise communication/collaboration suites, operating systems, browsers and general technology breaking news for The IDG News Service. Follow Juan on Twitter at @JuanCPerezIDG.