I was given a list of topics including platforms & applications, enabling technologies, cloud in business, cloud in public sector, tools for management, cloud security, governance issues, etc. Having been with the large corporations during my career, I chose to speak on ‘Enterprise Cloud Computing’. I reached the venue a little ahead of my session so that I could get a feel of what was being discussed and tweak my talk accordingly. The audience mainly consisted of students, lecturers and a few invitees whereas the speakers were experts from various streams and mainly from vendor companies, representatives from specialist firms, and consultants.

In the preceding session, speakers presented their thoughts and ideas spanning a variety of areas including development tools, quality testing, performance management tools, security concerns and methods for their mitigation, etc. All speakers invited questions from the audience at the end of their speech but participants only nodded their heads in agreement but asked no questions.

Just before our session the organizers came up with a brilliant suggestion of changing our session into a panel discussion instead. Discussing this over lunch, the four speakers of this session felt that without adequate preparation and without a moderator, it would be difficult to last that long given the fact that the audience was rather passive in participation. So we reverted to our original plan of presentations with some time earmarked for questions and answers.

I took care to present the subject in an easy manner emphasizing on basics and leaving out a few details which I thought was were a little more advanced for the delegates. Other speakers too played the same card to the best of their abilities. There were but two questions and both from the teaching staff while students sat back dutifully till the end of the seminar.

Post session blues

When walking back from the hall, one of the professors enquired as to why this was termed ‘cloud computing’ and not ‘utility computing’ and another professor wanted to know if this was really working in the enterprises. Tired after the seminar, I preferred to wear a smile and give diplomatic answers. A student, sneaking in from behind and looking worried, spoke in a low voice and asked if ‘cloud’ was really safe. Before I could ask him further he said that he heard that the UID scheme in India is not taking off just because it was put on the cloud. I had to stop then to allay the fears of the young man explaining that what he had heard was incorrect and that UID was in a safe territory. I then turned around to another bunch of boys and asked them if the seminar was useful and one student admitted honestly that he understood nothing.

Key take-away from the seminar

There were quite a few things I learned from the seminar which makes me feel that the industry is in troubled times. Let me list them here:

1. ‘Cloud’ is a captivating theme which no institution can do without. A feeling that they will be termed outdated if they do not speak of cloud, is a compelling proposition. I wonder why institutions conduct such seminars; perhaps they do so because they have to as per their standard practice.

2. There is absence of planning and sessions are chosen without adequate thought.

3. The more they emphasize about the subject, the more they confuse the audience, especially the vulnerable young students.

4. It is perhaps time to downplay ‘cloud’ for a while and let the subject cool its heels for  sometime — till this madness settles down a bit. Restarting later may inject a little more sense to the discussions and people will absorb the subject better.

5. People seem to have different understanding what a cloud is. I am reminded of the story ‘six blind men and the elephant’.

The cloud has been on the horizon for quite a while now and shows signs of moving overhead. The scene looks threatening and intoxicating and an overdose of it has caused a hangover from which I am recovering from.

Life of the ordinary

We often get mired in routine tasks and trying to manage day to day operations. We get so consumed with this routine (of keeping the lights on) that we forget the larger purpose that we came in for. Of the little time that we have, we try to add an application here or there and keep ourselves in business. Small successes keep us happy and we try to make big of the small stuff that we accomplish. But when we go out to a seminar and hear someone speaking of big achievements, we feel shy and hide ourselves in the crowd so as to become ordinary and nondescript. That sure doesn’t give us happiness – we wish we had done something good to talk about. Small projects and extensions to the current systems we do often, but it is about doing something significant which brings about a difference to the environment that we are in.

Doing something big

Let me delve on few ingredients of such an effort:

Identification of a requirement – One needs to scan the business environment and seek out a business need that could change the fortunes of the company. This would come through discussions with the business heads or the CEO. Define the requirement and the projected outcome.

Planning – No large project is ever successful without adequate planning. So what is required is to lay down all steps necessary, resources required, possible risks and fall back options. The plan obviously requires concurrence of those involved in the project.

Execution – Adopt formal project management practices and stay committed to its success despite hurdles that we come across. It is our conviction that will lead us through.

Review post implementation – After the initial applause, do pause to take a look at the impact that the move has created and whether the project has actually achieved what it set to achieve. There are many who miss out this step. The management or the end users are the real spokespersons and it is only when they speak out in happiness, we can consider ourselves to be successful.

Of courage and managing risks

However, doing anything big and significant requires courage. We have to break shackles, come out of our comfort zone and get ready to strain ourselves for a big battle. Success however is not guaranteed and therefore the move tests our risk taking ability. Low risk entails small rewards and greater the risks, larger are the gains. We take what is called a calculated risk i.e. be conscious of the pitfalls but prepare well enough to tackle them.

I have at times during my career refused to take the beaten path and embarked on some big ventures against the usual advice of colleagues and vendors. For example, doing a big bang ERP implementation, going ahead with supply chain automation even when there were very few examples of other companies doing so in our industry, attempting digital assets management, etc. The projects carried risks no doubt but when we succeeded all others wanted to be a part of it and claim that they also contributed.

‘IT Services Management (ITSM)’ then came up as a formal methodology for managing the IT environment and services delivery. No one author, organization, or vendor owns the term ‘IT Service Management’; the origins of the phrase are unclear. There are a variety of frameworks and authors contributing to the overall ITSM discipline; and proprietary approaches are available too.

Understanding ITSM

Let us first understand what ITSM is. IT Service Management (ITSM) is a process-based practice intended to align the delivery of information technology (IT) services with needs of the enterprise, emphasizing benefits to customers. ITSM involves a paradigm shift from managing IT as stacks of individual components to focusing on the delivery of end-to-end services using best practice process models. It has, to some extent, common interests with process improvement movement, for example TQM, Six Sigma, Business Process Management, and CMMI, frameworks and methodologies. ITSM may consist of a set of best practices, a natural progressive life cycle approach, focused on value generation and business outcomes, non-prescriptive and therefore easy to tailor and adopt.

Main components of ITSM

It would make sense to understand various steps of the process that one has to undergo for implementing ITSM. Let me describe them in brief here. They are drawn from methodology followed by the Quint Group.

Service Strategy – Vision: This is about understanding the business and aligning IT with business objectives. Therefore every stage of service lifecycle is driven by a business case.

Service Design – Blueprint: This consists of a document made after a detailed analysis which guides the design of architectures, running of IT services, putting in appropriate and innovative IT infrastructure solutions and services. This provides the right direction for delivery of various services to business.

Service Transition – Construct: This part focuses on the broad long term change management role and release practices so that risks, benefits, delivery mechanisms, and ease of ongoing operations of service are delivered. Therefore the matters like knowledge management, awareness, training, release and development management, service testing and validation, are considered adequately.

Service Operation – Provision: This stage focuses on delivery and control process activities like event/ incident management, request fulfilment, problem management, etc. By doing so, we achieve a highly desirable steady state of managing services on a day to day basis.

Continual Service Improvement – Enhance: Continuous improvement is integral to this process and therefore there should be an effort to identify process elements to bring about service management improvements.

If we are currently managing our processes well, we tend to get complacent and do not formalize the service delivery mechanism. We should institutionalize the processes by inviting wider participation including those from business so that IT stays focused on delivering business benefits. It may sometimes not be possible for us to develop the best practices and therefore some external help could be of value.

Governance
Governance describes the overall management approach through which senior executives direct and control the entire organization, using a combination of management control structures and the right management practices. One of the requirements of governance is that that the critical management information reaches the executive team in a form that is adequate, accurate, and timely to enable appropriate management decision making. It also involves providing the control mechanisms to ensure that strategies, directions, and instructions from management are carried out systematically and effectively.
So the CIO has his role cut out; he has to proactively provide the required support to the management through robust information and control systems. IT systems should also facilitate maintenance of documentation of various transactions, approvals, record of critical business discussions, decisions, etc.

Managing risk
Risk management is the set of processes through which management identifies, analyzes, and where necessary, responds appropriately to risks that might adversely affect realization of the organization’s business objectives.
The first need, therefore, is to do a risk assessment and identify all possible risks that the company could be exposed to. The next step is to analyze those situations and determine criticality of the risks and their possible impact on the organization.
Once the risks are analyzed, the company has to define measures that it can take to contain any adverse fallout. The response to risks typically depends on their perceived gravity, and involves controlling, avoiding, accepting, or transferring them to a third party.
It then becomes the duty of the CIO to introduce policies and technologies for risk coverage and mitigation. He covers risks against hacking by external users, institute measures for user authorization and control, ensure safety of data through regular back-ups, implement disaster recovery and business continuity plans, conduct user education sessions, etc.

Compliance
Compliance means conforming to the stated requirements. At an organizational level, it is achieved through management processes which identify the applicable requirements (defined, for example, in laws, regulations, contracts, strategies, and policies), those which assess the state of compliance, and the ones that assess the risks and potential costs of non-compliance against the projected expenses to achieve compliance. It also involves defining management processes that can prioritize, fund, and initiate any corrective actions deemed necessary.
Here, the CIO has to be in touch with the company secretary / legal head or concerned departments to make a list of various statutory requirements that the company is required to comply with. He needs to facilitate the creation of facility to record requirements, to remind people on due dates, to help monitor compliance and help create a report on the status.
Various software packages are available that helps meet these requirements including those from leading ERP vendors, software majors, and many other small firms who create such specialized tools.

A 360-degree approach
GRC, therefore, is a holistic view of issues that the managements of companies are obliged to address. In my opinion, a CIO can play a significant role in helping his organization meet its obligations. Since most documents and processes reside on IT systems, it becomes incumbent on the CIO to ensure that all requirements are taken care of. Here is an opportunity therefore for the CIO to fill this space and rise to be an executive of significance.