Fortunately, organizations today aren’t using those technologies for mobile devices, he said.
“The good thing is that most enterprises started off with mobility as a brand-new thing,” said Zumerle, co-author of the updated report “How Digital Business Reshapes Mobile Security.” So they bought new mobile security systems to manage and secure their employees’ devices.
The most common one organizations use today to enforce mobile security policies is enterprise mobility management (EMM), which monitors mobile devices and controls employee access to applications. Zumerle said the vast majority of Gartner client organizations use an EMM tool.
A minority of organizations, “for a number of internal reasons — usability, technical reasons — do not want to manage devices,” Zumerle said. “It’s a slightly different approach. Instead of trusting the device, they are trusting parts of the architecture.”
Organizations that choose to “unmanage” devices may pack their email contacts, calendars and business applications into a mobile container and “make sure that container stays safe from any sorts of attacks.”
The personal applications employees use would be outside the container; the advantage is they are isolated from the company-sanctioned business apps, Zumerle said.
Or organizations can set up an enterprise app store. There, employees can browse and download approved applications. Some basic detection programs would be run on the devices workers download apps to — to check whether the devices were “jailbroken,” or had software restrictions removed, or otherwise compromised.
“You would have those sorts of things, but you wouldn’t impose a device-wide enterprise policy,” Zumerle said.
Just the basics
A third category of organizations don’t have proper mobile security systems — but they do impose the most basic security on devices used by their workers. They may use Exchange ActiveSync, a Microsoft protocol that lets users access email and contacts from their employer’s Exchange server. It can be used to impose security on mobile devices, but it’s bare-bones.
“You basically can force a very basic policy onto the device in terms of passcodes encryption and so on,” Zumerle said. “There’s a portion of the industry right now that are still at that stage, where they’re using that basic protocol for some basic management of the device.”
It happened at the end of a panel discussion on how the digitization of work (of the world!) is changing the CIO profession, and it was over in a flash. But the reaction — a burst of applause — to a question fielded by veteran IT executive Stephen Gold reflected the pressure CIOs are feeling about their jobs.
Gold is CIO at CVS Health, the $180 billion corner drugstore chain turned pharmacy innovation company, as it calls itself. Over the past four years the Woonsocket, R.I. health care provider has relentlessly pursued a “customer centric” digital strategy, Gold told the audience at this year’s MIT Sloan CIO Symposium.
The overhaul began with creating a “consistent digital image” for the customers and patients of its lines of business — CVS Pharmacy, CVS Specialty, the MinuteClinic, Caremark — each of which had its own website, mobile applications and development team. But that was just the “tip of the iceberg,” Gold said. The adaptation of legacy IT systems to a digital marketplace at a company the size of CVS is such an enormous task. Indeed, the quest gave rise to the hiring in 2013 of a chief digital officer (CDO), Brian Tilzer, and in 2015 the formation of a digital innovation lab in Boston.
“You read the press — there is talk about the demise of the CIO, the rise of the CDO, but I don’t see it that way. I don’t see it as a threat,” he said of CDO hire, noting that he strategizes with Tilzer all the time. “I view it as an opportunity. I was exchanging emails with him at 6 o’clock this morning on a trip we’re taking to San Francisco.”
Here was a CIO confident enough to voice what others in the room must have been thinking when they heard chief digital officer.
Training for the CIO profession
The MIT panel included JetBlue Airway’s CIO Eash Sundaram and chief commercial officer Marty St. George. Shawn Banerji, managing director of the technology division at executive search firm Russell Reynolds, moderated the panel, which focused on how CIOs are adapting their organizations for digital times. Sundaram, for example, serves as chair of JetBlue’s new venture capital arm in Silicon Valley, which seeks out startup technology — personalization, geolocation, virtual reality — that can be used to enhance the travel experience.
At the end of the session, Gold took a question from an audience member who identified himself as a former CIO and professor in the business school at Northeastern University. What should the IT curriculum cover to prepare a new generation for the rigors of the CIO profession? Should we be training students in computer science or be teaching something else? “It sounds like the traditional MIS curriculum doesn’t fit anymore,” the professor said.
“In my opinion, I would say it is an and, not an or. I still believe the chief information officer has to be a computer scientist or has to be an electrical engineer,” Gold began. “You wouldn’t have a chief medical officer that was not an MD,” he added, his voice rising, “you wouldn’t have a chief accounting officer that’s not a CPA.” That’s when the applause broke out, first a single hard clap then a burst of applause and an affirmative shout out from the crowd — hear, hear!
It’s not that CIOs need to write code, Gold said, although he still can, he noted.
“But you have to understand the architecture of how these systems get built and maintained,” Gold said. “You have to continue to teach the fundamentals and on top of that teach them what it means to be a business-focused CIO.”
“Our philosophy is we are a customer service company that happens to fly planes,” Eash Sundaram, CIO and executive vice president of innovation at JetBlue Airways, told a lunchroom of CIOs at this year’s MIT Sloan CIO Symposium. “Technology is the backbone of our customer service.”
Many companies like to tout customer service as the key to their success. And many companies, no matter the industry sector, view technology as core to the quality of their customer service. How else could they sell to a digital customer if technology, specifically information technology, were not a pillar of their business models?
So perhaps it shouldn’t be surprising that the JetBlue CIO, in addition to his IT and innovation roles, is also chair of JetBlue Technology Ventures, the airline’s Silicon Valley venture capital arm, which seeks out technology startups that enhance customer experience.
But the career twist — CIO as venture capital investor — was a new one on me in what may be the fastest-evolving role in the C-suite. And it apparently sounded novel enough to the CIOs and other IT corporate types sitting near me: We perked up when Sundaram, on a panel about the CIO role in digital transformation, started talking about the venture investment firm, formed in February and located 2,931 miles west of the airline’s Long Island headquarters in Redwood City, Calif.
“We have a small team out there with its own funding and a president who reports to me,” Sundaram said, referring to the multitalented Bonny Simi, pilot, three-time Olympian and Stanford grad.
JetBlue’s investment aim is to find and develop businesses that “sit at the intersection of technology, travel and hospitality,” in particular, early-stage startups specializing in personalization, geolocation, messaging, and virtual reality and other new technologies that bridge and enhance a JetBlue customer’s digital and physical travel experience.
“It’s a nice model for us to bring innovation back to the mother ship. In some cases, the investments we are making will be consumer products on Day 1, and in some cases five to 10 years out. We think this is going to be an important vehicle for expanding what Jet Blue does,” Sundaram said.
JetBlue CIO and digital transformation
While CIO-as-venture-capital-investor might be a rarity, Sundaram is representative of the latest iteration of the CIO role, said Shawn Banerji, managing director of the technology division at executive search firm Russell Reynolds and the moderator of the MIT Sloan CIO panel.
Five years ago, with the advent of cloud, most companies in search of top-notch IT talent put a premium on the “operational CIO,” Banerji said — someone who could build a robust, secure, scalable, functional utility across the enterprise.
“That’s a tough job. It requires great business aptitude; it takes relationship skills, great program project management skills, people leadership — all those sorts of things,” he said. About two years ago, CIO search criteria started to change.
“We saw the adaption of the role into the transformational CIO as businesses wanted to change from legacy ways of doing things into a more digital way of interacting with customers. They expected the CIO to adapt and play that role in that transformation,” Banerji said.
The technical aptitude and business skills required for this role are not exactly aligned with those required of the operational CIO, he added. Transformational CIOs like Sundaram, in addition to building robust IT operations for a digital customer, are also driving new products — and making money for their companies.
Many of those sought-after operational CIOs, while superb at their jobs, do not have the capabilities to become digital leaders. “It’s a different kind of profile,” Banerji said.
Technology is marching at a breakneck speed and organizations are relying on innovation to keep pace with the changing ecosystem. The big four technologies that are driving business innovation — social, mobile, big data analytics and cloud, referred to as “third platform” technologies by IDC and as the acronym SMAC by others — are changing enterprise IT and the way businesses and customers communicate with each other, requiring businesses to evolve their strategies in order to thrive.
And CIOs play an important partnering role when it comes to innovation, said Fred Magee, adjunct research advisor at IDC.
In an IDC study titled Creating Innovation Strategies — Learning to Think beyond Enterprise Boundaries, Magee details a framework to help IT leaders who are using IDC’s Leading in 3D approach in creating multi-tiered innovation strategies within an organization.
Magee sees the L3D model – designed to help IT leaders create an IT strategy that aids their organization’s digital transformation — as the implementation end of innovation.
“The point of creating an innovation strategies framework is to create a context within which business leaders and CIOs can understand how the world is changing digitally and where they need to make investments and change their business models, IT infrastructure and their processes to adapt to that changing world, from large transcendent changes to small incremental ones,” Magee said.
IDC makes clear that innovation is not a one-size-fits-all process. The innovation strategies framework is designed to help organizations realize the kinds of innovation they need in relation to their business strategy, he said. The framework has three tiers of innovation: Disruptive, adaptive and incremental.
“If you think of disruptive innovation as driving innovation toward the market, adaptive is recognizing that the market is changing already … and incremental is driving innovation one step at a time,” he added.
The three tiers of innovation may seem separate, but they are not, he said. Even organizations that are disruptive by design will operationalize their disruptions sometime, he added.
CIOs can connect the dots between organizational priorities and technological possibilities.
“[The] CIO is really going to be more of an innovation partner and is going to be in a position to identify the best means for using digital technologies to support the digital transformation of the business that the executive, marketing and sales leadership and perhaps the board have identified as being critical to the business’ future,” Magee said.
To identify the right types of innovation, it is important to recognize external drivers like customers and market changes and identify the company’s leadership style — visionary or cautious — and whether it is willing to launch a significant innovation, he said. Determining a company’s business goals — whether it is trying to achieve competitive supremacy or competitive equality — comes next, followed by the execution phase, he added.
“When you start to define the ideas that actually make sense to your business, then you say, ‘OK, this is a manageable, moderate amount of innovation that might be possible to do on a continuous basis because we understand the investment profile for this kind of investment and now we have to execute it.’ That’s where L3D comes into play,” Magee said.
L3D is a process for turning ideas into deliverables, Magee said. It is about first identifying what needs to happen, then taking it through a process of innovation, integration and incorporation, he added.
The innovation strategies framework has four stages: analysis, ideation, L3D delivery and evaluation.
“Using this innovation strategies framework, hopefully you will have engaged your stakeholders, business leadership, in a process of identifying the right places to innovate and also a process for making a business case for it,” Magee said.
The EU-U.S Privacy Shield data transfer pact is now in effect, and U.S. cloud providers, e-commerce retailers and other companies that want to collect customer data from their European Union counterparts can start signing up to use the laws Aug. 1.
The framework, which replaces the Safe Harbor agreement dissolved in October 2015, has stronger security protections for EU citizens whose personal information will be shipped across the Atlantic. U.S. companies on the receiving end have to self-certify, promising to uphold data privacy principles such as “notice” — which requires companies to let customers know what will happen to their data. But in complying with Privacy Shield principles, companies can also use the new pact to improve their reputations as customer-centric organizations, said Enza Iannopollo, an analyst for Forrester Research.
“If I am required by the regulation to put in place a process to address access requests for the data of my customers, how do we do that?” Iannopollo said. “Am I giving them the right explanation, and when I do that, when I communicate with them, am I showing the right level of sensitivity and the right level of understanding?”
If the answer to those questions is yes, that’s good news, Iannopollo said. Customers will give high marks to companies that explain their privacy policies on their websites in ways they can easily understand. If companies give the job to their legal teams, and those teams churn out dense legalese, customers may feel discouraged and underappreciated.
“You’re losing a big opportunity, which is using that content to show once more to your customer, ‘I care about you,'” Iannopollo said. “‘I’m easy to do business with, and I’m putting you charge and this is the control that you have over your data.'”
Ensuring customers’ security and privacy, she said, can be a “differentiating factor.” Consumers will happily continue to give their business to customer-centric organizations they feel respect them and their privacy — and even pay more for their products and services.
“Compliance is where you start, but then you can push privacy really all the way to a business growth strategy,” Iannopollo said.
Before organizations needed to protect the business data their workers access on smartphones and tablets, they had to — and still do — protect the data employees use on laptops and PCs. So why not use those same endpoint security tools to protect mobile devices?
Two main things: the way people use mobile devices and the way mobile devices are built, said Gartner analyst Dionisio Zumerle, co-author of the recently updated report “How Digital Business Reshapes Mobile Security.”
“The traditional management models just don’t fit mobile,” Zumerle said. “You have the way that people use their mobile devices — that promiscuous way, if you will — that they use mobile devices with personal and business.”
Users are “promiscuous” on mobile devices, Zumerle said, because they’ll just as soon as use a reporting tool to prepare a business presentation on their smartphones or tablets, for example, as they will post a picture of an Independence Day picnic with their families on Facebook. Mobile devices make it easy not to discriminate.
That doesn’t happen as much with laptops or PCs, Zumerle said, “maybe because people don’t consider a laptop that personal.” Or it could be because most of the personal activity that is done on laptops — email, scrolling through Twitter or Instagram, or shopping on Amazon — happens in browsers.
Lack of oversight
Another reason traditional tools don’t work can be traced to the architectural differences between traditional devices and mobile devices. For example, laptops and PCs have been built to do things like track user activity. And if anything untoward is going on, they can be locked down.
“With certain agents on the device, you can pretty much see a lot of what’s going on, on the device and a lot of what the user is doing is with the device, with the enterprise data on the device,” Zumerle said. “And that’s something that you cannot do on mobile devices for technical reasons.”
What most companies today are using to manage and protect mobile devices, a panoply of enterprise mobility management tools, do allow organizations to see some, but not all, of what a user is doing on a mobile device. And there are newer tools, such as cloud access security brokers, that will send a warning to someone trying to, say, access a free file sync-and-share service such as Dropbox. So someone trying to move two gigabytes of data from a mobile device won’t be in stealth mode.
“Still, it’s difficult to see what data was that two gigs of data,” Zumerle said. “Just pictures from my birthday party? Or was it real enterprise data from customers?”
Dionisio Zumerle discusses the trends that are shaping mobile security today and how to get started on a strategy in this SearchCIO interview.
Barcelona, Amsterdam, Berlin.
Those are the cities that could replace London as Europe’s technology hub now that the British people have narrowly voted to separate from the European Union.
If London loses its premier status, CIOs in England’s glittering capital — and elsewhere in the tech-rich United Kingdom — will have even more trouble recruiting hard-to-find talent.
Programmers, developers and other IT folks from all over Europe have long journeyed to London to seek their fortunes — or at the very least, a start to their careers, said Forrester Research analyst Laura Koetzle.
Tech hub no more?
Often, they go straight from college to a notoriously expensive city, she said, “knowing that they’re not going to have that much money, and they’re going to live in a stinky flat share … because it’s the best market in Europe, where they can rise the fastest and do the most interesting things.”
But as legislators work out details of the split over the next two years, the immigration status of thousands will be thrust into uncertainty. If it’s too hard to stay in London, many tech workers will go someplace else.
Barcelona, Spain, or Amsterdam, Netherlands — cosmopolitan cities with flourishing IT sectors and relatively lower costs of living — are likely alternatives, Koetzle said. Berlin or Stockholm, Sweden, could also take the title of technology hub.
Venture capitalists, too, seeing less promise, could move to talent-friendlier shores, as could their startup protégés.
Keeping the capital’s gain
To keep the talented Europeans they already have, Koetzle wrote in a paper released after the EU referendum, London-based CIOs should give themselves a new title: chief retention officer. As the government sorts out visa and immigration policies, CIOs’ challenge will be to convince their European workers to go through what could be a lot of extra effort to stay in a country that’s not so easy to live and work in anymore.
One suggestion: Get hipper. Start by giving workers the social media and collaboration tools they want to use, such as Skype and Slack.
“Further, revitalize your tired old ‘back-office campus’ as a cool, vibrant place to work in order to keep your star developers,” Koetzle wrote.
Company leadership has a vision for where the business should be headed. The new direction diverges from what made the company successful. It will require new business models, new financial models, a new business psychology — it calls for innovation. How does leadership make it happen?
Don’t overlook innovation software, said Mohan Nair, who spoke to me recently about his experience with Spigit software. “You can’t do it the old-fashioned way.”
Nair is the chief innovation officer and a senior VP at Cambia Health Solutions, a Portland, Ore., not-for-profit that got its start nearly a century ago selling insurance to loggers and mill workers in the Pacific Northwest. In recent years, Cambia has moved beyond insurance into consumer healthcare and technology. Today, the health insurer, which has 2.5 million members and employs 5,500 people, comprises some 25 companies, many of them aimed at helping people become more involved in their healthcare decisions through online, mobile and digital technologies.
Nair, who was trained as a computer scientist and went on to run software companies, was recruited in 2003 to Cambia, then known as The Regence Group, to help the company’s then-new CEO, Mark Ganz, engineer a “total transformation of the business from the bottom up, not top down.”
Unleashing vs sanctioning innovation
The bottom-up transformation started at the top with the CEO’s vision to make Cambia a more customer-centric company — a radical viewpoint in the health insurance industry at the time, Nair said — and with leadership’s conviction that innovation be seen as a company value.
“You don’t say, ‘Let’s have a lab and you guys are going to get all this innovation after the smart people think it through. You make innovation a responsibility and a requirement.”
But saying that henceforth innovation is a company value doesn’t make it so. “It’s not that easy,” Nair said. It’s important that innovation is not something seen as “allowed” by the company. “That’s not what innovation is about. There is a renegade quality to innovation and you should unleash it, not allow it.”
One thing that helped unleash new ideas at Cambia, Nair said, is the innovation software from Spigit he introduced five years ago.
“It allows for true bottom-up crowdsourcing in a somewhat disorganized way. Anybody at any level can say, ‘I challenge us to solve this problem. I challenge us to identify solutions in this area,'” he said. “Technology has no emotion, but the design of the technology can allow emotion to manifest itself.”
While Cambia’s organizational structure — who reports to whom, the various paths up the corporate ladder — is the “backbone of the company,” Spigit’s innovation software “is like the nervous system of the organization,” Nair said.
“It’s all about how ideas flow from one part to another, where redundancy could be good and where focus can be the enemy of new ideas,” he said.
Measure — but not too soon
It’s also important that innovation be measured. To that end, Cambia employees are surveyed quarterly on their bosses’ ability to “absorb and understand” new ideas. The company also measures how many ideas are coming through the system, identifying which people are getting more ideas going than others and what techniques they are using to make that happen, Nair said. The company has also found a correlation between people who submit ideas and their performance rating — people with high performance ratings tend to contribute more ideas than their lower-performing peers.
But, he cautioned against imposing metrics too early in the process. “I never put those measurements in place until I felt we had reached a tipping point, which is about 28% of the company submitting, viewing or contributing new ideas,” he said.
While the aim of the innovation software is to generate ideas that bring business value, companies should not fixate on business results too early, he said. “When we were at 5%, 8%, 10% participation it was about loving the idea less and encouraging the people with the ideas more.”
The innovation scorecard
Indeed, it takes about four or five years for the technology-enabled innovation model to “mature,” Nair said, who rattled off Cambia’s latest
- 29% of employees engaged in innovation
- 1,276 ideas generated
- 5 companies created (two from crowdsourcing)
- $171 million in contributed revenue
“The most recent company we are about to launch will be a very dramatic transformation. It is in the area of pharmacy transparency and came from a pharmacist who submitted his idea into the crowdsourcing toolkit,” Nair said. “Others latched on it — and eight months later he is founder of a company.”
How does a tech revolution begin? With the hyped rollout of some slick gadget at a convention in Las Vegas or San Francisco, followed by headlines everywhere about how the thing is already changing people’s lives (meanwhile, folks are queuing outside retail stores in the rain wearing ponchos)?
Not quite, said IT consultant Judith Hurwitz. Technologies that “transform everything” take decades to evolve.
Hurwitz, who wrote Hybrid Cloud for Dummies and other books on IT, was at the recent Cloud Expo in New York to talk about cognitive computing, which simulates human brain functions. It learns the way we do, Hurwitz said, and will change the way business applications are built.
Software of the future will rely not on programming, as traditional apps do, but on an ever-flowing input of data, changing as structured database files and unstructured journal articles and videos are ingested and analyzed.
It will have an enormous impact on data-intensive industries like healthcare, changing the way doctors diagnose patients – they’ll collaborate with machines like IBM’s Watson on diagnosing patients. And in manufacturing, according to The National Academy of Engineering, production systems will be imbued with intelligence and reasoning — and operate themselves.
That’s not all. Cognitive computing will refashion legal and financial services, retail, marketing and security, Hurwitz said.
It just won’t happen tomorrow.
“When the technologies are mature enough, ubiquitous enough, the infrastructure’s in place — that’s when dramatic change suddenly happens out of nowhere,” Hurwitz said.
Take the Internet. When did you start sending more emails than letters? Probably around 1996 or ’97. Electronic communications were first sent in the early 1970s over the ARPANET, a networked developed for the U.S. Department of Defense.
There was no come-from-behind tech revolution with the fax machine either. It was developed throughout the mid-to-late 1800s but didn’t become an office staple until the 1980s.
“All of these technologies take time to evolve,” Hurwitz said. “This is the reality.”
A long-term care provider turned to cloud computing to shore up security and boost application performance. Here’s the rundown:
The IT situation at Creative Solutions in Healthcare was pretty dire two and a half years ago. When CIO Shawn Wiora came on board he found alarming security issues. The company’s out-of-date Windows Server 2003 machines were out of synch with current security protocols. Patch management as a formal program was practically nonexistent. There was very little documentation of Health Insurance Portability and Accountability Act (HIPAA) compliance. “From a security perspective, it was a ticking time bomb,” Wiora recalled. IT performance was also an issue with slow electronic health record (EHR) system response times.
Wiora noted a disconnect between the state of IT and Creative Solutions’ passion for patient care. The company, based in Fort Worth, Texas, runs more than 49 skilled nursing and 13 assisted living facilities. The CIO determined cloud computing would let the IT side catch up with the rest of the company. The company selected VMware’s vCloud Air, an infrastructure as a service offering, as its core cloud computing technology. VMware, Wiora said, was open to accommodating Creative Solutions’ security vision: A customized version of the Health Information Trust Alliance framework, which incorporates HIPAA, NIST and PCI among other security controls.
Incorporating the key frameworks into its cloud from the start put Creative Solutions on the proper security track. In addition, the cloud deployment improved the performance of applications such as EHR. Instead of a two-second lag, the company recorded round-trip latency in the 40-to-80 millisecond range. That’s an important plus for care delivery, considering caregivers at an individual facility use kiosk computers to record thousands of patient interactions daily. The company has also addressed internet outages, using Cradlepoint technology that fails over to 4G LTE in the event of disruption. “The company is now a phoenix out of the ashes in terms of IT,” Wiora said.