High-profile cyberextortions like the Sony Pictures Entertainment hack in 2014, the one last year on infidelity dating site Ashley Madison and even a lesser-known hack on InvestBank in the United Arab Emirates must have spooked a lot of people.
According to a study released in January by Cloud Security Alliance and security software vendor Skyhigh Networks, 25% of organizations said they’d be willing to pay a ransom to hackers to stop the release of sensitive information, and 14% would pay more than $1 million.
“To me that is disheartening, and it does tell us that both we’re not doing a good enough job in the industry protecting information,” said Jim Reavis, co-founder and CEO of Cloud Security Alliance, “and also that our use of technology is so vast that there are so many threats out there.”
And they keep happening. The Boston Globe reported just this week that the town of Medfield, Mass., paid a ransom after “ransomware” — a virus that locks a computer or device and demands the user pay a cash sum — shut down its computer network for about a week.
I wrote last week about the “culture of security” at Equinix, a Silicon Valley provider of data center space. CIO Brian Lillie described it as a companywide awareness about threats to information security – achieved through relationship building and support from top execs down — combined with an array of technological tools and a CISO to make sure all departments check out.
Now is the time for more companies to follow Equinix’s lead. Traditional security practices like doing backups and tools such as intrusion detection software and antimalware are all essential to maintaining a strong security posture, but the fact that organizations are willing to give in to hackers’ cash demands — and in practice do — is testament that more is needed.
The human element in information security often gets short shrift. For example, many still believe that training programs don’t work and aren’t worth spending time and money on. But the best security defenses in the world won’t be successful if even one employee doesn’t know a phishing email when he sees one. And today, it’s easy for business departments to order a cloud service or download an app to a corporate smartphone. People who don’t know what’s kosher and what isn’t are practically courting disaster.
Everyone — from chief executives to business departments to the newest of hires — needs to be keenly aware of the threats out there, how to prevent them and how to counter them if they do occur. The more an organization can instill its people with a security mind-set, the more it can bolster its defenses against an increasingly bold and innovative underground.
It’s easy to resort to labels when talking about the CIO position: strategic CIOs versus operational CIOs, the digital visionaries versus the keep-the-lights-on types, team players versus the so-called rock stars. A recent survey from Deloitte’s CIO Program adds to the litany. Based on the responses of 1,271 CIOs and senior tech leaders from 43 countries, Deloitte uncovered three categories of CIOs:
- Trusted operator
- Change instigator
- Business co-creator
Unlike other expert commentary that suggests one type of CIO position is better than another, however, the Deloitte study doesn’t choose sides. Instead, it makes the welcome observation that the CIO role will and should vary from business to business — and even in the same business, change over time.
“There is no judgment around one versus the other. The best category is the one that is matched to what your organization needs in the moment,” Karen Mazer, U.S. CIO program lead at Deloitte Consulting LLP, said in a webinar reviewing the survey findings.
If the business is in cost-containment or reduction mode, it likely needs a trusted operator in the CIO position. A business trying to set a vision for the future and leverage cutting-edge technologies to do that needs a change instigator. A rapidly expanding company deciding on the long-term tech investments required to accommodate growth probably needs a CIO who is a business co-creator.
Rather than fret about which category they fit in, Mazer suggested CIOs first answer these questions:
- What CIO pattern do you identify with and are you aligned with the business needs of today?
- What does the business need to be doing? Should it be looking more to the future, and how are you preparing yourself for where the business needs to go? Do you have the skills and confidence to drive the organization forward?
While Deloitte does not pass judgment on the roles that define the CIO position, survey respondents had definite ideas about which type of CIO they aspired to be.
Over half the survey takers who identified as trusted operators or change instigators said they would like to be business co-creators. Mazer said it is important for those types of IT leaders to identify the reason their CIO positions are not aligned with their personal aspirations. Is it because they’re not where their organization is, or is it because they lack the CIO skills required to be in that category?
“The best CIOs can adapt to the needs of the environment they operate in and change with the times,” Mazer said.
For detailed descriptions of the three CIO categories, go to part two of this post, “CIO report: Three CIO archetypes and how each delivers IT value.”
Based on the responses of 1,271 CIOs and senior tech leaders in its recent global survey, Deloitte identified three CIO personas: the trusted operator, the change instigator and the business co-creator.
The first part of this two-part post, “Defining the CIO position: Don’t box yourself in,” explained that Deloitte’s study doesn’t claim that one persona is better than another. Rather it argues that the mode of delivering IT value should ideally match the business’ needs at the moment. Misalignment — whether because IT fails to operate at the level the business needs, or because the business is simply not prepared to follow IT’s vision — is not good.
“CIOs who can adapt and adapt quickly to changing business needs are the ones we think are going to go a long way in driving very significant value for their organizations,” said Khalid Kark, director at Deloitte Consulting LLP and a principal author of the CIO report.
This post provides a rundown of the three CIO archetypes Deloitte derived from the survey responses, as well as the top business priorities, leadership traits, relationships, and technology investments associated with each.
Trusted operators deliver IT excellence by focusing on cost, operational efficiency and performance reliability. They provide enabling technologies, they support business transformation efforts and align IT strategy to business strategy. This category comprises the largest percentage of survey takers: 42%.
Business priorities: Of the five business priorities cited by all the CIOs taking the survey — performance, cost, customers, innovation and growth — survey respondents identified as trusted operators singled out cost and performance as their top two.
Leadership: CIOs in this category rarely lead business innovation, nor do they spearhead growth efforts. They see “technology operations,” “execution” and “communication” as their top leadership talents.
Relationships and influence: Trusted operators typically report to the CFO and they actively engage with their IT workforce.
Tech investments: Digital technology will have the most impact on their businesses in the next two years, followed by analytics and cloud.
Change instigators lead transformation efforts and act as the change agent within the organization, according to Deloitte’s CIO report. This category represented the smallest number of CIOs taking the survey.
Business priorities: Customers and innovation are the top business priorities for change instigators. These CIOs are often brought in to change the status quo and look outside the enterprise for ideas.
Leadership: Change instigators see “communication” and “understanding” as their top two leadership strengths.
Tech investments: Change instigators see analytics as the technology that will have the biggest impact on their organizations over the next two years.
The primary aim of business co-creators is to support and drive business strategy. This group accounted for about one-third of the survey respondents.
Business priorities: Business co-creators rank all five business priorities almost equally, striving to balance performance and cost goals with customer, innovation and growth goals.
Leadership: They see “communication” and the “ability to influence internal stakeholders” as their top two leadership skills.
Brian Lillie, CIO at data center builder Equinix, a company where security is “embedded in everything we do,” said that doling out general advice for bolstering IT security in the cloud computing era is difficult because all organizations are different. But there are guidelines they can follow to take advantage of the lower costs, faster setup and better user experience cloud systems offer — and maintain solid cyberdefense. Here are his three tips for better cloud security:
- Have a cloud-first strategy. To Lillie, cloud today means cloud-first. “If you can solve a business problem in the cloud, do it,” he said. “Because that is where all of the investment is going. It’s where most of the [vendor] innovation is happening and more and more and more, their solutions are going to be in the cloud.”
- Accept the reality of hybrid IT. Most companies won’t be 100% in the cloud, Lillie said. Some applications, for example, will have to be purpose-built, and those will most likely have to stay on premises — so will highly sensitive applications and ones that are “too core to IT.” So hybrid IT — or an integrated mix of on-premises and cloud systems — should be the aim.
- Wrap it all in security. Organizations can’t stop at defending their data centers. As they look more to cloud applications, they need security policies, processes and tools to safeguard those as well. “You’ve got to make sure your data is safe in transit,” Lillie said. “You’ve got to make sure that your integration strategy between your on-premises and your cloud is not only secure but high-performing.” And no one technology does everything, he said. His team has around 25 security tools to keep Equinix’s cloud applications safe, including gatekeeper software called a cloud access security broker, federated identity management for ensuring users are who they say they are, and a Web application security scanner to detect weaknesses in applications. “I actually think that a set of tools layered is the best defense,” Lillie said.
Figuring out who to hire and what to pay for IT job skills has never been a cut-and-dried affair. Even when IT salaries are relatively stagnant, as they have been in recent years, demand for certain IT job skills — and therefore the premiums paid for those skills — can change in a matter of a mere three months, a phenomenon David Foote understands well. Foote Partners LLC, an advisory and research firm founded in 1997, tracks pay for 835 IT skills every 90 days.
“The truth is that there are so many skills that employers find worthy of extra pay, and for these skills either certifications don’t exist or the ones that do are perceived as too easy to attain,” Foote said in the firm’s latest release on IT job skills pay from Oct. 1, 2015 to Jan. 1, 2016. “Besides, employers have always had their own ways to evaluate and accredit skills expertise. They are comfortable using their own methods to qualify the strength and value of skills and how they factor into their workers’ capabilities on the job.”
In rapidly changing business climates — as is the case in today’s massive shift to digital business — premium pay for IT job skills is particularly volatile, Foote explained in a phone call following up on the report. A good example is what has happened to compensation for big data skills over the past two years. For all the media buzz about the importance of advanced analytics in gaining a foothold in the digital marketplace, pay premiums for 58 big data-related skills and certifications declined an average 4.7% in the last nine months of 2014.
“Companies started going into big data, hiring people out of Google, out of big tech firms — and then found nothing was happening. ‘We’re putting money into this,’ they told us, ‘and we’re not getting any results,’” Foote said.
Big data pay on rebound
Doing big data is about data sharing and transparency and breaking down business silos, Foote said, something many hierarchal companies find difficult to do. Another reason for the pullback in big data pay? An institutional reluctance to embrace data-driven decision management. “These companies want to build a new business model to compete in a digital era — and then find that their culture just completely gets in the way of doing it,” he said.
But as companies have found their “sweet spots” in big data, discovering what they can and can’t do, compensation for big data skills has rallied, rising nearly 6% in market value overall in 2015 and predicted to increase over the next 12 to 24 months.
“Big data capabilities are just too critical for staying competitive. They’ve expanded in popularity from a few industries to nearly every industry and market,” he said. The growth of the Internet of Things (with a predicted compound annual growth rate of 30% over the next five years) — and the pressure to turn IoT data into actionable business intelligence — will further spur pay for big data-related skills, he said.
Here are some other findings on IT job skills from Foote Partners’ latest research:
DevOps gets “serious traction:” Acceptance of DevOps methodology is growing. The latest premium pay data for 2,745 employers tracked by Foote Partners shows a 7.12% gain in average market value for DevOps skills in the past six months.
Cloud skills demand strong, but pay eroding: Talent supply for cloud skills is catching up with demand, resulting in a modest 1% gain in average value in 2015 for 73 cloud-related certified and noncertified skills.
Security skills gap deepens: Market values for the 76 information security certifications tracked by Foote Partners have increased an average 9.7% over the past two years. The report states: “The bad news is that while cybercriminals and hacktivists are increasing in numbers and deepening their skill sets, the ‘good guys’ are struggling to keep pace. … CISOs will have to become more aggressive about getting the skill sets the organization needs, plus [they] will need to build sustainable recruiting practices and develop and retain existing talent to improve their organizations’ cyber resilience.”
Read more about Foote Partners’ latest findings in “Digital business disruption roils the manufacturing sector.”
David Foote, whose research advisory firm, Foote Partners LLC, specializes in tracking compensation for IT skills, knew digital business disruption was real when he started getting calls from companies like Fender Musical Instruments Corp.
“Fender makes metal and wood products — musical instruments, amps. And they call me and say, ‘We’re putting together this digital group and we have no idea what to pay these people and how to reward them,’” Foote said. “‘Wait a minute,’ I said, ‘You’re a manufacturing company, what does this mean?’”
The storied guitar maker told Foote it wasn’t exactly sure, but it was looking for ways to grow its business. Guitar is a hard instrument to master. It had a couple of ideas for digital products that would make it easier for people to learn how to play — and help sell more guitars.
All corners of the manufacturing sector are seeking digital skills compensation data, Foote said, citing Lowe’s Companies Inc. and Honeywell International as two more examples. “Lowe’s is the store you walk into when you want to build a deck on the back of your house. We’re working with them and find out they’re doing stuff with NASA on all this crazy robotics stuff and 3D imaging,” he said. Honeywell, making a big push into the connected home market, now has “nine, very well-staffed digital innovation groups around the United States and Canada,” according to Foote.
“It’s not that people are doing digitization that’s so amazing. It’s that the companies calling us and asking for help now are hard-core manufacturing companies. They’re all getting into digital software, and things are getting serious,” he said.
GE picks up and moves to a digital hotspot
A marquee example of a hard-core manufacturing company in the midst of digital business disruption is General Electric. Foote, who lives about five miles from what will soon be GE’s former headquarters in Fairfield, Conn., said the manufacturer’s move to Boston isn’t just about tax breaks. “They are going digital in a very big way and they want to put their headquarters closer to the action,” Foote said, referring to Boston’s thriving high-tech ecosystem. Indeed, CEO Jeffrey Immelt recently asserted that the industrial powerhouse would be a “top 10 software company” by 2020.
Digital skills held back by culture
As the manufacturing and other sectors come to terms with doing business in the digital era, the questions for companies and CIOs, as well as for Foote Partners, are what IT skills and roles are required to deal with digital business disruption, and what companies need to pay these people to be competitive. But hiring the right people doesn’t necessarily put companies closer to digital transformation.
One example, said Foote, is the role of DevOps engineer. DevOps — the blending of tasks performed by a company’s application development and systems operations teams — has been around for a long time, but only recently has there been enough compensation data to follow the role of DevOps engineer.
Foote had long wondered why more companies hadn’t gone after a skill that would help them integrate their IT, operations and business strategy — and conceivably give them a competitive edge.
“Then I realized after talking to companies that DevOps is really not a technical skill; it’s a whole mindset. And a lot of companies were really turned off by that, because they don’t adapt very well when they have to change. Change is tough.”
For more on which skills are hot, and which not, in digital business transformation, check out part two of this post, “IT job skills, digital mind-set in short supply.”
PTC Inc., a software company based in Needham, MA, is in the midst of a transformation. Known for its design software, PLM and service management products, PTC is placing big bets on the Internet of Things and augmented reality technology.
“The digital and physical worlds are converging,” Jim Heppelmann, president and CEO at PTC, said at last week’s live streaming Thing Event. “This convergence is transforming everything. It’s transforming how we design and manufacture things, how we operate and service them.”
But, added Heppelmann, one area that hasn’t converged just yet is how people interact with smart, connected things.
That’s a gap PTC believes will be filled by augmented reality (AR) technology. Unlike the artificial environment created by virtual reality technologies, AR layers contextual information over the real world in real time. Think Google Glass, which uses eyewear to, say, display a map view to the user with directions to a destination.
In addition to changing how consumers interact with the world around them and how companies market to those consumers, PTC believes AR technology will change how employees get work done within the enterprise. “The number of potential applications for AR in the enterprise is limitless,” Heppelmann said. His list includes everything from validating product designs to training new employees on how to use a product in the field.
PTC is using AR to help businesses fix and maintain complicated machines. Deere & Co, a manufacturer of agricultural, forestry and industrial engines and equipment, and KTM-Sportmotorcycle AG, a global company that designs and manufactures racing motorcycles, are two PTC customers using AR to this effect.
At KTM, for example, one of the challenges the company encounters in new growth markets is the lack of technical experience needed to service the bikes. “This can make it difficult to make repairs correctly and it can be difficult to make those repairs on time,” Jens Tuma, head of customer service at KTM, said during the webcast.
KTM is using AR as an interactive resource to guide new technicians when making repairs. Using a tablet, the technician can run a diagnostic test on KTM’s smart bikes, isolate the problem and then follow step-by-step visual instructions, overlaid on the bike itself, that show how to make the repair.
“Augmented reality will help us deliver more consistent service around the globe,” Tuma said.
PTC’s IoT and AR play has been years in the making. In 2014, PTC acquired Axeda and ThingWorx, companies that specialize in building Internet of Things applications. In 2015, PTC acquired Vuforia, an AR platform for developers, and ColdLight, a predictive analytics platform.
PTC’s acquisitions total up to more than $700 million, which is a sizable investment to equip the company with connectivity, cloud and analytics technology. “PTC needed to transform our technology portfolio to align with the transformation happening in products today,” Heppelmann said.
Terry Kline is a proponent of innovation contests because he’s seen how they can change the work dynamic. “What’s made me do it everywhere I’ve ever worked is that I’ve had employees who say, ‘Hey, I’ve got this great idea, but no one will listen to me,’” Kline, senior vice president and CIO at Navistar International Co. in Lisle, Ill., said in an interview with SearchCIO. So Kline creates opportunities for employees to pursue those great ideas right in the workplace.
Innovation contests or hackathons are a way to crowdsource ideas for new products or new ways of doing things. In the last few years, as the engineering talent wars rage on and as new competitors continue to emerge from unexpected places, innovation contests have become popular in the enterprise and beyond. Kline has used the technique for years, even before taking up his IT post at Navistar, a manufacturer of industrial vehicles and engines, in 2013.
Kline hosts innovation contests at least once a quarter, but he doesn’t do so on a set schedule. Instead, he uses innovation contests as a leadership tool when he either needs to find the most efficient way to execute on an idea or he’s interested in teasing out new ideas. One critical component? He doesn’t limit innovation contests to the IT department.
Instead, with the backing of the CEO to whom he reports, he encourages cross-functional teams to work together whenever possible. “IT by itself is back office, under the covers,” he said. “So if you don’t have a business problem or a solution, [the results are] not as attractive.”
Top ideas are awarded prizes. (Kline has been known to gift his spot in the executive parking area for a month. “I give things away that you can’t buy,” he said.) And the very best ideas are implemented. Over-the-air re-programming, a feature in some Navistar engines that will enable drivers and fleet owners to update engine control modules over a Wi-Fi connection rather than having to return to a service bay, came out of an innovation contest. “It started off as a 1.5-page idea that was then turned into a prototype,” Kline said. “Now it’s a real project, funded, and everyone in the company knows about it.”
Innovation contests are just another process
Innovation contests have the potential to yield great results, but to get there, CIOs should think about them in a basic way: At the core, innovation contests are just another process, according to Tim Kastelle, a teacher of innovation management at the University of Queensland Business School.
In a column he penned for the Harvard Business Review, he wrote that idea generation is the easy part. It’s all of the steps required to turn an idea into practice that’s hard. Ideas have to be sorted, employees have to be given a chance to execute on the selected ideas, cheerleaders have to keep the organization enthusiastic about the idea, and marketers are needed to “get your great new idea to spread,” he wrote.
Kastelle provided readers with a couple of tips on how to build a successful innovation practice: First, evaluate the organization’s innovation strengths and weaknesses; second, invest in improving those weaknesses, he said. “It will likely involve making genuine changes in the way things are managed,” he wrote. After six months to a year, Kastelle recommends repeating the evaluation process.
Selecting the right big data use case is on every expert’s list of big data best practices. Another? Getting the right stakeholders involved.
Before CIOs can take a big data pilot into production, they’ll need to figure out who to get involved and when. Those two questions may be tough to answer, especially for CIOs at companies that have a siloed approach to the work they do, according to Micheline Casey, former chief data officer at the Federal Reserve who is now an advisory board member for the big data analytics company ClearStory Data.
Big data projects often end up requiring input from across business functions. Getting stakeholders involved early means CIOs could tap into that input and lean on them to generate support for the larger project. But knowing when to bring people in can be tricky.
Too many cooks in the kitchen can be a big data pilot killer, and so some CIOs may decide to hold off involving the chief privacy, risk or security officer or legal counsel in an effort to give their teams room to experiment. At other organizations, doing so could ultimately backfire. “You could have a really successful pilot or a first attempt at a big data project, and then realize you totally forgot to do something vis-a-vis your security or privacy policies, and you have to go back and start from the beginning,” Casey said.
That’s especially true for highly regulated industries such as pharma, health care or insurance where a privacy, risk or security officer can ensure strict data governance policies are being met — even for a pilot project, Casey said. And she speaks from experience. When working for a health care company (“who will remain nameless,” she said), one of its first big data pilot efforts focused on customer engagement.
It was the early days of big data when businesses weren’t as scrupulous about anonymizing personally identifiable information (PII) as they are today. Casey and the team (composed of business intelligence and technology employees) kicked the pilot project up to the next senior level to vet, and that person rang the anonymization alarm bell.
“We realized we needed to have a privacy officer involved and things had to be tweaked,” she said. The discovery didn’t eat up too much time, setting Casey and the team back only about a month. Nor did it put the company at risk because the flaw was caught at an early stage. “Making sure you have a wide array of stakeholders at the table from the very beginning is really important to the long-term sustainability for these projects,” she said.
Involving a privacy, security or risk officer or legal counsel isn’t a de facto step. For a big data pilot that doesn’t utilize PII, “these folks aren’t needed,” she said.
Shawn Banerji cringes when he hears someone called a “rock star CIO.”
“I can’t stand the term,” he said during a recent phone call from his offices in New York City. “The CIO job or equivalent is bigger than any one person, and it’s been going that way for a long time,” he said.
Banerji is the managing director of the technology officers practice at Russell Reynolds Associates, the executive search firm. We touch base a couple times a year to trade information on technology trends. He tells me what companies are looking for in IT executive talent.
Look behind the curtain at companies with dynamic CIOs, Banerji said — a Dana Deasy at JP Morgan Chase, formerly CIO at BP; or Eash Sundaram at Jet Blue. “What you’ll see is a team of people who work together exceptionally well, who understand their roles and goals, and have a terrific leader who’s able to ensure that people are in the right place and properly empowered — that’s how you get the best results.”
Moreover, talk to so-called rock star CIOs, he said, and most will tell you their success is not about them but about surrounding themselves with excellent people.
“Do you think Tom Brady would be half the success he is if he did not have an organization behind him — coaching staff, receivers, linemen, all those people?” Banerji said, with a nod to SearchCIO’s Boston base.
“This is a guy who succeeds no matter what the changing parts are, because they have a great system in place in Foxboro.” If something happens, the organization is able to reach down to the next level on its bench and bring up another capable person. So too, with IT organizations.
(His sports analogy, made a couple weeks before the fateful matchup at Mile High, indeed shows that a rock star is still just one member of a team.)
Corporate values vs. corporate culture
Besides a deep bench, great CIOs often have another thing going for them, Banerji said: They work for companies that live by a set of core corporate values.
Not culture, mind you — values.
“Culture is tribal. Culture is esprit de corps, the tenure of your daily interactions,” Banerji said. The same company can have many subcultures. Marketing has its culture, IT another, the New York office has a different culture from the Boston office. And that’s perfectly OK, he said.
But cultural independence shouldn’t be mistaken for core corporate values.
“Values transcend function, they transcend geographies and time zones and business lines. They are the irrefutable tenets companies put forward to define who they are,” he said. It could be the corporate philosophy revolves around integrity, or creativity, or putting the client first. “But whatever the corporate values, it doesn’t matter whether you’re in the Mumbai office in finance or in the New York office in marketing, they are the things you all have to embrace.”
At Russell Reynolds, people call it living the Lucite, he said, because the values that founder Russ Reynolds infused in the firm often show up behind plastic on a lot of people’s desks and in conference rooms. “Russ believed that if you don’t have a core set of values, you can never create a company. He was a little old school that way, but on to something, I think,” Banerji said.