My thanks go out to readers who were charged up enough to write about the IT chargeback series on SearchCIO.com. Whether you do showback, partial chargeback or chargeback for a profit; charge by usage or subscription for internal or external services; or wouldn’t go near the model with a 10-foot pole, it’s clear that the issue isn’t cut and dried.
While several vendors wrote with words of thanks for illuminating a tense topic, other notable correspondents reflected on subjects as diverse as accounting principles, the philosophy of chargeback and the evolution of the IT department.
Chris Puttick, CIO of Oxford Archaeology (OA), a U.K.-based consultancy of archeologists working in Europe and Africa, questioned the perception of IT within a chargeback environment. “I’m surprised you didn’t have more people picking up on the negative side of chargebacks, i.e., you are presenting IT as a cost rather than as something of value,” he wrote. (To learn how the thriving business of archaeology influences OA’s IT strategy, watch for my profile on SearchCIO-Midmarket.com in August.)
Puttick specifically commented on chargeback by per-unit pricing, which is not as simple as it seems because it fails to acknowledge the savings present in larger deployments. “CFOs do not make accounting principles simple, they make them accurate,” he wrote.
Another letter came from a veteran of the IT chargeback debate, whose message was salient, sympathetic and solution-oriented.
“I’ve been working in the chargeback field since 1985, and your article is one of the few that relates the problems to something everyone can understand,” wrote Sandra Mischianti, director of research and development at Nicus Software Inc. in Salem, Va. “I usually use the restaurant analogy. (Set the prices for the entrees and do not attempt to measure the grains of salt. But you need to know how much salt you use each month and track what it’s costing you.) Some of our clients get it, and some definitely do not.
“I also agree that most companies are not doing a great job,” Mischianti added. “As one client recently said at our conference, ‘IT chargeback is like teen sex: Everyone is talking about it, but no one is doing it well!”
Mischianti noted that external cloud providers have created a great deal of pressure on IT departments, which are on tactical defense. “The real problem for the CIO is to demonstrate the value IT has over the cloud providers,” she wrote, listing Issues such as integration with internal change control to anticipate changes, risk management, disaster recovery, etc.
“When individual departments move their applications into an external cloud, those systems don’t normally interface very well, and you get a bunch of disparate systems, like we had in the early 1990s,” Mischianti added. “Anyone who was in IT then can attest to why that didn’t work, but it seems we are headed in that direction again.”
IT can and should set the technology direction and ensure that applications can evolve and interface with every other application the CIO might decide to implement. But it’s very hard to put a dollar amount on that — and even harder to get someone else to pay for it.
What’s your value proposition? Look for chargeback best practices next week on SearchCIO.com, and send your thoughts to firstname.lastname@example.org.
John Bottega admits he’s a bit of a clotheshorse. The guy likes a quality suit. Actually, he is a connoisseur of fine suits, their fit, their style, their durability. The sleeve on a quality suit, for example, is cut to show a glimpse of shirt cuff. Crumple the pant leg of a quality suit, and it should spring back into shape, pretty much wrinkle-free. In fact, it’s the raw materials used and the workmanship employed that define the quality of a suit, or lack thereof, Bottega explains. The best materials plus superb workmanship, combined with a disciplined manufacturing process, make for a high-class suit.
Bottega is not in the garment business. But he’s a suit CIOs might just want to pay attention to.
A keynote speaker at the MIT 2010 Information Quality Industry Symposium, Bottega is vice president and the chief data officer (CDO) for the markets group at the Federal Reserve Bank of New York. Before that, he was CDO at Citigroup, the first person in the financial services industry to hold that position, according to his bio.
His disquisition on suits was just one of several analogies he used in his talk on “Information Quality and the Financial Crisis.” Quality raw material is data captured at the source. Quality workmanship is determined by the skill set of the data stewards. A quality manufacturing process needs to follow best practices for collecting and maintaining data. A high-class data supply chain is all about getting the right information to the right people, at the right place, at the right time.
The talk was interesting — he’s a skilled speaker. Bottega also has some strong ideas about data quality, as reported in my story today on data governance programs.
But what really perked up my ears was his job description. As CDO at the New York Fed, Bottega is responsible for the bank’s data management strategy, which, again quoting the official bio, “encompasses business, governance and technology in order to establish a sustainable business data discipline and technology infrastructure.”
Whoa, Nelly. Ain’t that the CIO’s job?
“Completely different role,” Bottega said when I caught up with him after his talk. “The genesis of the chief data officer was to bring 100% focus on a content and business issue, coupled with technology. Technology has been focused for years and years and years on the pipes and the engine. Banks and businesses are realizing there is a whole business component to data.”
The data supply chain includes technology, acquisitions, procurements, compliance, legal. “If no one person were focusing on it, it would be kind of a patchwork,” Bottega said. “No one owned the whole end-to-end data supply chain.”
The thinking behind establishing a data management office is that data is a separate and standalone discipline supported by technology, Bottega said, and “can stand alone as a corporate function.”
Of course, CIOs are chief information officers, I felt compelled to point out. And as businesses move from an analog to a digital world, why are CIOs not equipped to take data management strategy on?
“If you go back to the origination of the role, the CIO or the CTO was focused on the machines. I heard someone describe it as the engine room versus being on the deck,” Bottega said. He quickly added that having a chief data management officer does not minimize the importance of technology, nor is it meant as an indictment of the CIO or CTO.
“But think about it: CIOs and CTOs have to focus on so many pieces. This is just taking a chunk of this discipline and saying that data has grown so relevant to efficient operations that, gee, we need somebody focusing 100% of their time on it.”
The old chargeback process, revived by cloud computing, could have major ramifications for IT organizations as they revamp to become centralized service providers, experts say.
Traditional chargeback models divide the IT budget for a business unit, for example, by the number of users in it. There are numerous ways to do this, from “showback,” where the business units see a bill that they don’t have to pay, to partial, full and for-profit chargeback models.
The chargeback process for cloud services is more complicated, because IT must measure consumption for workloads in a shared environment. And yet the technical challenges — such as applying metrics to IT services and billing the correct parties — pale in comparison to the cultural barriers IT organizations will face as they reorganize to remain relevant, according to Craig Symons, vice president and principal analyst at Forrester Research Inc. in Cambridge, Mass.
With outsourcing, offshoring and hosted Software as a Service, or SaaS, there are plenty of opportunities for business units to compare external service offerings to an internal IT bill. Enterprise IT departments need to be willing to contract with external providers and promote their own internal strategy, or risk “being marginalized as business units go elsewhere,” Symons said.
The first order of business for enterprise IT is to develop a reusable catalog of products and services around which metrics can be placed to charge back business units. Some IT organizations are hiring product managers to package products and services to do this. Symons suggests assigning an account manager to each business unit to go over the bills, so more intelligent discussions can be held. Other new roles will include cloud services procurement and vendor management, as IT becomes a centralized provider of technology services — or what has been termed by some as “IT as a solutions broker.”
Let me know if your IT department is undergoing a role change due to shifting to external service providers, and how you are dealing with it; Email me at email@example.com.
If your organization is talking about moving to an IT chargeback or a supply and demand model for IT, could that be its first step on the road to outsourcing?
That was an interesting sidelight raised by a story I did this week on a company that cut millions of dollars in technology spending by splitting its IT organization into a demand side and a supply side.
To back up a bit, the management experts I interviewed about this “supply demand” model agreed it can be an effective way to go. Demand-side IT works with the business on an IT roadmap and negotiates with supply-side IT on getting it done. Done right, the model recognizes that requests for IT services must come from the business, even as it imposes fiscal and strategic discipline on those requests. In turn, supply-side IT people become expert in their areas. Relieved of having to respond to a chaotic barrage of business demands, supply-side IT staff can focus on efficiency and competitive advantage — the stuff that makes internal IT departments relevant. That’s the ideal, anyway.
In practice, the model has the potential to disenfranchise the supply side of IT, a former CIO in the financial services industry told me.”I’ve been in situations where the supply side is viewed as a commodity,” said Jack Santos, who’s now a research vice president at Gartner Inc.’s Burton Group. “The thinking [from the business] was that this was the first step to outsourcing.”
Mark McDonald, Santos’ colleague at Gartner, saw it a bit differently, arguing that IT chargeback, per se, can pave the way to outsourcing IT, because the focus is strictly on price: “When I do IT chargeback, I make my pricing visible, which automatically means it will be compared to external providers,” he said. On price alone, the internal IT organization is almost guaranteed to be noncompetitive, Santos and McDonald said, especially when the IBMs and CSCs of the world typically underbid for the first couple years to get the business.
No matter, said Bruce Barnes, another former financial services CIO, who now runs a consulting practice out of Ohio. The wave of the future is that IT organizations are getting smaller not bigger, and the piece that survives is business literate, he said. Being a consultant, he naturally offered up a four-box matrix to explain. “One axis is running from simple to complex, and another from generic to highly proprietary,” he said. In the past, internal IT was in the lower left-hand quadrant — simple and generic — and the business hired consultants for the high-level stuff. The upper right-hand quadrant — complex and highly proprietary — is where internal IT people need to be. The rest can be given away if the business finds somebody good enough to take it.
A question has been nagging me since I attended Cloud Expo in New York: What metrics can IT departments use to charge back business units for cloud services? Measured service is fundamental to the National Institute of Standards and Technology definition of cloud computing, and enterprises building private clouds presumably will bill business units for their consumption of computing resources.
When I called CIOs and analysts about IT chargeback models, I didn’t expect to unearth such passionate arguments for and against chargebacks, a political hot potato at the heart of the IT-business relationship. Some say IT chargeback is not only inevitable but mandatory for achieving true efficiency; others say it sets up a charged relationship in which business units naturally second-guess IT departments’ pricing for services. With such public clouds as Amazon.com’s Elastic Compute Cloud, or EC2, a credit-card click away, an IT staff risks losing an opportunity to guide IT strategy.
In this economy, IT departments need to prove their investments support the strategic imperatives of the business. Therefore, IT chargeback metrics need to reflect the desired business outcomes, often in business terms. In a Software as a Service model, for example, the metrics wouldn’t refer to the disk and memory usage so much as to the number of customer requests responded to within a given period of time. For chargeback to be effective, both IT and business strategists need to collaborate on appropriate metrics; that can be challenging because they often don’t speak the same language. In fact, one source said the growing role of a CIO is that of a translator between IT managers and the business.
IT chargeback isn’t as simple as it sounds. My reporting blossomed into a series of stories on SearchCIO.com beginning this week that included IT chargeback metrics, the pros and cons of chargebacks, the contentious relationship between IT and the business on the subject, and important takeaways. I learned that chargeback isn’t the be-all and end-all, but just one part of an IT cost management structure.
Do you or don’t you charge back? Send me email at firstname.lastname@example.org. I want to hear all about it.
Master data management software is about to enter a rough patch, according to analyst Andrew White, agenda manager for MDM and analytics at Gartner Inc. White explained to me in an email recently what the near future for MDM adoption looks like, and it is not necessarily pretty. The large software vendors, such as SAP, Oracle and IBM, are just now incorporating MDM into their product lines. They are doing this because the “early adopter” market is beginning to transition to the “fast followers.” That means that pretty soon MDM, in White’s words, will be “crossing the chasm” to become mainstream.
But White sees a big problem: Many IT shops will assume that MDM software is mature and ready for easy adoption — “and yet it is not,” he said. Because of this disconnect between the robutsness of the MDM software and the expectations of CIO adopters, “failure rates will increase,” giving MDM a black eye. Moreover, true MDM will not occur for most users, who instead will end up with just another half-baked “data integration effort.”
“As such, MDM will get a bad rap and name in the coming year — perhaps because the big vendors have invested in it,” White wrote. Or, to put it another way, because they are selling it to you before its time.
CIOs who just must have MDM now, be forewarned, White said: you will need to do a lot of the work on your own.
This week, the U.S. Supreme Court considered a broad challenge to the Sarbanes-Oxley Act, and it chose to rule narrowly. The 5-4 opinion changed the way the members of the Public Company Accounting Oversight Board (PCAOB) can be removed from their posts. (Henceforth, the ax can fall for any reason at all, as opposed to “for cause.”) But the court did not alter the authority of this private regulatory board to oversee the U. S. accounting industry. And it steered clear of the constitutional challenge to the Sarbanes-Oxley Act raised by Free Enterprise Fund v. PCAOB. The SOX antifraud legislation that was passed in the wake of the corporate thievery at Enron and WorldCom was left intact — or as Chief Justice Roberts stated on behalf of the majority, “fully operative as a law.”
Put me in the camp of those who cheered.
And count me as one surprised by my reaction.
Sarbanes-Oxley compliance is a topic I’ve reported on practically since the day I started writing for SearchCIO.com in 2005. The stories have duly noted the soaring costs of becoming SOX compliant after the law went into effect; complaints about the notorious Section 404, which requires companies to prove the adequacy of their internal controls; the stop-and-go efforts of the U.S. Securities and Exchange Commission to make SOX compliance less excruciating for smaller companies; the contention that the Sarbanes-Oxley Act put U.S. public companies at a disadvantage on the world stage; and yes, the overzealousness of the PCAOB. In the absence of clear guidance from the PCAOB on how to comply with the law, many companies erred on the side of overkill. Critics complained that despite the SEC’s changes, the law did little to protect against fraud and had accountants laughing all the way to the bank.
Although they couldn’t have been laughing nearly as hard as the band of obscenely compensated bankers who helped propel the world into the worst economic slump in over 50 years.
But a funny thing did happen on the way to Sarbanes-Oxley compliance, at least from an IT perspective. CIOs and IT departments sweated through SOX compliance to preserve the good name of their CEOs and boards, who have to sign off on financial results as a result of the Sarbanes-Oxley Act. But many of the left-brain problem-solvers took SOX regulations as an opportunity — a starting point — for rationalizing the Hydra’s head of IT controls across the enterprise. Tommy Thompson’s journey from SOX chaos to risk-based compliance management is a good example.
Corporate greed will be always with us. Overspending on technology and resources to meet compliance requirements is still a problem. But IT — and I daresay, investors — are not less well off because of the Sarbanes-Oxley Act.
The world has gone mobile faster than most people expected it would, resulting in security nightmares for CIOs. It is not uncommon for roaming employees to use multiple devices to gain access to sensitive information, with IT left to figure out how to federate identities.
One solution to this dilemma is identity management using biometric fingerprints and in particular, cloud-based biometric services.
Companies such as BIO-key International Inc. in Wall, N.J. are offering Identity Management as a Service, enabling enterprises to offload the verification process to the cloud. Biometric fingerprints are nothing new — BIO-key made a name in 1994 with its optical and fingerprint scanners — but 60% of personal computers now come with readers for biometric fingerprints, according to BIO-key CEO Mike DePasquale.
The next frontier is phones and personal digital assistants, according to DePasquale, who says BIO-key is working with LG Corp. and AT&T to provide authentication for such devices.
The BIO-key service downloads its software to a device and sends biometric fingerprints back to the vendor’s central server, where the fingerprint is transformed into a mathematical model.
The platform was used during Common Admission Test in India — the equivalent to the Graduate Management Admission Test in the U.S. — when 200,000 exam takers came and went over a 12-day period, checking in each time with their index fingers.
Identity management using biometric fingerprints is widely used in hospitals and by enterprises as part of their building security systems. As a service, it may well be one of the most convenient forms of user authentication for an increasingly mobile society.
The Internet may be global, but cloud computing, like most politics, is local — or should be, according to experts who say a cloud location must adhere to country-based privacy and data security regulations.
Unfortunately, many organizations that have braved the public cloud don’t know where their data resides, which could set them up for cumbersome compliance problems, according to Forrester Research Inc. in Cambridge, Mass. And that’s the good news — some infractions may result in stiff fines or even jail time, say Forrester analysts James Staten and Onica King, co-authors of an Infrastructure as a Service report warning IT executives that IaaS clouds are not responsible for regulatory compliance. “These issues remain the responsibility of the customer, and ignoring them may be perilous for any multinational or non-U.S. corporation,” they wrote.
In the United States, for example, health care organizations are hamstrung by HIPAA, which prevents certain patient information from residing on servers outside the country. In Canada, a similar privacy act could prohibit companies from contracting with a cloud provider in the U.S., said Danny Terrigno, an IaaS storage expert. “Storage is a key cloud application, but in Canada, any data that is personal cannot leave the country,” he said. “So if it goes on a server in the United States, the [Canadian] government will come after you for that.”
Once again, get it in writing
Ben Schorr, a lawyer who blogs on law office technology, notes that many of his clients might be willing to try cloud computing but are very concerned about their sensitive data being located (or outsourced) to data centers in “unfriendly” countries, or countries where laws on data privacy are somewhat undefined. “Even if we conclude (as we probably should) that the fourth amendment DOES protect hosted email and other data, that still leaves open the question: ’What does the fourth amendment protect in Malaysia? Or China? Or Peru?’” he wrote. SaaS providers are going to have to provide assurances that their data is going to stay domestic if they hope to host data that is at all sensitive in nature, he said.
“There are some things companies need to watch out for,” admitted Archie Reed, distinguished technologist and chief technologist for cloud security at Hewlett-Packard Co. “There’s no liability [for cloud providers]. There’s no recourse if contracts don’t mention that the architecture may change on the back end and outsource to India, yet you’ve got something that requires your data to remain in a geographic location. Unless you’re looking at all those things and have negotiated it properly, you have no controls.”
Francesca Sales is an editorial intern working with SearchCIO.com and SearchStorage.com. She is attending Northeastern University for a dual degree in English and Linguistics.
If gurus at a recent gathering at MIT have it right, an increasing number of IT leaders are reaping benefits from applying the scientific method to IT projects. Experimentation is being used to create a culture of “creative dissent” in order to drive IT innovation. The key for CIOs is to pick a few experiments to rapidly scale and manage, then measure their failure rates — similar to what some describe as an iterative agile project practice.
Roy Rosin, vice president of innovation at software maker Intuit Inc., is a proponent of rapid experimentation. At an IT innovation panel at the recent MIT Sloan CIO Symposium, Rosin explained that unlike in years past, the essence of innovation today is to go fast.
CIOs, Rosin explained, “need to rapidly validate whether this is a good production or not, preferably before you spend all that time and money. Speed is of the essence.”
Rosin provided the example of ViewMyPaycheck as an instance of rapid creation and validation that has resulted in dividends. The payroll solution began as an idea to put secure employee data in the cloud. The self-service site lets employees check their pay stubs, adjust withholdings from their paychecks or check vacation balances. A handful of volunteer Intuit employees were given unstructured allotted time to collaborate and test the application. Within three months, the company was able to release the first version of the application.
“Overall,” Rosin said, “Intuit now has small teams rapidly validating new concepts — getting most initial releases into customer hands in a few months for meaningful learning.”
But speed cannot come at the expense of value. Experiments need to be controlled, according to Erik Brynjolfsson, the Schussel Family Professor of Management and director of the MIT Center for Digital Business and Sloan School of Management.
One of the ways this is done, he claims, is by replicating what is innovative in the business model, into enterprise software. “It’s great to have innovation, but you also need to deliver value and embed that in enterprise software, and scale it to translate innovation into value,” Brynjolfsson explained.
Rosin agrees, saying that the difference between innovation and invention is that the former captures value in new ideas. He thinks that a CIO needs to spend time with the little teams. “Are you just measuring revenue, or are you also celebrating the little things? It’s the culture of putting yourself out there and getting feedback. You measure success from the perspective of the customer and celebrate learning from fast failure,” he said. This is where creative dissent, a big culture change, factors in.
On the other side of things, many CIOs also believe that innovation can be achieved through standardization and common processes, or what Brynjolfsson refers to as the “paradox of standards.”
For example, Anne Margulies, CIO for the commonwealth of Massachusetts, used standardization to pave the way for innovation. Soon after taking the job as CIO, she embarked on a massive restructuring of 100-plus IT agencies across the commonwealth’s executive branch as part of an IT consolidation initiative issued by the governor of Massachusetts. Over a period of three months (each phase of the project is implemented in three-month chunks), she simplified the disparate agencies into a streamlined eight, an example of what she calls “restructuring complexity.” Currently, the initiative is on its last phase of implementation, with 80% consolidation completed.
Margulies believes that centralization is one of the keys to IT innovation because, unlike many other states, the commonwealth of Massachusetts is consolidating at two levels — the infrastructure at the commonwealth level, as well as at the secretariat level — in order to keep application technology close and responsive to the businesses served.
If creative dissent or agile practices are driving innovation, or reducing project complexity at your company, we’d like to hear from you. Email me at email@example.com.