Security investments and priorities are a tricky thing to nail down, given that threats are constantly shifting, but one security precaution could be going the way of the dodo bird.
Michael Daly, deputy CISO at Raytheon Co., tells me the buzz at shows and security groups is about getting rid of some security measures — in particular, endpoint security tools, and possibly even staff.
The reasoning, he said, is that security for endpoint devices has become automated enough that endpoints don’t necessarily require some of the tools and people of yore to run effectively.
“An organization may have been staffed up in order to go through patching. Now everyone has patching automated, so I think people are asking, ‘Do we still need this many people, or do we have enough [automated] procedures now to get things done with [fewer] people?'” Daly said. For instance, “Maybe it turns out Microsoft has gotten better with Windows 7. You still need desktop [antivirus], but all these other things — insider threat tools, automated patching tools — are taking care of things, so, what can we give up?”
Then there’s the high interest in desktop virtualization, which essentially removes the data from the endpoint. Some experts, however, argue that virtualization should not be used as a security precaution, but that’s an issue we’ll explore in another story.
What’s in a name? Sure, a rose by any other name would smell as sweet — but what about a CIO? If you referred to him or her as a services broker, what would change? On SearchCIO.com you’ll find my story on the growing trend of businesses of all sizes adopting the IT services broker model. Sometimes referred to by analysts as “hybrid IT,” this model makes IT the services facilitator in order to address the business’ desire to consume IT as a service. The story also explains how, rather than hiding from it, a services model confronts “shadow IT” — the dreaded and growing tendency among business users to take IT into their own hands. Many CIOs and analysts agree this evolution is the way of the future for IT, but one CIO I spoke with, Dan Petlon at Enterasys Networks in Andover, Mass., is rather sour on the moniker.
What is it that makes this title such a thorny issue for Petlon? After all, by his own account, he embraces much of the ideology behind the services broker model. He estimates he spends about a third of his time talking with leaders in the business about what they’re working on and how technology can help them move forward — enough to exorcise the specter of shadow IT. And he’s a self-professed “huge cloud fan,” counting about two dozen cloud-hosted applications in use at his company. So, is the issue just a matter of semantics, then? Yes and no.
“My job is to provide appropriate technologies to meet the needs of the business, whether that’s in the cloud or in-house, but I don’t think of myself as a service broker,” Petlon said. “I’m still a value-added function in the business; I’m not someone who arranges for someone else to provide a service.”
And therein lies much of his concern — CIOs and IT leaders devolving into a strict interpretation of “services broker.” He’s seen it happen to IT leaders who’ve given up on keeping up, Petlon said. They become glorified outsourcers, fighting with vendors and shuffling contracts while their relevance within the company diminishes.
“Increasingly, a lot of IT groups are finding themselves in that role, managing contracts, executing [service-level agreements] — and other than that, they’re not improving the business process,” he said. “It’s kind of like admitting defeat, saying ‘we’ll take that contract management vendor relationship role instead of being an active part of the business and trying to help the business compete on a higher plane. I think it’s the wrong path.”
If the title “CIO” becomes synonymous with “services broker,” will your role smell as sweet? Certainly there are benefits to the services broker model. But you should be aware of whether you define the label or it defines you.
With technology boosters like these, who needs Scrooge? That’s what many IT folks must be thinking when they take a gander at the sponsors of a bill before the U.S. Senate to limit overtime pay for computer workers. You can read about the details of the bill in a piece I wrote for SearchCIO-Midmarket.com this week. Suffice it to say, the Computer Professionals Update Act basically states that employers are no longer legally obliged to pay overtime to anybody in the computer field making $26.73 an hour or more.
The bill, (which goes by the cutesy acronym CPU), was introduced in October by Sen. Kay Hagan (D-N.C.), whose district includes the Research Triangle hotbed of high-tech companies. Sen. Michael Bennet, a Democrat whose Colorado district is home to clean energy, aerospace and medical device companies, is a co-sponsor, as are three Republicans: Sen. Michael Enzi of Wyoming, Sen. John Isakson of Georgia, and most recently, Sen. Scott Brown of Massachusetts, where high-tech is a mainstay of the state economy.
A litany of letters opposing the bill decry it as yet one more example of politicians putting corporate interests ahead of individual workers. Most are from people whose livelihoods will be directly affected.
But management, too, is shaking its head. CIOs I reached in my home state of Massachusetts who were willing to venture an opinion wondered about the intent of the bill — and possibly its unconsidered ramifications. John Lauderbach, CIO at Roche Bros. Supermarkets Inc., said he could see how curtailing overtime pay might even raise base pay, as a means of maintaining compensation levels for employed staff who earn a portion of their income from overtime.
Ed Bell, interim CIO for the commonwealth of Massachusetts’ Senate and House of Representatives, said he was disturbed by the “cookie cutter” approach the bill takes to compensation in an industry where the work and skills to do the jobs are anything but cut-and-dried.
“I’m under the belief that there are a lot of factors that need to be taken into account when defining whether a position is exempt or nonexempt: factors such as whether the work is in Wyoming or New York City; whether the position requires 35 or 70 hours per week; whether the position requires an MS from MIT (but [the applicant is] new to the market) or a high school diploma; or whether the position supports applications via an on-call schedule for endless hours per week or it’s just confined to the 9-5 time frame,” Bell said in an email.
Just as surely as you’ll hear that Mariah Carey Christmas song 900 more times between now and Sunday, you’re sure to keep running into 2012 prognostications on your daily travels around our family of sites between now and mid-January. Because it’s such a cheery time of year, I like to think of these as little gifts to our readers. I hope you don’t mind if I add one to the pile.
What I have to offer is not so much a guess at a trend as a sure thing. How do I know this? Because it’s already happening. I’ve been talking to analysts and CIOs about the idea of the IT organization as a services broker. IT as a services broker is a trend my colleagues have written about previously, and it doesn’t appear to be going anywhere but forward. From small and medium-sized businesses to large enterprises, IT organizations more and more are responding to the one-two punch of the consumerization of IT and an unstable economy by getting lean and decidedly less “mean.”
To keep up with the demand for flexibility from the business and to keep costs in check, IT leaders are positioning their organizations and themselves as facilitators of technology services rather than as the managers and mainframe-minders of yore. To remain relevant and keep tech missteps by the business at bay, IT is retaking the cloud reins from customers and stepping in to take over a myriad of cloud vendor relationships.
It’s not an overnight change. It requires a lot of planning, of course, and a lot of talking with the business to get to know customers’ needs and soften the Grinch-like reputation of the “Department of No.” The biggest benefits (sure to make eyes light up and hearts grow three sizes in the C-suite) are the financial ones. Done right, Chief Technology Officer Abdullah Haydar said, the financial benefits are huge. Think no more periodic hardware refreshes, leaner staff, less downtime for maintenance. In fact, a focus on finance is really the key here, he said.
The most important thing to do when setting down this services path, Haydar said, is to evaluate the ROI and present a business case. And for goodness sake, don’t rush it.
“Any CIO can tell you a huge number of projects fail because people rush in,” Haydar said. “If you migrate haphazardly, you risk having colossal failures, you risk having your systems fail. You have to have proper planning and proper management … there is nothing about this [strategy] that says the same lessons don’t apply. You need proper planning and a business case. You have to prove it’s worthwhile and have a plan of execution.”
I hope you’ll check out the full story after the holidays and share your thoughts on the whole concept of IT as a services broker. And when you do, feel free to “regift” it on the social media platform of your choice — I won’t be offended at all!
I check in with headhunters this time of year to get the lowdown on hiring — and more important, on what companies are looking for in their CIOs. What’s considered executive material these days? This year, I asked that question literally because — call me superficial — I’ve noticed lately that CIOs are — how do I say this? — a lot hotter than when I first starting covering IT seven years ago.
I’m not talking about CIOs moving away from being the bespectacled IT guy in white socks, short sleeves and pocket protector. That stereotype was stale even when I started writing about IT. CIOs are dressing for success: sharp suits on both sexes, high heels for the women; an iPad nearby.
What I heard back from headhunter Shawn Banerji helped explain what’s going on. And it involves more than a well-cut suit and the latest gadget. Banerji, who’s at New York recruiting firm Russell Reynolds, described for me a new breed of CIO executives: Ramon Baez, for example, who was recruited to head IT at Kimberly-Clark. The maker of Kleenex was in the midst of a huge transformation, and its expectations of IT were huge too. Once Baez agreed to take the job, he hired a personal trainer, dropped 20-something pounds and got himself into fighting trim.
“He told me that if he hadn’t gotten himself in shape, physically and mentally, he would have broken down; and irrespective of how capable an IT leader he was, he could not have been effective in the role,” Banerji said.
That’s the executive material required for the CIO job, Banerji said. “You’ve got to have a really strong constitution, mentally and physically. I liken it to professional athletes.”
And athletes not only good for the short sprints, he added. The journey of business transformation that many companies are on is so accretive that they can’t afford to lose their best executives. Corporations, need to create “a culture of performance for their top executives that is sustainable,” Banerji said. That’s hard.
“People say, ‘It’s a marathon not a sprint,’ but do you see how fast those people run in a marathon? Companies cannot afford to have CIOs working for a year or two and then getting burnt out completely,” he said.
CIO executive needs passion — and not just for enterprise architecture
According to Banerji, part of the new CIO persona comes from the fact that CIOs these days often have some major passion outside of work, and they really work at it. “These are people who are able to carve out specific blocks of time to do things that are meaningful to them outside the context of work,” he said.
One of the high-powered CIOs he knows races cars. Another races motorcycles. I wondered if he has come across any CIOs who write poetry or raise orchids. He hadn’t, but doesn’t doubt they’re out there. “The reality is, it’s not what you do but that you do something and that you carve out the time to do these things,” he said. Apparently the ability to turn off work and take a breather is an absolute must if one wishes to sustain the level of performance a company expects.
Some of these CIOs are flying a million miles a year. They’re responsible for operations around the globe. And forget about those long, alcohol-fueled dinners with your favorite vendor rep. “What happens if something goes down in Asia and they want you on the phone? Are you going to tell the CEO or CFO or the board of directors, ‘Sorry, I was half a bottle of Pinot Noir in.’? Doesn’t work that way,” Banerji said.
The new CIOs: more Marine than Mad Men and Mad Women! More polymath than Poindexter!
What do a Gartner analyst, a Forrester analyst, the CIO of a group of community colleges, and mobile device management (MDM) vendors have in common? (No, this isn’t the setup for a bad joke.) Answer: All four point to the use of application portals to solve a myriad of problems related to the proliferation of mobile devices in the enterprise.
To retain control of the applications being used on mobile devices, CIOs are building portals for internal enterprise applications. These portals contain a list of tested and approved applications that can be used on many devices — and here’s the punch line — with the blessing of IT.
Christian Kane, a Forrester Research Inc. analyst brought this topic up while we were talking about mobile device management. It seems that many MDM vendors and enterprise-portal players have noticed the need for an internal app store, and have developed customizable templates that an organization can use to populate a store with apps and set policies for their use.
Jack Santos, an analyst at Gartner Inc., predicted that enterprises would start to build their own application portals — akin to those you find in Apple’s App Store — in his talk about the changing role of IT during the Gartner Catalyst Conference in San Diego in 2011.
Dustin Fennell, CIO at Scottsdale Community College in Arizona, decided to use desktop virtualization to give 13,000 students and 1,000 employees any-device, anytime access to data and applications. A big part of his strategy hinged on the building of an application portal. IT populated the portal with preapproved applications, but students and faculty can request the addition of new ones. These apps in turn are tested by the requestor before they are put into the application portal for general college community use.
Some might call this an evolution of the corporate intranet, but I think it’s more than that: It’s another way that IT is fulfilling the needs — particularly the mobile desires — of employees in a corporate culture driven by consumerization — while subtly making sure that security and other policies remain intact.
The global economy is in danger of collapsing under a mountain of debt — and guess what? So is the software that runs your company, according to a study this week from CAST, a software analysis and measurement company. The report shows that enterprise software is loaded with technical debt. That’s the term for the cost of fixing all the quality defects that remain in an application’s code after it’s released. Make that all the deliberate shortcuts and shoddy work. Technical debt is calculated only on violations that the organization intends to remediate.
Based on an analysis of 745 applications submitted by 160 organizations in 10 industry segments and representing 365 million lines of code, CAST calculates it costs businesses millions of dollars to fix technical debt — and companies are not budgeting for it.
“The findings revealed an average technical debt of $3.61 per line of code,” said Bill Curtis, CAST’s chief scientist and senior vice president of CAST Research Labs.
That debt adds up: Nearly 15% of the applications examined by CAST had more than a million lines of code. Just like the kind of debt that weighs on many of us 99%-ers, technical debt incurs interest as the violations go unfixed, so it just gets bigger and bigger over time. Research house Gartner predicts global technical debt will reach $1 trillion by 2015.
Notable findings in the CAST report:
- Java apps, accounting for about 45% of the study sample, scored lower on performance and carried more technical debt than apps using other languages — $5 per line of code compared with the average $3.61.
- COBOL apps (yes, these monsters are still around) scored highest in security. They deteriorate in quality as they get bigger, however, unlike their less secure but more modular, newer relatives, Java EE and .NET. (.NET apps scored lowest on security.)
- Structural defects were equally prevalent in outsourced apps and those developed in-house. This finding might be skewed, however, by the fact that most outsourced apps were developed in-house originally before being farmed out for maintenance, Curtis said.
“Even though we have known for two decades that things like cross-site scripting, SQL injection and buffer overflows are huge opportunities for hackers to break in, we still see those things in the code; and that is a huge problem,” Curtis said. “The problem is that you don’t always know which violation in the code is the one that is going to cause the outage or offer a hacker the way in.”
But you do know it’s going to cost millions to fix when it happens.
This leaves CIOs between a rock and a hard place when it comes to managing the risk of technical debt. You can’t fix everything — and you don’t want to, Curtis said. What CIOs need to identify are the most severe violations that carry the highest cost for the maintenance of the system or have the highest risk to the business — “for an outage or data corruption or a security breach or performance problem” — and then go fix those.
Opinions about the top trends for the coming year are starting to trickle into my inbox. Most of these “Outlook 2012” predictions are about the certainty of economic uncertainty.
I know, however, that soon I’ll start to get pitches from vendors and analyst firms predicting which mobile device will be the next iPad; what the next big disruptive technology will be (the cloud won that honor hands down this year, with mobile devices a close second); and the one thing that CIOs can’t ignore.
For me, that one thing is monetizing IT, a trend we picked up on last year but which I believe will be a game-changer for CIOs in 2012. Technology has become so integrated with how a business runs and serves its customers that CIOs are being asked to contribute to the bottom line.
More important, they are being asked to help others in the enterprise contribute to the bottom line. CIOs are working with chief marketing officers to promote and create new services. Technology practices such as Agile are being adopted by the rest of the business to speed up product time to market and add value to the business. And CIOs are working directly with customers (external customers, not internal end users) to gauge how the business can create a better user experience.
Cutting costs, efficiency gains, business process automation — those all are givens. What CEOs want to hear about is technology that will capitalize on the enterprise’s information assets. They want CIOs to rein in big data to deliver new insights and make money.
We’ll also be looking at how some of the biggest stories of 2011 — consumerization of IT, mobile, social media, big data, shared services and the cloud — will continue to shake things up for CIOs in the coming years.
One more big story for 2012? IT staffing: Finding talent is proving to be pretty difficult, in part because the skill sets in demand are in constant flux, and in part because internal talent development isn’t enough of a focus within IT organizations. As one CIO said to me at a show: “What do I do with the ‘old people’ running the systems we have when we bring in all these new systems?”
Good question. What are your predictions for 2012?
Let us know what you think about this blog post; email: Christina Torode, News Director
Something I heard about IT services organizations has been rattling around in my brain this week.
I was interviewing a CIO-turned-analyst for a story about the value of giving IT employees “line of sight” to strategic business objectives. The question was whether it was important that individual employees understand the connection between what they do on a daily basis and the business’s strategic objectives. Not just CIOs and IT management, mind you, but the guy who screws the server into the rack. Wasn’t this just another variation on IT and business alignment?
“I stopped thinking about IT alignment and started thinking about integration a long time ago,” my CIO-turned-analyst said.
Then out of the blue — or so I thought at the time — he said that what worried him was all the talk about the benefits of building an IT services organization and of running IT as a business-within-a-business. Running IT as a business was all well and good, he said, but were CIOs flirting with danger?
“The flip side is that there is a disconnect to the actual business you serve,” he said. The CIO/CEO of this “business within a business” is so consumed by the cost, the quality, the timeliness, the efficiency of IT services that he loses sight of his strategic role as a partner to the business.
Running IT as a business is something I write a lot about in one form or another. IT cost transparency — the ability of CIOs to know not only how much they’re spending but also why — is a goal of a lot of the CIOs I consult. Building a services organization helps sort out how the business consumes IT resources. My colleague Christina Torode has identified the transformation of IT into a services business — to an enterprise within an enterprise — as a major trend.
Still, my expert on the phone had a good point about IT services. Was this a route back down to the basement? To the CIO as the guy who runs IT? Or are we just confused about how an IT services organization runs? What are your thoughts?
For a few years now, stories, studies and surveys have been heralding the arrival of the next-generation workforce. Lately, though, the commentary is beginning to sound like trailers for 1960s horror flicks:
They’re here! They’re invading your cubicles and boardrooms! Their numbers are growing! They’re the Millennial generation, and they’re going to ruin you with their insatiable hunger for — using their personal mobile device for work! IT departments everywhere will be powerless!
Not so fast. As with any spooky tale, there is a way to stop the bogeyman. In this case, the silver bullet is a strong, updated bring your own device (BYOD) policy.
The thing is (as some IT leaders and analysts will tell you) when it comes to BYOD, these new-generation workers are really no different from their fellow employees and, indeed, employers. To paint their presence as a cause for concern makes them sound like impudent children. Are they any different from your CEO who insists on using her new iPad, or from the head of marketing who’s more comfortable with his ‘Droid than the company-issued BlackBerry?
It’s not a generational thing, it’s a societal thing. It’s the consumerization of IT — and that’s not about to change, so policies will have to: Maribel Lopez, principal analyst at San Francisco-based Lopez Research, has been sounding this particular alarm for more than a year.
“It started with senior management bringing in their own devices; now people are starting to realize it’s a big phenomenon,” Lopez said. “The new workforce is very accustomed to being tooled in their own environment; and what’s happened is, if you haven’t changed your policies, you could be losing out on a certain type of talent. … IT managers are saying, ‘We have to find a way to deal with this.'”
Those IT managers include Josh MacNeil, assistant director of technology services at the Whitman Hanson Regional School District in Massachusetts. He is very much in favor of letting people work in ways that allow them to be most productive. For the past 10 years, his district has allowed teachers 24/7 remote access. But dealing with devices will be a true challenge, he admits. He is creating a BYOD policy, gathering information from other school districts. The information exchange on the topic of BYOD has picked up pace noticeably in just the past couple of months, he said.
For organizations ready to take on the challenge of creating a policy, or working on updating their BYOD policy, Lopez Research suggests addressing 10 (seemingly) simple questions:
- Who is eligible? What type of employees can access the company’s network?
- What data and services can be accessed?
- How will applications and services be delivered?
- What does the company pay for?
- Which operating systems and devices, and how many platforms will IT support?
- How is the device secured?
- How is the device managed? Will it be maintained over the air or through syncing with a desktop or Web application?
- What support is provided?
- What are the privacy issues?
- What are the legal concerns?