During World War II, when it was discovered that U.S. soldiers were being targeted by the enemy through unconventional means — alcohol, prostitutes — to give up critical information, the military launched an all-out security campaign. “Loose lips sink ships” was one of the campaign’s slogans. There were scores of other materials advising the troops to keep mum, including a document handed to every soldier entering the battle area that listed 10 things never to write home about. The idea, said Jeff Schmidt, was to make soldiers aware of the gravity of the threat and remind them that they — the rank and file — were critical partners in American security.
“We have a lot to learn there,” said Schmidt, founder and CEO at security consulting firm JAS Global Advisors LLC. “Employees need to be trained to feel like they have a stake in maintaining the security of their organizations. They can’t act like they are protected by what can seem like a gigantic security apparatus.”
Schmidt was talking to me about what security experts saw in 2011 that was new or different, and about the threats most likely to plague CIOs this year. He works with a lot of government agencies and Fortune 100 companies in risk-prone industries like defense and energy. While intentional insider threats are “as old as the hills,” in his view it’s the unintentional security threats — those regular old phishing attacks coupled with human error — that pose the clear and present danger. Attacks like the single email attachment, for example, that was crafted to trick the HR department at RSA — a security firm! — and that in a flash compromised millions of the world’s most trusted identification tokens.
His message to CIOs: Educate, educate, educate employees, and make them part of the security team — or ships will sink.
Of course, there’s a problem there with that team mentality, as anyone knows who is witness to, say, the current state of politics or to the economic pain heaped on many Americans in recent years or — and here we’re going out on a limb — who has embraced social networking heart and soul. For employees threatened by layoffs, what motive is there to pitch in to prevent the ship from sinking if their part of the ship has already sunk? (In fact, companies have seen insider theft rise, said Schmidt, even among longtime, trusted employees. “Desperation is a powerful driver,” he notes.) Then there is the generation reared on free digital file-sharing, free encyclopedias and the habit of sharing — with everybody. How can CIOs drive home the notion that company data is precious when information has been so devalued and a company’s insiders feel like outsiders?
Coincidence? Or a truly topically in-tune editor? I’ll go with the latter. On the same day I was assigned a story on the place of cloud-based business intelligence (BI) in the enterprise, Gartner Inc. released a telling study on the subject — and I learned that cloud consulting firm ThinkStrategies Inc. has a conference specifically dedicated to Software as a Service (SaaS) BI coming up in April. Cloud-based BI was literally the hot IT topic du jour.
It certainly makes sense. Back in the waning days of 2011, CIO Executive Board Executive Director Shvetank Shah told us that BI projects were going to be where IT leaders focused their time, attention and money in 2012. In fact, he noted that this is what we’ll be looking at for the next two or three years. The focus on BI is part of a “megatrend” of projects shifting away from big ERP to big information.
A brief about Gartner’s study suggests this shift seems to be playing out right now. But what role will the cloud play? According to the consultancy, nearly one-third of 1,364 IT manager and business users surveyed in Q4 2011 already use or plan to use cloud-based BI tools to augment their BI functions within the next 12 months. A total of 17% said they have replaced or plan to replace parts of their core BI functions with a SaaS offering. What’s behind this? The key drivers Gartner cites are time to value, cost concerns and lack of available expertise.
So, as for the aforementioned assignment: I’ll be digging a little deeper, talking to folks who’ve already taken their BI to the cloud and if or when experts suggest you should too. One user of cloud-based business intelligence tools I spoke with today can’t imagine his company without them. Very pleased with what he and his end users are able to accomplish, he hooked me into an impromptu online demonstration. It certainly looks to be an exceptional tool for this food distribution company that does $3.5 billion in sales. But is cloud based BI right — and ready — to take the enterprise by storm? I’ll bring you some answers on SearchCIO.com next week.
It’s a given that the days of worrying about only what is within your four walls are long gone. Outsourcing took care of that a long time ago. The reach of the CIO domain is going beyond even that relationship, however, and into the “extended enterprise,” as some are calling it.
External customers, internal employees and partners are dragging data further and further away from the confines of a given data center or desktop PC and into the realm of mobile apps, social forums and the cloud. In a tip running on SearchCIO.com this week on securing the extended enterprise, Forrester Research Inc. security expert Chenxi Wang explains the extended enterprise as follows:
“Today’s businesses must constantly create new products and services, expand their geographic presence, streamline operations, and deliver topnotch customer services. To do this, your business will increasingly use third-party and cloud services to reduce cost and increase speed to market. Your business will unleash the creativity of your employees and customers with mobile, social and rich media technologies. More and more, devices — meaning cameras, cars, home electronics and even musical instruments — come equipped with microprocessors and will become conduits for businesses to deliver services and engage customers. To stay relevant, your enterprise must extend itself continuously to include new peripherals and meet new business scenarios. Forrester Research defines this vision of business as the extended enterprise, one for which a business function is rarely, if ever, a self-contained workflow within the infrastructure confines of the company.”
The term “extended enterprise” nicely ties together many of the topics we’ve writing about for the past year, the most prominent one being the consumerization of IT or, as our Senior News Writer Linda Tucci likes to call it, the “democratization of IT.” Regardless of what it is called, it is yet another opportunity (some might call it a can of worms) that CIOs are in charge of securing and navigating for the business.
Should IT organizations hire consumer advocates? The idea came up at our company’s annual editorial meeting during a panel discussion involving our own CIO, his senior director of IT operations and the chief information security officer (CISO) of the largest protected health information data warehouse in the U.S.
The panel’s topic, “A day in the life of an IT pro,” was intended to give reporters fresh insights into how IT pros spend their days, and it didn’t disappoint, covering many of the issues we at SearchCIO.com strive to understand better from the CIO’s point of view. Topics ranged from how technology investment decisions get made (methodically) to managing vendors (oy!), to which of the many buzzwords tech reporters bandy about are actually things IT pros need to pay attention to (“consumerization of IT“).
(A few tidbits before I get to the takeaway here: Telco vendors should be ashamed of the way they treat their IT customers. It’s a good idea to Google the phrase “[insert product name] sucks” before pulling the trigger on a technology purchase. EBay is attacked an average 100,000 times per day.)
Hiring a consumer advocate who belongs to the IT organization was a suggestion that came up in answer to a question about how IT roles are changing — must change! — to keep up with business demands. Standardizing processes has helped. Methods like Scrum, and waterfall too, have taken some of the hit-or-miss quality out of software development. But the standard practice of a business analyst or a business relationship manager collecting business requirements and translating them to IT? That was insufficient, the CISO on the panel said. The inventors of smartphones and tablets and social networking sites aren’t going to business relationship managers with their ideas. They are dealing directly with consumers. IT shops need a consumer advocate among their ranks, if they hope to keep up with what business users expect from technology, he said. What do you think?
One of my favorite movies is Poltergeist, with its never-ending quotable lines. “What’s happening?” probably is the most famous; but my favorite is when actress Zelda Rubinstein, who plays the spiritualist Tangina, claims, “This house is clean.” Not so, if you follow the movie, the premise of which is, don’t build a new housing development on top of a graveyard.
In many ways this movie reminds me of an IT department (bear with me here). CIOs inherit all the decisions, good and bad, that their predecessors made. As a result, they often are being asked to “clean house” — to simplify, to automate, to gain efficiencies and to cut down on rogue technology.
Looking over this year’s CIO Innovators profiles, you’ll find that CIOs clearly have cleaned house — without the help of spiritual guides. Among them is Steven Johns, the subject of our first CIO Innovator profile in 2011. He rolled up his sleeves when he inherited an “infrastructure overhaul” on joining H.B. Fuller Co. in 2007. His plan of attack was to take back the core functions of IT from a third-party outsourcing giant, update legacy systems and move non-core functions to the cloud. This “turnaround guy” met the needs of users through the adoption of cloud solutions; those in turn reduced rogue technology. He also cleaned up some big messes that had been left behind: systems in place since the 1980s and no standard collaboration system across the global company, to name just two.
But as CIOs begin to build the next foundations in an age of cloud computing, shared IT services and the consumerization of IT, I wonder whether they are potentially adding a weak foundational layer, at least in terms of controlling rogue technology. Are they adding to the problem as they accommodate the age of people-centric computing?
Self-service provisioning, for example, often is talked about as a must-have for shared services to succeed. Self-service provisioning portals also are a tenet of cloud computing. Some CIOs believe that “self-services” — putting the power of technology choice into the hands of users — is the future of any good IT services organization. Left to their own devices, however, will users really make the right decisions?
Will rogue technology, which leads to silos of information — something CIOs are trying to undo in this Information Age — only get worse?
Sure, making it easier for users to get their hands on the technology they need is not only smart but inevitable. On the other hand, what precautions should CIOs be taking to lay a solid self-service foundation?
It’s a question as old as information technology itself: “How do I prove the value of my technology investments to the business?” What makes the question so vexing is that there’s never been an easy answer — or any answer, period. There is no one-size-fits-all solution; and if someone were to come up with one, well, it probably would become obsolete in a matter of months. And then there’s the real kicker: This question has been plaguing CIOs for years, but it’s never been more important to answer it than it is right now, in the slippery era of all things global and mobile.
So, although I wish this paragraph contained some crazy, silver-bullet solution of the big “…until now!” kind, that’s sadly not the case. What I do have is some encouragement from CIOs who believe that proving the value of technology investments can reasonably be accomplished. One CIO is being practical in his approach, the other is scoring points with the business through creative thinking. Neither is trying to reinvent the wheel; they’re just looking at what they have to work with and running with it. And perhaps most importantly, both are being proactive: They didn’t wait for the business to come to them with demands for financial answers.
I’ll delve into more details in an upcoming story for SearchCIO.com about monetizing IT, but one CIO taking the practical approach is Raul Cruz, CIO at AECOM Technology Corp., an engineering and architectural design firm with more than 45,000 employees around the world. Two years ago, he implemented a financial management framework that gets truly detailed in its tracking of costs associated with services, activities and projects. He’s applying that information to a SaaS solution that will make all those figures accessible to his team and, of course, the business.
Then there is Larry Bonfante, CIO of the United States Tennis Association. What he’s done over the last few years might be considered a kind of “creative IT recycling.” This phrase, which I just made up, isn’t meant to cheapen his efforts by any means — in fact, they have made the USTA quite a bit of money. Here’s just one example: The USTA runs the widely attended US Open. The 700,000 or so attendees gotta eat; and when they do, they can visit the food village in the center of the event campus or an outlying kiosk. Choices are nice, but until recently, the outlying kiosks could accept only cash because they were too far away from the central village to connect to the system. Enter IT with a Wi-Fi solution, and those kiosks now can take credit and debit cards — and the USTA can take in an additional $200,000 in revenue. You know the business had to, ahem, love that.
The subject of shared services led to a lively debate about the need for IT chargeback — and, to put it bluntly, the strain and pain it puts on IT and business departments.
To back up a bit: This week and next we’ll be publishing stories on SearchCIO.com that define a shared services model from the IT executive’s point of view. Be forewarned: There are many CIO points of view on this topic. Here’s one definition of shared services: a multi-tenant environment in which IT resources and skills are pooled internally. As one IT executive put it, a shared services model is more about “the service and not the server.” Gone are the days when hardware and applications were dedicated to a given business unit. Instead, they now are pooled to be used as needed for projects and changing business needs.
As resources are pooled, however, whether in a multi-tenant environment or in a traditional centralized-IT model, IT executives are rethinking how they charge for IT services that are shared instead of dedicated. Is IT chargeback based on use really necessary? If it is, how should IT go about it?
The customers of one consultant with a systems integrator are having a pretty hard time trying to answer audit questions when they’re asked what exactly they bought for a particular project, he said. In a shared services environment, where a project investment is tied to usage as opposed to the purchase of a server, the answer isn’t simple. And, he added, the organization might not even have the metering or reporting tools to break out who is using which resources and what to charge them.
David Johns, CIO at Owens Corning, said he doesn’t bother with IT chargeback at all under his shared services model, because it takes IT’s focus off the business and ultimately the end customer, and is a burden on business units. “What value is there to the end customer if you spend an enormous amount of time going through a massive exercise focused on service charges to a business [unit]?” he asked.
In our upcoming stories, we’ll be exploring the issue of IT chargeback, the benefits of the shared services model and whether self-service provisioning portals are a given for shared services success.
Some say self-service absolutely is the ultimate end game of any well-run IT services organization. But where does that leave IT?
Security investments and priorities are a tricky thing to nail down, given that threats are constantly shifting, but one security precaution could be going the way of the dodo bird.
Michael Daly, deputy CISO at Raytheon Co., tells me the buzz at shows and security groups is about getting rid of some security measures — in particular, endpoint security tools, and possibly even staff.
The reasoning, he said, is that security for endpoint devices has become automated enough that endpoints don’t necessarily require some of the tools and people of yore to run effectively.
“An organization may have been staffed up in order to go through patching. Now everyone has patching automated, so I think people are asking, ‘Do we still need this many people, or do we have enough [automated] procedures now to get things done with [fewer] people?'” Daly said. For instance, “Maybe it turns out Microsoft has gotten better with Windows 7. You still need desktop [antivirus], but all these other things — insider threat tools, automated patching tools — are taking care of things, so, what can we give up?”
Then there’s the high interest in desktop virtualization, which essentially removes the data from the endpoint. Some experts, however, argue that virtualization should not be used as a security precaution, but that’s an issue we’ll explore in another story.
What’s in a name? Sure, a rose by any other name would smell as sweet — but what about a CIO? If you referred to him or her as a services broker, what would change? On SearchCIO.com you’ll find my story on the growing trend of businesses of all sizes adopting the IT services broker model. Sometimes referred to by analysts as “hybrid IT,” this model makes IT the services facilitator in order to address the business’ desire to consume IT as a service. The story also explains how, rather than hiding from it, a services model confronts “shadow IT” — the dreaded and growing tendency among business users to take IT into their own hands. Many CIOs and analysts agree this evolution is the way of the future for IT, but one CIO I spoke with, Dan Petlon at Enterasys Networks in Andover, Mass., is rather sour on the moniker.
What is it that makes this title such a thorny issue for Petlon? After all, by his own account, he embraces much of the ideology behind the services broker model. He estimates he spends about a third of his time talking with leaders in the business about what they’re working on and how technology can help them move forward — enough to exorcise the specter of shadow IT. And he’s a self-professed “huge cloud fan,” counting about two dozen cloud-hosted applications in use at his company. So, is the issue just a matter of semantics, then? Yes and no.
“My job is to provide appropriate technologies to meet the needs of the business, whether that’s in the cloud or in-house, but I don’t think of myself as a service broker,” Petlon said. “I’m still a value-added function in the business; I’m not someone who arranges for someone else to provide a service.”
And therein lies much of his concern — CIOs and IT leaders devolving into a strict interpretation of “services broker.” He’s seen it happen to IT leaders who’ve given up on keeping up, Petlon said. They become glorified outsourcers, fighting with vendors and shuffling contracts while their relevance within the company diminishes.
“Increasingly, a lot of IT groups are finding themselves in that role, managing contracts, executing [service-level agreements] — and other than that, they’re not improving the business process,” he said. “It’s kind of like admitting defeat, saying ‘we’ll take that contract management vendor relationship role instead of being an active part of the business and trying to help the business compete on a higher plane. I think it’s the wrong path.”
If the title “CIO” becomes synonymous with “services broker,” will your role smell as sweet? Certainly there are benefits to the services broker model. But you should be aware of whether you define the label or it defines you.
With technology boosters like these, who needs Scrooge? That’s what many IT folks must be thinking when they take a gander at the sponsors of a bill before the U.S. Senate to limit overtime pay for computer workers. You can read about the details of the bill in a piece I wrote for SearchCIO-Midmarket.com this week. Suffice it to say, the Computer Professionals Update Act basically states that employers are no longer legally obliged to pay overtime to anybody in the computer field making $26.73 an hour or more.
The bill, (which goes by the cutesy acronym CPU), was introduced in October by Sen. Kay Hagan (D-N.C.), whose district includes the Research Triangle hotbed of high-tech companies. Sen. Michael Bennet, a Democrat whose Colorado district is home to clean energy, aerospace and medical device companies, is a co-sponsor, as are three Republicans: Sen. Michael Enzi of Wyoming, Sen. John Isakson of Georgia, and most recently, Sen. Scott Brown of Massachusetts, where high-tech is a mainstay of the state economy.
A litany of letters opposing the bill decry it as yet one more example of politicians putting corporate interests ahead of individual workers. Most are from people whose livelihoods will be directly affected.
But management, too, is shaking its head. CIOs I reached in my home state of Massachusetts who were willing to venture an opinion wondered about the intent of the bill — and possibly its unconsidered ramifications. John Lauderbach, CIO at Roche Bros. Supermarkets Inc., said he could see how curtailing overtime pay might even raise base pay, as a means of maintaining compensation levels for employed staff who earn a portion of their income from overtime.
Ed Bell, interim CIO for the commonwealth of Massachusetts’ Senate and House of Representatives, said he was disturbed by the “cookie cutter” approach the bill takes to compensation in an industry where the work and skills to do the jobs are anything but cut-and-dried.
“I’m under the belief that there are a lot of factors that need to be taken into account when defining whether a position is exempt or nonexempt: factors such as whether the work is in Wyoming or New York City; whether the position requires 35 or 70 hours per week; whether the position requires an MS from MIT (but [the applicant is] new to the market) or a high school diploma; or whether the position supports applications via an on-call schedule for endless hours per week or it’s just confined to the 9-5 time frame,” Bell said in an email.