Brian Lillie, CIO at data center builder Equinix, a company where security is “embedded in everything we do,” said that doling out general advice for bolstering IT security in the cloud computing era is difficult because all organizations are different. But there are guidelines they can follow to take advantage of the lower costs, faster setup and better user experience cloud systems offer — and maintain solid cyberdefense. Here are his three tips for better cloud security:
- Have a cloud-first strategy. To Lillie, cloud today means cloud-first. “If you can solve a business problem in the cloud, do it,” he said. “Because that is where all of the investment is going. It’s where most of the [vendor] innovation is happening and more and more and more, their solutions are going to be in the cloud.”
- Accept the reality of hybrid IT. Most companies won’t be 100% in the cloud, Lillie said. Some applications, for example, will have to purpose-built, and those will most likely have to stay on premises — so will highly sensitive applications and ones that are “too core to IT.” So hybrid IT — or an integrated mix of on-premises and cloud systems — should be the aim.
- Wrap it all in security. Organizations can’t stop at defending their data centers. As they look more to cloud applications, they need security policies, processes and tools to safeguard those as well. “You’ve got to make sure your data is safe in transit,” Lillie said. “You’ve got to make sure that your integration strategy between your on-premises and your cloud is not only secure but high-performing.” And no one technology does everything, he said. His team has around 25 security tools to keep Equinix’s cloud applications safe, including gatekeeper software called a cloud access security broker, federated identity management for ensuring users are who they say they are, and a Web application security scanner to detect weaknesses in applications. “I actually think that a set of tools layered is the best defense,” Lillie said.
Figuring out who to hire and what to pay for IT job skills has never been a cut-and-dried affair. Even when IT salaries are relatively stagnant, as they have been in recent years, demand for certain IT job skills — and therefore the premiums paid for those skills — can change in a matter of a mere three months, a phenomenon David Foote understands well. Foote Partners LLC advisory and research firm, founded in 1997, tracks pay for 835 IT skills every 90 days.
“The truth is that there are so many skills that employers find worthy of extra pay, and for these skills either certifications don’t exist or the ones that do are perceived as too easy to attain,” Foote said in the firm’s latest release on IT job skills pay from Oct. 1, 2015 to Jan. 1, 2016. “Besides, employers have always had their own ways to evaluate and accredit skills expertise. They are comfortable using their own methods to qualify the strength and value of skills and how they factor into their workers’ capabilities on the job.”
In rapidly changing business climates — as is the case in today’s massive shift to digital business — premium pay for IT jobs skills is particularly volatile, Foote explained in a phone call following up on the report. A good example is what has happened to compensation for big data skills over the past two years. For all the media buzz about the importance of advanced analytics in gaining a foothold in the digital marketplace, pay premiums for 58 big data-related skills and certifications declined an average 4.7% in the last nine months of 2014.
“Companies started going into big data, hiring people out of Google, out of big tech firms — and then found nothing was happening. ‘We’re putting money into this,’ they told us, ‘and we’re not getting any results,'” Foote said.
Big data pay on rebound
Doing big data is about data sharing and transparency and breaking down business silos, Foote said, something many hierarchal companies find difficult to do. Another reason for the pullback in big data pay? An institutional reluctance to embrace data-driven decision management. “These companies want to build a new business model to compete in a digital era — and then find that their culture just completely gets in the way of doing it,” he said.
But as companies have found their “sweet spots” in big data, discovering what they can and can’t do, compensation for big data skills has rallied, rising nearly 6% in market value overall in 2015 and predicted to increase over the next 12 to 24 months.
“Big data capabilities are just too critical for staying competitive. They’ve expanded in popularity from a few industries to nearly every industry and market,” he said. The growth of Internet of Things (with predicted compound annual growth rate of 30 % over the next five years) — and the pressure to turn IoT data into actionable business intelligence — will further spur pay for big data related skills, he said.
Here are some other findings on IT job skills from Foote Partners’ latest research:
DevOps gets “serious traction:” Acceptance of DevOps methodology is growing. The latest premium pay data for 2,745 employers tracked by Foote Partners shows a 7.12% gain in average market value for DevOps skills in the past six months.
Cloud skills demand strong, but pay eroding: Talent supply for cloud skills is catching up with demand, resulting in a modest 1% gain in average value in 2015 for 73 cloud-related certified and noncertified skills.
Security skills gap deepens: Market values for the 76 information security certifications tracked by Foote Partners have increased an average 9.7% over the past two years. The report states: “The bad news is that while cybercriminals and hacktivists are increasing in numbers and deepening their skill sets, the ‘good guys’ are struggling to keep pace. … CISOs will have to become more aggressive about getting the skill sets the organization needs, plus [they] will need to build sustainable recruiting practices and develop and retain existing talent to improve their organizations’ cyber resilience.”
Read more about Foote Partners’ latest findings in, “Digital business disruption roils the manufacturing sector.”
David Foote, whose research advisory firm, Foote Partners LLC, specializes in tracking compensation for IT skills, knew digital business disruption was real when he started getting calls from companies like Fender Musical Instruments Corp.
“Fender makes metal and wood products — musical instruments, amps. And they call me and say, ‘We’re putting together this digital group and we have no idea what to pay these people and how to reward them,'” Foote said. “‘Wait a minute,’ I said, ‘You’re a manufacturing company, what does this mean?'”
The storied guitar maker told Foote it wasn’t exactly sure, but it was looking for ways to grow its business. Guitar is a hard instrument to master. It had a couple of ideas for digital products that would make it easier for people to learn how to play — and help sell more guitars.
All corners of the manufacturing sector are seeking digital skills compensation data, Foote said, citing Lowe’s Companies Inc. and Honeywell International as two more examples. “Lowe’s is the store you walk into when you want to build a deck on the back of your house. We’re working with them and find out they’re doing stuff with NASA on all this crazy robotics stuff and 3D imaging,” he said. Honeywell, making a big push into the connected home market, now has “nine, very well-staffed digital innovation groups around the United States and Canada,” according to Foote.
“It’s not that people are doing digitization that’s so amazing. It’s that the companies calling us and asking for help now are hard-core manufacturing companies. They’re all getting into digital software, and things are getting serious,” he said.
GE picks up and moves to a digital hotspot
A marquee example of a hard core manufacturing company in the midst of business digital disruption is General Electric. Foote, who lives about five miles from what will soon be G.E.’s former headquarters in Fairfield, Conn., said the manufacturer’s move to Boston isn’t just about tax breaks. “They are going digital in a very big way and they want to put their headquarters closer to the action,” Foote said, referring to Boston’s thriving high-tech ecosystem. Indeed, CEO Jeffrey Immelt recently asserted that the industrial powerhouse would be a “top 10 software company” by 2020.
Digital skills held back by culture
As the manufacturing and other sectors come to terms with doing business in the digital era, the questions for companies and CIOs, as well as for Foote Partners, is what IT skills and roles are required to deal with digital business disruption, and what do companies need to pay these people to be competitive. But hiring the right people doesn’t necessarily put companies closer to digital transformation.
One example, said Foote, is the role of DevOps engineer. DevOps — the blending of tasks performed by a company’s application development and systems operations teams — has been around for a long time, but only recently has there been enough compensation data to follow the role of DevOps engineer.
Foote had long wondered why more companies hadn’t gone after a skill that would help them integrate their IT, operations and business strategy — and conceivably give them a competitive edge.
“Then I realized after talking to companies is that DevOps is really not a technical skill; it’s a whole mindset. And a lot of companies were really turned off by that, because they don’t adapt very well when they have to change. Change is tough.”
For more on which skills are hot, and which not, in digital business transformation, check out part two of this post, “IT job skills, digital mind-set in short supply.”
PTC Inc., a software company based in Needham, MA, is in the midst of a transformation. Known for its design software, PLM and service management products, PTC is placing big bets on the Internet of Things and augmented reality technology.
“The digital and physical worlds are converging,” Jim Heppelmann, president and CEO at PTC, said at last week’s live streaming Thing Event. “This convergence is transforming everything. It’s transforming how we design and manufacture things, how we operate and service them.”
But, added Heppelmann, one area that hasn’t converged just yet is how people interact with smart, connected things.
That’s a gap PTC believes will be filled by augmented reality (AR) technology. Unlike the artificial environment created by virtual reality technologies, AR layers contextual information over the real world in real time. Think Google Glass, which uses eyewear to, say, display a map view to the user with directions to a destination.
In addition to changing how consumers interact with the world around them and how companies market to those consumers, PTC believes AR technology will change how employees get work done within the enterprise. “The number of potential applications for AR in the enterprise is limitless,” Heppelmann said. His list includes everything from validating product designs to training new employees on how to use a product in the field.
PTC is using AR to help businesses fix and maintain complicated machines. Deere & Co, a manufacturer of agricultural, forestry and industrial engines and equipment, and KTM-Sportmotorcycle AG, a global company that designs and manufactures racing motorcycles, are two PTC customers using AR to this effect.
At KTM, for example, one of the challenges the company encounters in new growth markets is the lack of technical experience needed to service the bikes. “This can make it difficult to make repairs correctly and it can be difficult to make those repairs on time,” Jens Tuma, head of customer service at KTM, said during the webcast.
KTM is using AR as an interactive resource to guide new technicians when making repairs. Using a tablet, the technician can run a diagnostic test on KTM’s smart bikes, isolate the problem and then follow step-by-step visual instructions overlaid on the bike itself that shows how to make the repair.
“Augmented reality will help us deliver more consistent service around the globe,” Tuma said.
PTC’s IoT and AR play has been years in the making. In 2014, PTC acquired Axeda and ThingWorx, companies that specialize in building Internet of Things applications. In 2015, PTC acquired Vuforia, an AR platform for developers, and ColdLight, a predictive analytics platform.
PTC’s acquisitions total up to more than $700 million, which is a sizable investment to equip the company with connectivity, cloud and analytics technology. “PTC needed to transform our technology portfolio to align with the transformation happening in products today,” Heppelmann said.
Terry Kline is a proponent of innovation contests because he’s seen how they can change the work dynamic. “What’s made me do it everywhere I’ve ever worked is that I’ve had employees who say, ‘Hey, I’ve got this great idea, but no one will listen to me,'” Kline, senior vice president and CIO at Navistar International Co. in Lisle, Ill., said in an interview with SearchCIO. So Kline creates opportunities for employees to pursue those great ideas right in the workplace.
Innovation contests or hackathons are a way to crowdsource ideas for new products or new ways of doing things. In the last few years, as the engineering talent wars rage on and as new competitors continue to emerge from unexpected places, innovation contests have become popular in the enterprise and beyond. Kline has used the technique for years, even before taking up his IT post at Navistar, a manufacturer of industrial vehicles and engines, in 2013.
Kline hosts innovation contests at least once a quarter, but he doesn’t do so on a set schedule. Instead, he uses innovation contests as a leadership tool when he either needs to find the most efficient way to execute on an idea or he’s interested in teasing out new ideas. One critical component? He doesn’t limit innovation contests to the IT department.
Instead, with the backing of the CEO to whom he reports, he encourages cross-functional teams to work together whenever possible. “IT by itself is back office, under the covers,” he said. “So if you don’t have a business problem or a solution, [the results are] not as attractive,” he said.
Top ideas are awarded prizes. (Kline has been known to gift his spot in the executive parking area for a month. “I give things away that you can’t buy,” he said.) And the very best ideas are implemented. Over-the-air re-programming, a feature in some Navistar engines that will enable drivers and fleet owners to update engine control modules over a Wi-Fi connection rather than having to return to a service bay, came out of an innovation contest. “It started off as a 1.5-page idea that was then turned into a prototype,” Kline said. “Now it’s a real project, funded, and everyone in the company knows about it.”
Innovation contests are just another process
Innovation contests have the potential to yield great results, but to get there, CIOs should think about them in a basic way: At the core, innovation contests are just another process, according to Tim Kastelle, a teacher of innovation management at the University of Queensland Business School.
In a column he penned for the Harvard Business Review, he wrote that idea generation is the easy part. It’s all of the steps required to turn an idea into practice that’s hard. Ideas have to be sorted, employees have to be given a chance to execute on the selected ideas, cheerleaders have to keep the organization enthusiastic about the idea, and marketers are needed to “get your great new idea to spread,” he wrote.
Kastelle provided readers with a couple of tips on how to build a successful innovation practice: First, evaluate the organization’s innovation strengths and weaknesses; second, invest in improving those weaknesses, he said. “It will likely involve making genuine changes in the way things are managed,” he wrote. After six months to a year, Kastelle recommends repeating the evaluation process.
Selecting the right big data use case is on every expert’s list of big data best practices. Another? Getting the right stakeholders involved.
Before CIOs can take a big data pilot into production, they’ll need to figure out who to get involved and when. Those two questions may be tough to answer, especially for CIOs at companies that have a siloed approach to the work they do, according to Micheline Casey, former chief data officer at the Federal Reserve who is now an advisory board member for the big data analytics company ClearStory Data.
Big data projects often end up requiring input from across business functions. Getting stakeholders involved early means CIOs could tap into that input and lean on them to generate support for the larger project. But knowing when to bring people in can be tricky.
Too many cooks in the kitchen can be a big data pilot killer, and so some CIOs may decide to hold off involving the chief privacy, risk or security officer or legal counsel in an effort to give their teams room to experiment. At other organizations, doing so could ultimately backfire. “You could have a really successful pilot or a first attempt at a big data project, and then realize you totally forgot to do something vis-a-vis your security or privacy policies, and you have to go back and start from the beginning,” Casey said.
That’s especially true for highly regulated industries such as pharma, health care or insurance where a privacy, risk or security officer can ensure strict data governance policies are being met — even for a pilot project, Casey said. And she speaks from experience. When working for a health care company (“who will remain nameless,” she said), one of its first big data pilot efforts focused on customer engagement.
It was the early days of big data when businesses weren’t as scrupulous about anonymizing personally identifiable information (PII) as they are today. Casey and the team (composed of business intelligence and technology employees) kicked the pilot project up to the next senior level to vet, and that person rang the anonymization alarm bell.
“We realized we needed to have a privacy officer involved and things had to be tweaked,” she said. The discovery didn’t eat up too much time, setting Casey and the team back only about a month. Nor did it put the company at risk because the flaw was caught at an early stage. “Making sure you have a wide array of stakeholders at the table from the very beginning is really important to the long-term sustainability for these projects,” she said.
Getting a privacy, security or risk officer or legal counsel isn’t a de facto step. For a big data pilot doesn’t utilize PII, “these folks aren’t needed,” she said.
Shawn Banerji cringes when he hears someone called a “rock star CIO.”
“I can’t stand the term,” he said during a recent phone call from his offices in New York City. “The CIO job or equivalent is bigger than any one person, and it’s been going that way for a long time,” he said.
Banerji is the managing director of the technology officers practice at Russell Reynolds Associates, the executive search firm. We touch base a couple times a year to trade information on technology trends. He tells me what companies are looking for in IT executive talent.
Look behind the curtain at companies with dynamic CIOs, Banerji said — a Dana Deasy at JP Morgan Chase, formerly CIO at BP; or Eash Sundaram at Jet Blue. “What you’ll see is a team of people who work together exceptionally well, who understand their roles and goals, and have a terrific leader who’s able to ensure that people are in the right place and properly empowered — that’s how you get the best results.”
Moreover, talk to so-called rock star CIOs, he said, and most will tell you their success is not about them but about surrounding themselves with excellent people.
“Do you think Tom Brady would be half the success he is if he did not have an organization behind him — coaching staff, receivers, lineman, all those people?” Banerji said, with a nod to SearchCIO’s Boston base.
“This is a guy who succeeds no matter what the changing parts are, because they have a great system in place in Foxboro.” If something happens, the organization is able to reach down to the next level on its bench and bring up another capable person. So too, with IT organizations.
(His sports analogy, made a couple weeks before the fateful matchup at Mile High, indeed shows that a rock star is still just one member of a team.)
Corporate values vs. corporate culture
Besides a deep bench, great CIOs often have another thing going for them, Banerji said: They work for companies that live by a set of core corporate values.
Not culture, mind you — values.
“Culture is tribal. Culture is esprit de corps, the tenure of your daily interactions,” Banerji said. The same company can have many subcultures. Marketing has its culture, IT another, the New York office has a different culture from the Boston office. And that’s perfectly OK, he said.
But cultural independence shouldn’t be mistaken for core corporate values.
“Values transcend function, they transcend geographies and times zones and business lines. They are the irrefutable tenets companies put forward to define who they are,” he said. It could be the corporate philosophy revolves around integrity, or creativity, or putting the client first. “But whatever the corporate values, it doesn’t matter whether you’re in the Mumbai office in finance or in the New York office in marketing, they are the things you all have to embrace.”
At Russell Reynolds, people call it living the Lucite, he said, because the values that founder Russ Reynolds infused in the firm often show up behind plastic on a lot of people’s desks and in conference rooms. “Russ believed that if you don’t have a core set of values, you can never create a company. He was a little old school that way, but on to something, I think,” Banerji said.
Alan Waite, an analyst at Gartner, asked an audience at the market researcher’s Catalyst convention in San Diego last year whether anyone had chartered a private jet to get there. Of course, no one had. Airlines specialize in air transport and usually can do it better and cheaper than private jets.
“Well, guess what?” Waite said. “There are organizations who can do cloud probably more effectively and more efficiently than you can do it yourself, no matter what size organization you are.”
It’s a sound argument. But vendors that sell products to build private clouds often rely on a provocative thesis: that there comes a point when it’s cheaper to use a private cloud infrastructure over a public cloud provider. One vendor-sponsored report I read said when your costs reach $7,644 a month on services in Amazon Web Services — the largest public cloud vendor — it’s time to think about going private.
Who’s got it right?
“I don’t think there’s a hard-and-fast rule,” said Judith Hurwitz, president of consulting company Hurwitz & Associates and an author of many books on technology, including Cloud Computing for Dummies. “I think it depends what you’re actually doing with that cloud.”
There’s a lot to consider, she said. If a company has a commercial product in the cloud that it plans on offering to a lot more customers, cost is a huge consideration — especially if a lot of data will be moved around.
“As things scale, the costs go up,” Hurwitz said. “A public vendor is not in the business as a charity. They’re there to make as much money as they can.”
If it’s a small, contained workload and you can control the costs of managing it, then public cloud is fine. But if a company already has huge investments in data center technology, public cloud will often end up being more expensive. It may have sensitive data it wants control over no matter how much cheaper the public cloud is – or customers may demand a “significant level of accountability” – including security and compliance. In such cases, private cloud infrastructure wins out.
John Burke, an analyst at Nemertes Research, agreed that if a company has the “sunk expenses” of corporate data centers, then making use of them can be considerably less expensive than going with a public cloud provider — especially if it has “a baseline load of work that gets done and there’s not a lot of fluctuation and consumption so they don’t need to rapidly scale up or down.”
That said, Burke and other Nemertes folks are “pretty bullish” on prepackaged cloud applications, namely software as a service. In fact, that they are close to recommending SaaS before any other type of cloud product. Before they get there, Burke said, more data is needed to complete SaaS cost models, which are used to estimate how much the apps will run people.
“We’re dancing with that one right now,” he said.
If you’re about to take an analytic crack at unfiltered terabytes or even petabytes of complex, unstructured data, it can stay in a public cloud provider like Amazon Web Services, said Judith Hurwitz.
The consultant and author of numerous IT books, including several in the For Dummies instructional series, said analyzing big data in the cloud often works “because you’re still in the process of separating the wheat from the chaff,” so there’s no reason for the extra security of keeping it in-house.
“It has not become mission-critical at that point,” Hurwitz said.
But once you complete your analysis and have your unique, core data, bring it back on terra firma. Private cloud computing, especially the sort that is built in a company’s data center, is the preferred place, she said.
“Companies will be more likely to then move their data into a private environment, into the data center, into a private cloud, because those are now the crown jewels.”
John Burke, an analyst at Nemertes Research, said if you have data in several places — some in on-premises systems and some in the public cloud, “you have to look carefully at whether or not it would make more sense to either leave the data where it sits or bring it all into one of the cloud environments from others and do the analysis there.”
There are lots of variables, Burke said, from the method and cost of connectivity to the infrastructure you have on-site to how varied your big data workloads are.
“Is it something where you’re running roughly the same volume of information through your system and you’re maintaining roughly the same volume of data in storage all the time — or does it fluctuate wildly?” Burke said.
Judith Hurwitz, president of IT consulting company Hurwitz & Associates, said there is no boilerplate analysis for determining the return on investment on cloud infrastructure, public or private. It depends on lots of different metrics.
“Maybe a metric is, ‘Are you meeting the requirements of partners?'” Hurwitz said. “Maybe you’re not in a highly regulated market, but your customers are and they have certain requirements that they expect you to fulfill before they’ll do business with you.”
Questions first — ROI later
That could push you toward a private cloud model — either a cloud built on the foundation of your company’s data center or a cordoned-off corner in a cloud vendor’s data center. So could a bill from a cloud provider that balloons from one month to another.
“It really depends on taking a step back and looking at, ‘OK, what am I doing here? What’s critical to me? What’s critical to my customers?'” Hurwitz said.
Then start asking more questions, she said, but swap the word cloud with infrastructure. Does the infrastructure you have in place meet the needs of your customers?
“If the answer is no, you’ve got to change,” Hurwitz said.
The human side
John Burke, an analyst at Nemertes Research, suggested a brute-force approach for determining cloud ROI. Just calculate it.
“There’s nothing particularly mysterious about the cost structures for systems of the data center,” he said. “You’ve got infrastructure, you’ve got staff, you’ve got services — and you can assign costs to each.”
Burke said IT shops can figure out — with a good deal of precision — costs for cloud services and infrastructure like hardware and software. Where they sometimes get fuzzy is “the human side of their expense structures,” he said.
“Something that they often miss when they’re modeling a shift to [software as a service] or some other external variety of service is the ongoing staff cost of making use of that external service, which may be dramatically less than using the inside service or may not be depending on the specifics of the situation.”