At a conference session on risk management and compliance, CIO Carolyn Damon let it be known that it is not uncommon for CIOs to be spending 40% of their time conferring with legal counsel. And, no, she was not talking about CIOs at law firms, but CIOs in regulated industries.
Damon is CIO of GE Capital Americas-Capital Financial Inc. — and proof that in the risk-riddled Great Recession, the office of the CIO is extending far beyond the four walls of the data center.
Yesterday, at the Gartner conference on risk and compliance in Chicago, Damon was play-acting the role of the CIO at the fictitious WinterNuke Co., an energy conglomerate under fire from environmentalists, regulators, shareholders, ordinary citizens, you name it. The constellation of mismanaged risks behind all the bad publicity included a failed SOX audit related to a botched acquisition; plans to build a nuclear plant in a seaside resort area; and a fired overseas employee claiming the speculative trades he made that lost millions were in fact sanctioned by upper management. (The fake scenario is a compilation of problems experienced by Gartner clients this year.) As keeper of the corporate data, the make-believe CIO was at the center of the legal maelstrom. The truth is that many real-life CIOs are there, too, or soon will be, she said.
“It is an interesting fact of where we are going from an IT perspective. Understanding the regulations that are out there, understanding business language, as well as understanding technology and then marrying the three, is fast becoming the role of the IT leader in organizations out there,” Damon said.
In those fake CNN reports on WinterNuke, there was no mention of IT per se, “and yet technology touches every one of the areas” under fire, Damon said.
A critical component of the real CIO’s job is to know exactly what the IT controls are for those areas and to “feather them against the regulations” that affect those areas, she said. The other part of the job is communicating the business benefits of that model to your counterparts in the legal as well as financial departments. “The more you can communicate with your legal partner what that method does and how it manages the risks they are concerned about, the more you have a partner,” she said, adding that the same goes for the CFO, with the added data point of how many dollars can be saved by implementing the IT model. “It’s about one executive at a time.”
By the way, among the many wrinkles in the fictitious case under review is the location of the rogue trader in Europe, where the data privacy laws might stymie the company’s investigation. That would not have been a problem at GE because her company “has been proactive” and gotten preconsent from overseas employees. Knowing the countries that you’re doing business in is critical. Spend time with the attorneys, Damon said, and if they don’t know the data privacy laws, the record retention requirements or the data movement protocol in the various geographies, the CIO should be able to lay it out.
That said, it is not the CIO who owns the risk management program for the company, Damon stressed. “Somebody has to have the overall plan.”
Here’s a take on IT spending that most IT executives will be happy to hear: Companies that make IT investments in a recession will see the financial dividends for years.
“It’s double coupon days for IT investment,” Howard Rubin, MIT CISR research associate and professor emeritus at Hunter College of The City University of New York, recently told IT and business professionals at the Society for Information Management monthly Boston meeting.
If a company invests $10 million now in IT, Rubin said, then another company that waits until better economic times to make that investment will likely spend twice as much to catch up with the business that made the initial investment in a timely manner.
“Competitors won’t be able to afford to catch up,” Rubin said.
The thrust of Rubin’s talk – that IT investment still matters, even in a recession – hinged on the notion that spending on IT vastly enhances a company’s business performance, and the gap between you and the competition goes straight to your financial bottom line.
Each dollar of new IT investment between 2003 and 2004 led to a gross profit increase of $1.47 in 2006, Rubin said, while a 26% increase in cumulative absolute technology spending in the U.S. in 2006 helped drive a 114% increase in absolute gross profit. In other words, IT pays for itself and more.
Of course, in today’s recession, technology spending is colliding with economic conditions, Rubin said. The current high fixed cost of IT in most companies is preventing change, and conventional IT cost-cutting models – outsourcing, offshoring, laying off workers, squeezing vendors, reducing portfolios — have “hit the wall” under pressures to spend less.
“You can take advantage of this time by optimizing what you’re doing,” Rubin said.
This could involve tapping into technologies such as Gmail, or shifting more costs to vendors via new supply chain management models.
But time is of the essence, because your competitors will catch up if you give them the opening. If you can make external partners understand your new scale, he said, you should see rapid IT transformation that benefits the business’ bottom line. And isn’t creating dividends – both now and down the line — what we’re all looking to accomplish, especially in a recession?
It was a virtualization-heavy week for SearchCIO.com, as we covered VMware’s new cloud operating system, virtualization management tools and SOA governance, and tested our readers’ knowledge of virtualization and the private cloud. Check it all out below:
Cloud computing initiatives show wide range as VMware touts cloud OS – VMware’s new cloud operating system, vSphere, brings new capabilities, though some big cloud projects will use Microsoft’s virtualization technology.
Virtualization management tools: Ready for prime time? – Virtualization management tools help enterprise CIOs address virtual server sprawl, workload balancing and other issues. Learn about costs and options in this podcast.
SOA governance: How and why to build it into your SOA initiative – Service-oriented architecture governance prevents duplication of services and wins business buy-in. Here’s how to start or improve your governance effort.
Virtualization and the private cloud: A quiz for enterprise CIOs – What do you know about virtualization and the private cloud? Take this quiz to find out.
It seems this Great Recession is pressuring some industry sectors more than others to turn to outsourcing.
While total value of large outsourcing contracts is down dramatically in the first quarter of the year, according to industry watchers, the number of contracts awarded by telecom, media, retail and the utilities, traditionally cool to outside help, is up at least 20% year over year.
Except for utilities, the sectors showing a 20% jump share another trait: All of them underperformed the Forbes Global 2,000 in growth of revenue and earnings and in market capitalization.
The data comes from TPI, a large global outsourcing advisory firm that tracks IT and business process outsourcing deals of $25 million or greater. Results from the first three months of the year show the total value of outsourcing contracts signed declined 22% from the same period a year ago to $19 billion, the lowest since the first quarter of 2001, when the air went out of the dot-com bubble. The number of contracts slipped to 141, 1.3% down from the same time a year ago. And the bulk of the contracts — 101 — were for IT work.
The utilities industry accounted for 30 of the 141 big deals signed over the past 12 months, compared with 23 contracts between 2007 and 2008. Highly regulated and influenced by unions, this is a sector that has traditionally avoided offshoring, according to TPI. But an aging workforce disproportionately hit by layoffs during the recession has depleted expertise, causing companies to look outside their four walls. The expense of compliance is also driving companies to cut costs on labor, even in the face of high demand for their products. “The industry has got to deal with the harsh reality of continued growth and demand for electricity, while the construction of the power plants to meet these new demands faces increasing regulatory hurdles,” said TPI industry sector specialist Tom Lang.
The volume in retail, which also accounted for 30 contracts in the first quarter, was up 40% from a year ago, although the total value of the awards dropped to its lowest level in five years, more evidence that the trend is toward shorter contracts focused on fixing the problem at hand.
Telecom’s 99 contracts marked an all-time high for that industry.
The underperforming media industry showed an uptick in both the number and value of contracts, consistent with the trend in that sector for the past five years. Most media outsourcing activity stems from the U.S., with about 60% of the transactions signed in the Americas. These are now increasingly coming not just from the top 25 global Forbes media companies, but also from smaller players.
“Companies of all sizes are aggressively seeking new ways to reduce costs and develop new revenue streams,” Lang said. “To make the most of their assets, they are also looking to leverage content across multiple platforms, which often requires the development of new software applications and other IT-driven innovations. But there is also a fair amount of BPO, largely focused on the financial processes.”
The media market is an exception on business process outsourcing (BPO). The market for big, transformational BPO work, hot during the boom-boom years, has shriveled, especially in the Americas, and it is unlikely to come close to any of the metrics of the past five years, TPI’s Peter Allen said. “The cost savings are generally longer in coming in BPO and require broader organizational change than we see in IT outsourcing, giving ITO the priority.”
This decade has seen a lot of consolidation among both software and hardware vendors. Sun bought StorageTek, Sun bought MySQL. Oracle bought Sun, Oracle bought BEA (one of many midsized middleware companies to be acquired). EMC bought VMware and about 40 other software companies. Symantec bought Veritas. Microsoft bought Great Plains. The list goes on, and that poses some challenges for CIOs looking to ensure continuity and keep their architectures fed in this environment.
Consolidation is, of course, nothing new. Fifteen years ago, you might have been a DEC VAX/Alpha shop running RDBMS and Informix, with all sorts of now extinct middleware.
But today’s context is different. We’ve long left behind “Nobody ever got fired for buying from IBM” for a much more uncertain and free-wheeling sourcing scene. CIOs have gradually imposed order on the situation through standards committees. At some companies, standard means things like Java, XML and 10 Gb Ethernet. At other companies, it means Dell, Microsoft and Cisco. At most, I suspect, software and architecture standards are a mix of protocols, open standards and vendors.
During this period of the rise of standards committees, CIOs have also had to confront a different problem: the dreaded “too many vendors” dilemma. “One is too few, three are too many” is conventional wisdom these days. Nice for hardware, not always possible for software.
The Sun acquisition could bring hope or despair into many CIOs’ lives, depending on how it plays out. Java, Solaris, SPARC boxes — these are significant building blocks for many shops. Some CIOs may cheer the continuing expansion of Oracle into some more niches in the upper end of computing; others may cringe at the thought.
But how many CIOs, I wonder, are rethinking the whole concept of “strategic vendor” in light of this deal and the sense that more are to come as the tech industry deals with the down economy? How are you seeing this? Are you looking for comprehensive vendors that can supply it all because they’re safe or for specialized vendors that each dominate a category (think EMC)? Or are you looking to commit to standards that are widely implemented by many vendors and to buy implementations that offer a good tradeoff between standard and “enhanced” features?
Another legitimate question posed by the dissolution of such a rock of many IT architectures as Sun is whether it’s time to apply new thinking to choosing strategic vendors — techniques like risk analysis or perhaps an even newer paradigm.
Legend has it that Wild Bill Hickok always sat in the back corner of the saloon so he could observe everyone who came and went. Good advice these days, although it didn’t quite work out for Wild Bill.
It’s Boston Marathon day here in my fair city, so I hope some of you will be watching! If you need to take a break, read up on our latest content from SearchCIO.com on revised portfolio and project management standards, SOA success stories and business process management, and IT and business alignment:
Revised project and portfolio management standards get critical review – The Project Management Institute’s revised standards for project and portfolio management aren’t complete, Gartner says. Find out why PMI disagrees.
SOA success stories involve business process management – SOA and Web services work great for application integration, but the real payoff comes when you rework business processes. Still, there are challenges.
The department previously known as IT – In Business/IT Fusion: How to move beyond alignment and transform IT in your organization, author Peter Hinssen suggests it’s time for change to the way we approach IT and business alignment: It’s time for fusion. Learn more in this chapter download.
MIT’s Kirsch Auditorium was standing room only last night for a forum on cloud computing, part of the university’s Innovation Series for entrepreneurs, investors and patent attorneys. But there was a liberal sprinkling of technology types as well in the audience, including some upper-level IT folks trying to get an early read on what cloud might offer them.
The forum’s avowed purpose was to give a sense of what’s real now in the cloud and so it focused on the Amazon Web Services ecosystem. Several speakers spoke of “hundreds” of providers of value-added layers to the basic Amazon services, much in the form of middleware. When you peel back the layers of the onion, in many cases what you are renting has a high open source content. If enterprises have been slow to widely deploy free or freeish open source software internally, will they be quick to pay for it in the cloud just because someone has done the initial heavy lifting of configuration?
Other vendors have more novel models. Take Allurent, for example. They’ve distilled down many of the more desired features of e-commerce websites into a set of modules that run in the Amazon cloud. They do some design customization, but seemingly a lot of the time-and-money uncertainty inherent in the handoff from graphic design to software design that plagues so many Web projects has already been boiled out of the designs.
There’s also an accompanying content management system that your marketing department can use to manage sales, promotions, etc. The pages are hosted on Amazon but appear as part of your site and integrate with your e-commerce back end. My point isn’t to do a commercial for Allurent, but to point out that the cloud model creates some new ways of doing things that may well be an improvement over current ways.
Next week, VMware will shine a spotlight on the private and private/public hybrid cloud notions. This conference was more about the platform and application services that you will likely find coalescing in the cloud in the near future. If cloud flops, it won’t be for a lack of choices.
Welcome back from the weekend! Start your week off right by reading the latest SearchCIO.com stories on the private cloud at Marian College, how to integrate server virtualization into the private cloud, disaster recovery strategy at MetLife and best practices for managing IT and the recession.
Private cloud replaces antiquated IT infrastructure for $300K per year – For the price of a SAN, Marian College is building a private cloud to create a flexible IT architecture and help transform the liberal arts school into a university.
Disaster recovery strategy shift reduces data loss, recovery time – Under pressure to improve RTO and minimize mainframe data loss, IT veterans at MetLife devised a strategy that put tape out to pasture.
Tips for integrating server virtualization in a private cloud – Integrating server virtualization technology in a private cloud can offer benefits including flexibility, cost savings and consolidation — if implemented and managed correctly.
Best practices for managing IT and the recession – IT and the recession will be inextricably linked for the months ahead. Here’s how to adjust your IT strategy and lead your IT organization while managing budgets, risk and more.
Bonk CISO Larry Whiteside on the head, and like Jason Bourne he will wake up thinking about security in 12 different languages.
“For me, security and risk management is a mind-set. When I go into a restaurant with my wife and kids, I automatically see where the exits are,” says Whiteside. And how the waitress handles the credit card. How far the credit card machine is from the nearest table. The location of the security cameras, the station of the guard.
“I am always thinking about the security scenario, not to take advantage of it, but to be aware,” Whiteside says.
Whiteside is chief information security officer for Visiting Nurse Service of New York (VNSNY), the country’s largest not-for-profit home health care provider. Some 130,000 patient medical records and pieces of credit card data fall under VNSNY’s watch. The organization must comply with the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard and the Sarbanes-Oxley Act (SOX).
Whiteside practices what is called a risk management approach to security compliance. I interviewed him this week for a story I’m doing on the topic. While his organization has many regulatory obligations, “the way I approach compliance is through risk. We do not focus on just ensuring we are compliant,” Whiteside says, stating the first principle of a risk-based approach to information security.
“When I look at new applications or systems or architectures, I am looking at the risks to our business and the risk to our information. Those are the things that are important, not does it meet a line item associated with HIPAA and SOX,” Whiteside says.
A risk management mind-set is always looking for patterns — not items on a regulatory checklist — that pose a threat to the asset one is responsible for protecting. So when somebody comes to him with a security problem, even if he knows nothing about the particular system or application, he can formulate a set of questions.
Incidentally, most CISOs live in a security mind-set, he says, whether they’re hard-core techies or recruits from the business side. “The methodology they follow by day at work is the methodology they live outside of work,” he says. At conferences, when CISOs unwind afterward with a drink, they invariably play a Where’s Waldo? version of security gaffes, competing to see who can spot the most security lapses. “It’s kind of weird if you are outside the circle.”
The mind-set can have its limitations, as in the “If you are a hammer, the whole world looks like a nail” adage.
Indeed, when he is taken by surprise, it is typically by something that happens on the business side.
“You can’t believe that business would make that decision. You have that mind-set and forget people don’t think that way,” says Whiteside, who nonetheless never forgets what needs to happen next.
“But the fact is they went down that path, and you have to make it right. CISOs are support personnel. That is the reality. We are on the same side of the business as the help desk, and that is all we are. Until it can be determined how a CISO can make the company money, we will always be there to support.”
Happy Monday! Well, not so happy in Boston – we just learned that the Red Sox season opener has been postponed due to rain! At least there’s a little NCAA men’s basketball game to watch tonight.
Until then, find some time to take a peek at the latest content from SearchCIO.com on IT outsourcing contracts, a forecasted IT spending decline, architecture mistakes in disaster recovery planning and virtualization and the private cloud:
CIOs adjust terms of IT outsourcing contracts to get lower prices – Competition is getting fiercer for your outsourcing buck. As companies with IT outsourcing contracts look to take advantage of price drops, they’re finding renegotiations may include reduced service levels. In this story, Gartner and others weigh in.
Gartner’s revised IT spending forecast: Decline exceeds that of 2001 – (This story came out last Wednesday, and if only it could have been an April Fool’s joke.) Gartner has revised its 2009 IT spending forecast downward, with hardware purchases the hardest hit. What else is on the back burner?
Avoid these architecture mistakes in your disaster recovery planning – In building out a disaster recovery strategy, many IT executives make these common mistakes. Want to save yourself some trouble? Here’s how to work around potential problems.
Virtualization and the private cloud: A guide for enterprise CIOs – Our latest guide looks at the trends, best practices and critical criteria for building a true strategy around virtualization and the private cloud.