July 15, 2010  4:08 PM

Does IT chargeback pave the way to outsourcing?

Linda Tucci Linda Tucci Profile: Linda Tucci

If your organization is talking about moving to an IT chargeback or a supply and demand model for IT, could that be its first step on the road to outsourcing?

That was an interesting sidelight raised by a story I did this week on a company that cut millions of dollars in technology spending by splitting its IT organization into a demand side and a supply side.

To back up a bit, the management experts I interviewed about this “supply demand” model agreed it can be an effective way to go. Demand-side IT works with the business on an IT roadmap and negotiates with supply-side IT on getting it done. Done right, the model recognizes that requests for IT services must come from the business, even as it imposes fiscal and strategic discipline on those requests. In turn, supply-side IT people become expert in their areas. Relieved of having to respond to a chaotic barrage of business demands, supply-side IT staff can focus on efficiency and competitive advantage — the stuff that makes internal IT departments relevant. That’s the ideal, anyway.

In practice, the model has the potential to disenfranchise the supply side of IT, a former CIO in the financial services industry told me.”I’ve been in situations where the supply side is viewed as a commodity,” said Jack Santos, who’s now a research vice president at Gartner Inc.’s Burton Group. “The thinking [from the business] was that this was the first step to outsourcing.”

Mark McDonald, Santos’ colleague at Gartner, saw it a bit differently, arguing that IT chargeback, per se, can pave the way to outsourcing IT, because the focus is strictly on price: “When I do IT chargeback, I make my pricing visible, which automatically means it will be compared to external providers,” he said. On price alone, the internal IT organization is almost guaranteed to be noncompetitive, Santos and McDonald said, especially when the IBMs and CSCs of the world typically underbid for the first couple years to get the business.

No matter, said Bruce Barnes, another former financial services CIO, who now runs a consulting practice out of Ohio. The wave of the future is that IT organizations are getting smaller not bigger, and the piece that survives is business literate, he said. Being a consultant, he naturally offered up a four-box matrix to explain. “One axis is running from simple to complex, and another from generic to highly proprietary,” he said. In the past, internal IT was in the lower left-hand quadrant — simple and generic — and the business hired consultants for the high-level stuff. The upper right-hand quadrant — complex and highly proprietary — is where internal IT people need to be. The rest can be given away if the business finds somebody good enough to take it.

July 9, 2010  2:32 PM

IT chargeback: A political hot potato is tossed up by cloud computing

4Laura Laura Smith Profile: 4Laura

A question has been nagging me since I attended Cloud Expo in New York: What metrics can IT departments use to charge back business units for cloud services? Measured service is fundamental to the National Institute of Standards and Technology definition of cloud computing, and enterprises building private clouds presumably will bill business units for their consumption of computing resources.

When I called CIOs and analysts about IT chargeback models, I didn’t expect to unearth such passionate arguments for and against chargebacks, a political hot potato at the heart of the IT-business relationship. Some say IT chargeback is not only inevitable but mandatory for achieving true efficiency; others say it sets up a charged relationship in which business units naturally second-guess IT departments’ pricing for services. With such public clouds as’s Elastic Compute Cloud, or EC2, a credit-card click away, an IT staff risks losing an opportunity to guide IT strategy.

In this economy, IT departments need to prove their investments support the strategic imperatives of the business. Therefore, IT chargeback metrics need to reflect the desired business outcomes, often in business terms. In a Software as a Service model, for example, the metrics wouldn’t refer to the disk and memory usage so much as to the number of customer requests responded to within a given period of time. For chargeback to be effective, both IT and business strategists need to collaborate on appropriate metrics; that can be challenging because they often don’t speak the same language. In fact, one source said the growing role of a CIO is that of a translator between IT managers and the business.

IT chargeback isn’t as simple as it sounds. My reporting blossomed into a series of stories on beginning this week that included IT chargeback metrics, the pros and cons of chargebacks, the contentious relationship between IT and the business on the subject, and important takeaways. I learned that chargeback isn’t the be-all and end-all, but just one part of an IT cost management structure.

Do you or don’t you charge back? Send me email at I want to hear all about it.

July 8, 2010  3:39 PM

Bumpy patch ahead for MDM software

Linda Tucci Linda Tucci Profile: Linda Tucci

Master data management software is about to enter a rough patch, according to analyst Andrew White, agenda manager for MDM and analytics at Gartner Inc. White explained to me in an email recently what the near future for MDM adoption looks like, and it is not necessarily pretty. The large software vendors, such as SAP, Oracle and IBM, are just now incorporating MDM into their product lines. They are doing this because the “early adopter” market is beginning to transition to the “fast followers.” That means that pretty soon MDM, in White’s words, will be “crossing the chasm” to become mainstream.

But White sees a big problem: Many IT shops will assume that MDM software is mature and ready for easy adoption — “and yet it is not,” he said. Because of this disconnect between the robutsness of the MDM software and the expectations of CIO adopters, “failure rates will increase,” giving MDM a black eye. Moreover, true MDM will not occur for most users, who instead will end up with just another half-baked “data integration effort.”

“As such, MDM will get a bad rap and name in the coming year — perhaps because the big vendors have invested in it,” White wrote. Or, to put it another way, because they are selling it to you before its time.

CIOs who just must have MDM now, be forewarned, White said: you will need to do a lot of the work on your own.

July 1, 2010  4:59 PM

A funny thing happened on the way to Sarbanes-Oxley Act compliance

Linda Tucci Linda Tucci Profile: Linda Tucci

This week, the U.S. Supreme Court considered a broad challenge to the Sarbanes-Oxley Act, and it chose to rule narrowly. The 5-4 opinion changed the way the members of the Public Company Accounting Oversight Board (PCAOB) can be removed from their posts. (Henceforth, the ax can fall for any reason at all, as opposed to “for cause.”) But the court did not alter the authority of this private regulatory board to oversee the U. S. accounting industry. And it steered clear of the constitutional challenge to the Sarbanes-Oxley Act raised by Free Enterprise Fund v. PCAOB. The SOX antifraud legislation that was passed in the wake of the corporate thievery at Enron and WorldCom was left intact — or as Chief Justice Roberts stated on behalf of the majority, “fully operative as a law.”

Put me in the camp of those who cheered.

And count me as one surprised by my reaction.

Sarbanes-Oxley compliance is a topic I’ve reported on practically since the day I started writing for in 2005. The stories have duly noted the soaring costs of becoming SOX compliant after the law went into effect; complaints about the notorious Section 404, which requires companies to prove the adequacy of their internal controls; the stop-and-go efforts of the U.S. Securities and Exchange Commission to make SOX compliance less excruciating for smaller companies; the contention that the Sarbanes-Oxley Act put U.S. public companies at a disadvantage on the world stage; and yes, the overzealousness of the PCAOB. In the absence of clear guidance from the PCAOB on how to comply with the law, many companies erred on the side of overkill. Critics complained that despite the SEC’s changes, the law did little to protect against fraud and had accountants laughing all the way to the bank.

Although they couldn’t have been laughing nearly as hard as the band of obscenely compensated bankers who helped propel the world into the worst economic slump in over 50 years.

But a funny thing did happen on the way to Sarbanes-Oxley compliance, at least from an IT perspective. CIOs and IT departments sweated through SOX compliance to preserve the good name of their CEOs and boards, who have to sign off on financial results as a result of the Sarbanes-Oxley Act. But many of the left-brain problem-solvers took SOX regulations as an opportunity — a starting point — for rationalizing the Hydra’s head of IT controls across the enterprise. Tommy Thompson’s journey from SOX chaos to risk-based compliance management is a good example.

Corporate greed will be always with us. Overspending on technology and resources to meet compliance requirements is still a problem. But IT — and I daresay, investors — are not less well off because of the Sarbanes-Oxley Act.

July 1, 2010  1:43 PM

Biometric fingerprints find new, mobile audience

4Laura Laura Smith Profile: 4Laura

The world has gone mobile faster than most people expected it would, resulting in security nightmares for CIOs. It is not uncommon for roaming employees to use multiple devices to gain access to sensitive information, with IT left to figure out how to federate identities.

One solution to this dilemma is identity management using biometric fingerprints and in particular, cloud-based biometric services.

Companies such as BIO-key International Inc. in Wall, N.J. are offering Identity Management as a Service, enabling enterprises to offload the verification process to the cloud. Biometric fingerprints are nothing new — BIO-key made a name in 1994 with its optical and fingerprint scanners — but 60% of personal computers now come with readers for biometric fingerprints, according to BIO-key CEO Mike DePasquale.

The next frontier is phones and personal digital assistants, according to DePasquale, who says BIO-key is working with LG Corp. and AT&T to provide authentication for such devices.

The BIO-key service downloads its software to a device and sends biometric fingerprints back to the vendor’s central server, where the fingerprint is transformed into a mathematical model.

The platform was used during Common Admission Test in India — the equivalent to the Graduate Management Admission Test in the U.S. — when 200,000 exam takers came and went over a 12-day period, checking in each time with their index fingers.

Identity management using biometric fingerprints is widely used in hospitals and by enterprises as part of their building security systems. As a service, it may well be one of the most convenient forms of user authentication for an increasingly mobile society.

June 25, 2010  2:10 PM

Cloud location: Why it’s important to know where your data resides

4Laura Laura Smith Profile: 4Laura

The Internet may be global, but cloud computing, like most politics, is local — or should be, according to experts who say a cloud location must adhere to country-based privacy and data security regulations.

Unfortunately, many organizations that have braved the public cloud don’t know where their data resides, which could set them up for cumbersome compliance problems, according to Forrester Research Inc. in Cambridge, Mass. And that’s the good news — some infractions may result in stiff fines or even jail time, say Forrester analysts James Staten and Onica King, co-authors of an Infrastructure as a Service report warning IT executives that IaaS clouds are not responsible for regulatory compliance. “These issues remain the responsibility of the customer, and ignoring them may be perilous for any multinational or non-U.S. corporation,” they wrote.

In the United States, for example, health care organizations are hamstrung by HIPAA, which prevents certain patient information from residing on servers outside the country. In Canada, a similar privacy act could prohibit companies from contracting with a cloud provider in the U.S., said Danny Terrigno, an IaaS storage expert. “Storage is a key cloud application, but in Canada, any data that is personal cannot leave the country,” he said. “So if it goes on a server in the United States, the [Canadian] government will come after you for that.”

Once again, get it in writing

Ben Schorr, a lawyer who blogs on law office technology, notes that many of his clients might be willing to try cloud computing but are very concerned about their sensitive data being located (or outsourced) to data centers in “unfriendly” countries, or countries where laws on data privacy are somewhat undefined. “Even if we conclude (as we probably should) that the fourth amendment DOES protect hosted email and other data, that still leaves open the question: ’What does the fourth amendment protect in Malaysia? Or China? Or Peru?’” he wrote. SaaS providers are going to have to provide assurances that their data is going to stay domestic if they hope to host data that is at all sensitive in nature, he said.

“There are some things companies need to watch out for,” admitted Archie Reed, distinguished technologist and chief technologist for cloud security at Hewlett-Packard Co. “There’s no liability [for cloud providers]. There’s no recourse if contracts don’t mention that the architecture may change on the back end and outsource to India, yet you’ve got something that requires your data to remain in a geographic location. Unless you’re looking at all those things and have negotiated it properly, you have no controls.”

June 24, 2010  3:54 PM

How CIOs can use ‘creative dissent’ as an IT innovation tool

Guest Author Profile: Guest Author

Francesca Sales is an editorial intern working with and She is attending Northeastern University for a dual degree in English and Linguistics.

If gurus at a recent gathering at MIT have it right, an increasing number of IT leaders are reaping benefits from applying the scientific method to IT projects. Experimentation is being used to create a culture of “creative dissent” in order to drive IT innovation. The key for CIOs is to pick a few experiments to rapidly scale and manage, then measure their failure rates — similar to what some describe as an iterative agile project practice.

Roy Rosin, vice president of innovation at software maker Intuit Inc., is a proponent of rapid experimentation. At an IT innovation panel at the recent MIT Sloan CIO Symposium, Rosin explained that unlike in years past, the essence of innovation today is to go fast.

CIOs, Rosin explained, “need to rapidly validate whether this is a good production or not, preferably before you spend all that time and money. Speed is of the essence.”

Rosin provided the example of ViewMyPaycheck as an instance of rapid creation and validation that has resulted in dividends. The payroll solution began as an idea to put secure employee data in the cloud. The self-service site lets employees check their pay stubs, adjust withholdings from their paychecks or check vacation balances. A handful of volunteer Intuit employees were given unstructured allotted time to collaborate and test the application. Within three months, the company was able to release the first version of the application.

“Overall,” Rosin said, “Intuit now has small teams rapidly validating new concepts — getting most initial releases into customer hands in a few months for meaningful learning.”

But speed cannot come at the expense of value. Experiments need to be controlled, according to Erik Brynjolfsson, the Schussel Family Professor of Management and director of the MIT Center for Digital Business and Sloan School of Management.

One of the ways this is done, he claims, is by replicating what is innovative in the business model, into enterprise software. “It’s great to have innovation, but you also need to deliver value and embed that in enterprise software, and scale it to translate innovation into value,” Brynjolfsson explained.

Rosin agrees, saying that the difference between innovation and invention is that the former captures value in new ideas. He thinks that a CIO needs to spend time with the little teams. “Are you just measuring revenue, or are you also celebrating the little things? It’s the culture of putting yourself out there and getting feedback. You measure success from the perspective of the customer and celebrate learning from fast failure,” he said. This is where creative dissent, a big culture change, factors in.

On the other side of things, many CIOs also believe that innovation can be achieved through standardization and common processes, or what Brynjolfsson refers to as the “paradox of standards.”

For example, Anne Margulies, CIO for the commonwealth of Massachusetts, used standardization to pave the way for innovation. Soon after taking the job as CIO, she embarked on a massive restructuring of 100-plus IT agencies across the commonwealth’s executive branch as part of an IT consolidation initiative issued by the governor of Massachusetts. Over a period of three months (each phase of the project is implemented in three-month chunks), she simplified the disparate agencies into a streamlined eight, an example of what she calls “restructuring complexity.” Currently, the initiative is on its last phase of implementation, with 80% consolidation completed.

Margulies believes that centralization is one of the keys to IT innovation because, unlike many other states, the commonwealth of Massachusetts is consolidating at two levels — the infrastructure at the commonwealth level, as well as at the secretariat level — in order to keep application technology close and responsive to the businesses served.

If creative dissent or agile practices are driving innovation, or reducing project complexity at your company, we’d like to hear from you. Email me at

June 21, 2010  2:52 PM

CIO weekly wrap-up: iPhone OS 4 release and PC sales on the rise

Rachel Lebeaux Rachel Lebeaux Profile: Rachel Lebeaux

The new iPhone OS 4 operating system drops today, with the release of the iPhone 4G due later in the week. Are you upgrading?

Also, several analyst firms are reporting that PC sales are rising this year after companies held off last year, with smaller tablet computers leading the charge.

While you catch up on the latest technology news, make sure to add these stories to your must-read list!

BI SaaS: Getting a fix on your business in a tight economy — SaaS solutions for the cloud are causing more commotion among enterprise and midmarket companies alike than are cloud apps for email and CRM.

Business service development: Lessons learned from the frontlines — There is no clear-cut path for IT to follow when it comes to business service development. CIOs and experts share their dos and don’ts.

BI software advances can’t address adoption issues, CIOs say — At a recent business intelligence summit, CIOs were excited over the rapid evolution of BI software — but mindful of how hard it is to make BI solutions work.

June 18, 2010  2:29 PM

Developing an IT business service requires technology — and fearlessness

Rachel Lebeaux Rachel Lebeaux Profile: Rachel Lebeaux

I’ve been doing a lot of reading lately about IT business service development, most recently News Director Christina Torode’s piece on business service development.

Why is the creation of IT business service plans taking on an increasingly important role in the CIO agenda? For starters, it can open up previously untapped marketplaces. The development of a new iPhone application for example, that proffers some aspect of your company’s product could introduce your organization to an iPhone user in, say, Alaska, who would have otherwise never even heard of your company. The app might be a free download, but a paid customer could easily follow.

So, how do you tap into prime IT business service opportunities? We’ve written recently about ideation management, and that’s a good place to start. Formal software to collect and manage ideas isn’t a necessity, but you should be providing technological platforms — even something as simple as an intranet blog or online suggestion box — to encourage creative thinking about developing an IT business service. From there, don’t be reckless but, at the same time, try to be a bit fearless. Sometimes the most effective business solutions come from underwhelming beginnings, and you’ll never know if an IT business service could have worked for your organization.

June 18, 2010  1:47 PM

Self-service technology transforms universities into ‘schools of one’

4Laura Laura Smith Profile: 4Laura

IT executives who are grappling with social media and self-service technology will sympathize with their counterparts in higher education. The technology sophistication of current university students, known as millennials, is beyond expectation, according to an expert panel at the recent Capstone Partners EdTech ’10 event in Cambridge, Mass.

Ten years ago, students expected there to be a good computer room. “Now, it’s like technology is air,” said John Gallaugher, associate professor of information systems at Boston College’s Carroll School of Management. They need it to breathe. As a result, higher education has become high tech as well as high touch — for personal quests like keeping track of credits and searching for a job. Certain things are set, such as how students can pay their bills, but everything else needs to be customized, Gallaugher said, or the students will customize things themselves.

Funny how just 10 years ago, schools were dumping grounds for computer castoffs as businesses upgraded from one chip to the next. Now, with so much technology available in the cloud, higher education rivals business in providing self-service technology.

Some educators are even talking about a “school of one” concept, where institutions of higher learning inevitably become on-demand service providers of education, to compete with other brick-and-mortar schools as well as 100% online providers such as the University of Phoenix.

The self-service technology experience is not only part of a good education, but necessary for retention, given the 47% dropout rate among first-year students, according to Craig Powell, CEO of ConnectEDU in Boston. Millenials are frustrated if technology doesn’t work on the first experience, Gallaugher said. If the college doesn’t get it right, “they’re going to walk away and go someplace else where it’s easier to use.”

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: