How Leveraging the Cloud Can Enhance Your Security Risk Profile

Cloud

It’s a given that cloud adoption is growing heavily, but I continue to hear how security is a concern or roadblock for some. Yes, the ever increasing stories of cyber attacks have ensured security remains a top priority for CIO’s, as it should be, but I’m always amazed at how security in the cloud is looked upon as a major hurdle or obstacle.  Moving your apps to the cloud does take a new way of thinking about security but it shouldn’t hold you back.  Leveraging the cloud, particularly SaaS applications, actually enhances your security risk profile.

It’s a myth that using SaaS apps or putting information in the cloud is inherently less secure than keeping everything on premise.  The data needs to be secured no matter where it lives and keeping it on-prem does not make it more secure.  What is true is that it’s different, and as long as you understand the differences, your company’s risk profile is much better off.

One great reason to use the cloud is that you’re outsourcing the development and hosting of your applications, enabling you to focus on more core, business value activities.  This also includes security, if done right. Leveraging the cloud gives you access to a great pool of resources, whether it’s with your cloud vendor or in combination with other cloud vendors.  This is because the skills and resources available with most cloud vendors are much greater than what you can muster yourself.  It’s the lifeblood of their existence and the teams and time devoted to overseeing security is far greater than what most companies can do cost effectively on their own.  This doesn’t mean that cloud vendors can’t get hacked as well.  They can.  Even though most of the highly publicized security breaches have actually been to on-premise environments, cloud vendors have been hacked. There are no guarantees but the same goes with your on-premise environment too.

However, using the cloud doesn’t mean you ignore the security concerns and just leave it to the vendors.  To fully leverage the cloud for improved security, you need to understand what truly needs to be secured, understand your vendors’ policies and procedures, implement a few tools, and ensure your users are trained and aware of how they can help prevent security attacks.  This is not an exhaustive list by any means and I just touch on a few of them below, but these items will put you in a better position going forward.

Data Classification:  First, you need to understand what information you really need to protect.  Not every piece of data your company produces is sensitive or confidential, so classifying your data as to what is truly sensitive, private or regulatory impacted is step 1.  Understanding where this data then resides (likely more than one place) is then required so you know what to focus your extra efforts on.

Implement Two Factor Authentication (TFA) . TFA is one of the best tools available to ensure outsiders aren’t accessing your applications via insecure or stolen passwords. Many of the leading Identity Management tools have this capability and there are other stand alone options available too.  End users are much more accustomed to this with their banking or other apps, and it does raise the security strength of your apps.

Internal User Training – Internal users are the biggest hole in an enterprise and ensuring the end users know the security best practices is an easy and inexpensive tool.  More companies are instituting security training as a requirement for all employees.  This is even more important with a SaaS / browser based application environment.

Understand Your Vendor Practices  Just because you’re offloading your application development and hosting to your SaaS provider doesn’t mean you absolve yourself of any oversight or due diligence up front. You still need to understand your vendors capabilities and keep ongoing oversight of your SaaS vendors.

As a buyer of SaaS applications, here are items that you should understand and investigate. Again, It’s not a exhaustive list, nor will you find consistency with the approaches or capabilities, but you still need to familiarize yourself with the following:

  • Encryption (in transit and at rest)
  • Internal Controls
  • Backups / redundant data centers
  • How quickly are your vendors patching critical vulnerabilities?
  • How does the vendor QA its product?
  • How do they test DR/Contingency?
  • Do they have best practices with continuous delivery?
  • What are their change management practices?
  • How do they handle PII or sensitive data?
  • Employee profiling/security training and programs/phishing programs
  • What is their monitoring and notification process?
  • Do they have data centers in countries that require specific data residency requirements (if applicable)
  • SSO Support
  • Dedicated CISO
  • Automated testing
  • Peer reviews on coding

These are all capabilities that any software provider should ideally have, so the more you investigate and push, the better you’ll be for it in the end.

There are also many new approaches coming out of startups, from leveraging micro services to machine learning, so you should also pay attention to emerging technologies. Keeping abreast of the new and emerging companies should be a CIO core competency, but it’s even more important today with security and the cloud.  Putting your applications and data in the cloud provides a great deal of business value, in what can be a more secure environment.  You just to need to understand the differences.

Yes – IT is Still Relevant

consmerITWe had a great discussion recently on the topic “Is IT still relevant”, where I was joined with Tim CrawfordMark Thiele and Bob Egan on a Google Hangout and Twitter chat (#CIOitk), and a few themes came out that I think are worth highlighting:

The Consumerization of IT has changed our expectations of enterprise systems, and has raised the bar on what technology should be like in the
work place.  These expectations, the speed of change in today’s business environment, and the ability for the business to obtain cloud services themselves, has turned the IT organization upside down.

The challenge for today’s IT leader is to recognize this change and adjust accordingly.  Many CIO’s have already done this, but there are still quite a few who haven’t.  There is no “model” that CIO’s can just pick up and follow, but they can follow a few simple guidelines to improve their standing with the business and ensure relevance:

  • Speak the language of the business. You can’t focus on providing business value if you aren’t talking to the other business departments and executives in their language.   See my previous blog post on this subject.
  • Get out and understand the challenges your employees are facing. IT leaders must be outward looking, fully understanding the business challenges facing the organization from within and externally.
  • Embrace shadow IT. This  means embracing how the cloud is helping bring innovation into your organization faster (and better) than you can do it yourself.  There is a need for IT to be involved, but not everything has to go through a centralized IT department.
  • Focus on customer engagement. The customer is king and this is what drives the future of your business, so understand the customer needs.  Think ahead and ensure that the IT organization is doing things that can improve customer engagement.

Culture Matters

Another point that was brought up on Twitter was about culture and how that affects IT’s perception. This is a very important point and something that can’t be overlooked.  Culture really does matter.  Yes, technology has become a big part of everyone’s business but not all organizations have completely caught up to this thinking throughout the C-suite. Without a culture of valuing and leveraging technology, IT leaders face headwinds on change. Change is hard for many organizations and for those that are slow to adopt, they’ll likely be left behind.  Just ask Blockbuster.  So, all the hard work can easily be met by cynicism and doubt, but you can’t give up.

The IT Organization and the CIO of the Future

The future of the IT organization was also discussed, and a common theme was that staffing is an issue.  Cloud adoption, embracing shadow IT, and an agile mindset change the way IT organizations operate and think and the skills are different. I went through these in a presentation last year on the Future of the CIO, but the highlights are that IT leaders need to be:

  • Consultants to the business
  • Conductors vs builders
  • Entrepreneurial
  • Social
  • Evangelists for innovation and agility
  • A business enabler, focusing on what’s core and strategic to the business

Many thanks to Tim for moderating the session, Mark and Bob for their great insight, and Amy Hermes for her drive and unparalleled PhotoShop and marketing skills.  Keep an eye out for the next CIOitk (in the know) chat session.

Why Leaders need to be on Twitter and My Experiences

I’ve meant for a while to write about my Twitter experiences, and after being named earlier this year as a Top 100 Social CIO on Twitter by The Huffington Post, it felt that now was as good a time as any. In short, all technology and business leaders should be embracing social media as a leadership voice and Twitter is a great avenue to learn, engage and promote your brand. Yes, using social media needs focus and an understanding of what you care about, but that’s an important foundation that every leader needs to discover and embrace. Twitter is a great source for news, a place to discover intelligent minds, an avenue for engaging discussions, and an opportunity to grow your professional and personal network.

I made a conscious decision about 2 years ago to dive head first into the social media world. I admit that I had been a laggard, being a very casual Twitter user and taking a stab here and there at blogging.  I had always stayed pretty active on LinkedIn, but more for general networking than collaborating and sharing.  The turning point for me was realizing that as I worked for a B-B company that didn’t embrace social media, I struggled to champion adoption and articulate the business value since I wasn’t a part of it.  I knew that embracing the social world was an important piece to driving innovation and I felt it was important to become an expert and lead by example.

I had always prided myself on being a generally social person, building relationships with professionals across many industries at various levels and roles, but I knew there was more to it.  At the same time, I knew it was time to redefine and articulate my personal brand better than I had been doing, and I realized that upping my game on the social media front was the next frontier.

I set my sights on two fronts that had been ignored; Twitter and Blogging.  With Twitter, I researched suggestions on how to get the most out of it and I quickly understood that to be successful on Twitter, you needed to focus yourself.  Twitter is a vast world with a very wide-range of topics and engagement.  As the suggestion rightly pointed out, without a distinct initial focus, I’d be lost and wouldn’t get the most out of it.

Knowing I wanted to focus on my passion for the intersection of business and technology, and the benefits of using the cloud, I started there.  Following some experts I knew who were heavy twitter users was the start and I never looked back.  I started paying more attention to who was authoring articles that I was interested in.  Almost always the writers were active on Twitter, engaging others while also using Twitter to promote their writings.  Perfect.

It quickly became apparent to me that I had been missing out on connecting with and learning from a huge number of people who were interested in many of the same things I was.

I’ve learned a lot since I started and have connected with and personally met a number of very smart people.  Being social, via Twitter, LinkedIn, blogs or any of the other mechanisms prevalent has really provided the following value, and these are the reasons why every leader should be on Twitter:

  1. Source of news – Twitter is a great source of relevant news stories that are of interest to you.  Most leaders are sponges when it comes to reading and Twitter is a great door for this.  The feed can feel a little overwhelming at times and I find myself starting the day on Feedly or Flipboard more often, but I typically find some new and interesting posts on Twitter every day.
  2. Place to engage and have meaningful conversations – Once you get past just following what people are sharing, you will find there is a large segment that use Twitter for conversations.  I’ve found this to be even more valuable and engaging than just reading posts.  Real conversations can and do happen, but it does take an effort. Not everyone uses Twitter in the same way and some are more interested in responding than others, but it’s great when a meaningful conversation happens.  It’s even better when others are included, which expands the engagement and input.
  3. Professional expansion – Twitter is a great place to connect with professionals who care about similar topics.  Creating and nurturing your network has been demonstrated to be a key factor to long term success and Twitter is a great avenue to expand your network. You can get trolled by sales people and others promoting their ware, but it can be managed if paid attention to.
  4. Personal expansion – Not all learning is professionally based, and many people on Twitter are sharing and conversing about sports, life, faith, food, and many other non-professional topics. l started off only tweeting about professional topics, but my 23 year old son made advised me (via Twitter of course) that I should be spending upwards of 15% of my Twitter time on non-business topics. It took me a bit to get into that rhythm, but the non-business related tweets ended up providing a similar experience to what I found in my professional tweets.  Following sports writers, foodies, locals and others expanded my horizon on another level.  You do need to keep it clean though if you’re using the same Twitter handle for both, so do try to hold back when your team just blew that large lead to lose the game!
  5. Research – I’ve used Twitter a few times now to do research on a specific topic.  Using TweetDeck, I can easily add columns for specific hashtags (#) if I’m looking for articles or blogs on a topic. This has helped tremendously when needed for a presentation or just for following a topic that has an ongoing interest.  There is a lot of writing out there that shows up with hashtags that you wouldn’t normally find on a Google search.

So, if you’re not on Twitter, now’s a good a time as any to get started.  Send me a note or tweet if you’re looking for any other suggestions.

The CIO as a Consultant, Evangelist and Innovator

big bangThe evolving nature of the CIO’s role is a hot topic these days as technology becomes an essential part of every business.   This evolution is required as many CIO’s had traditionally been focused on operational issues and risk avoidance, along with a smattering of growth enabling projects. While risk is still very important with an increase in cyber security and with operational issues abundant, the cloud provides plenty of services for helping manage both risk and standard operations. This frees up today’s CIO to focus on more strategic and innovative projects.  So, what does this really mean for today’s CIO, their role, and the skills required to be successful?

Last year, I gave a lecture at an Executive Development Program, where I presented on the CIO of the future.  In reality, it was really about what the CIO should be today, not in the future.  Specifically, I said that some of the skills and roles required for today’s CIO were:

  • An evangelist for innovation and agility
  • Acting as a consultant to the other business groups
  • Being a business enabler
  • A social champion
  • Having the ability to make the complex seem simple.

There were others, but these are what stand out to me as I reflect upon what is really needed today to be a successful CIO.

At the top of the list is that the CIO needs to be an evangelist for innovation and agility.  Innovation and agility are front and center and required in today’s fast moving business climate, and the CIO needs to be right there leading the charge.  This doesn’t mean that the CIO is going at this alone as that won’t be successful.  That’s where the evangelist side comes in.  Coming up with new digital business opportunities, championing new projects, leading by example, and evangelizing change are all part of what a CIO needs to be doing day in and day out.  Change doesn’t happen overnight so persistence is definitely needed.  Driving transformation within IT is critical as the IT department should  be ground zero for change and agility, but these themes need to become pervasive throughout the organization for true change to happen.  Moving the culture away from accepting the status quo needs to be pushed throughout the company.  That’s where today’s CIO can shine.

When talking about the new roles a CIO needs to play, being a consultant to the other business groups is one of the most important.  One of the biggest knocks on corporate IT in the past was the culture of saying no.  This was typically the case when everything had to come into a centralized world and the IT department had to control all software, whether internally created or externally purchased.  There was usually more demand than IT could handle, causing the word no to come out more often than it should have.  Long, drawn out projects became the norm, resulting in the rise of rogue IT where the business went off and procured software on their own.  In today’s fast moving world where enterprise class SaaS applications can be purchased with a credit card, this centralized control-center IT world is no longer necessary and an inhibitor to innovation and agility.

Today, the CIO needs to accept that there are great cloud technologies available and the business no longer needs to go through IT if they don’t see any value provided.  This is where the CIO needs to be the consultant to the other business groups.  The CIO shouldn’t be saying no, but instead be working closely with the business to consult on how an application will integrate with other systems, provide expertise on due diligence, contracts, security, and vendor capabilities, and advise on how the application can be quickly implemented without unnecessary bureaucracy or risk.

All of the above then empowers the CIO to be a business enabler.  Not only should the CIO be consulting on integrating cloud apps, they should also be looking for other innovative ways for the business to grow.  They should be speaking with customers to get a better understanding of what the customer really wants and how they might better interact with the company.  A good CIO can then use their experience to help champion new digital ways of engaging with the customer, enabling business growth.  The CIO holds a unique position in a company as they get a view into every business group and all the critical processes, both internally and externally facing.  If they really understand their business, and if they’re aware of the digital technologies available, they should have the ability to truly identify where the potentials exist to enable new business opportunities.  This digital mindset should also be internally focused, improving employee satisfaction and productivity. The CIO should be thinking about this every day.

To be truly effective though, today’s CIO needs to be social.  This means they’re creating relationships with other business leaders, while at the same time pushing a social culture within the company and with their customers.  They should be active on Twitter, LinkedIn, Vine, Google+, and other social media channels, and interacting with peers inside and outside their industry.  Championing internal social tools is important. I’ve seen firsthand how internal social adoption can be a cultural challenge, but it helps tremendously to be able to demonstrate experience using social media and how these tools can be used successfully internally to improve productivity.  You can’t champion change without being a first-hand social CIO.

Lastly, a successful CIO needs to be able to make the complex sound simple.  They need to be able to simplify the complex world of business technology and explain what’s happening to business leaders in simple terms.  Not using acronyms and speaking in the language of the business is critical (see my post on The CIO Golden Rule-Talking in the Language of the Business).  If you can’t easily explain to a CEO how the cloud enables business agility without any technical speak, as an example, then you won’t be successful nor listened to when championing new digital business ideas.

If your focus or current skill set isn’t strong in any of these areas, think about how you get there.  Success in today’s quickly evolving world demands it.

The Next Gen CIO’s are Leading Today

I had an opportunity to speak about The Next Generation CIO at the Constellation Connected Enterprise conference a few weeks back, and the topic brought to light the theme of what really makes a CIO an effective business leader both today and in the future.  In my view, the skills required for the next generation CIO aren’t much different than what’s required today.  In line with what I presented previously on the subject, one must possess business savvy, leadership, relationship building, and social skills, have the ability to act as a consultant and integrator to the business, embrace the cloud and Shadow IT, and understand the power of data and mobile.  It’s also knowing that it’s all about the business and not the technology, a crucial skill for success.  All of the skills needed in the future are already present today in those CIO’s who are on the leading edge.  Therefore, if you’re currently embracing these trends and skills, then you’re already a Next Gen Leader.

A CIO, both today and in the future, needs to be a business leader, always focusing on how IT can be leveraged in growing and improving business capabilities.  This means the CIO needs to understand the business just as well as the other executives, while always speaking the language of the business.   That’s the Golden Rule I wrote about earlier this year, and if a CIO isn’t doing this when speaking with the other executives, then they’ll just be viewed as the “IT guy” and not a business leader.  Everything IT does needs to be focused on adding business value. It should not be about the technology, and that point is what has given the CIO a bad name in the past.  Truly understanding how technology can best be leveraged for business improvement is a requirement, but the CIO of the past didn’t always get that point.  Translating technology capabilities into new business and customer engagement opportunities is what sets the “Next Gen CIO” apart from the others.

The Next Gen CIO is a consultant to the business and an integrator, and should be embracing Shadow IT.  Embracing Shadow IT means you don’t require everything to come through a central IT funnel, but CIO’s and their teams can still add tremendous business value to these decisions with contract expertise, integration direction, security oversight, and vendor partnering among other things. This is where the consultant role also comes into play.  There is a great deal of innovation happening today that addresses specific business problems, and many times those in the business are the first to discover these new tools and approaches.  They have the most knowledge on value, so letting the business champion and drive discovery is a great approach that helps IT from having to say no. What does need to happen though is that IT needs to be included in the discussion, particularly on the points mentioned above.  Without it, the risk of having insecure applications, bad and expensive contracts, and data silos increases exponentially.

Lastly, a CIO needs to understand the power of data and mobile, and leverage the cloud as much as possible.   My team has been cloud all-in for many years, and the business benefits go way beyond pure costs.  The speed in which we gain access to new product functionality, while significantly reducing our in-house development staff has been transformational.  On the infrastructure side, we’re almost out of the data center business and are relying on the mass scale and capabilities of others to meet our needs.  Unless your company is in the hardware business, moving your infrastructure to the cloud, whether pure public or hosted private, is a requirement now and in the future. In addition to the cloud, a Next Gen CIO recognizes the demands, and capabilities of mobility and data. Using data to make critical business decisions is not a new concept by any means, but the availability of new data sources  in the digital and Internet of Things world, and the amount of unstructured data being consumed has made this more critical and complex.  When talking about transformation, digital business, and new business capabilities, leveraging data and the insights it brings is even more important.  Helping the business take advantage of this data trove is a capability that will make IT critical for business success.

New skills are definitely required in the future but I believe that future is already here for many CIO’s that already have these skills.  Are you one of them?

Disruption – Overcoming Cultural Hurdles takes Patience and Persistence

As innovation and disruption continue to be leading themes in business and technology, one component that’s essential for success is that change needs to be a part of your company’s DNA. If not, patience and persistence better be some of your core traits. Today’s CIO should always be focused on building better business value through innovation, but change is hard for many companies. As the CIO for a very successful 60 year old investment firm, just getting acceptance that change is needed is a hurdle at times. However, we all know nothing good comes easy, and with patience and persistence, disruption is possible anywhere. Don’t give up.

Although not every company moves as quickly as a start-up, it doesn’t mean your company won’t come around so keep your dose of patience handy. I’m seeing firsthand how the consumerization of IT is not only changing our users requirements and expectations, but it’s also changing executive attitudes. Disruption is all around us and times are changing for every industry. Don’t also expect true disruption to come easy. If you’re championing fundamental change, keep after it.

I’ve championed change since I started at our company in 2007 and I’m currently leading some disruptive projects, but just getting to this point wasn’t easy. We recently completed an extensive cloud ERP implementation that ripped out many of our legacy apps and drastically improved our core processes. After completing the implementation last fall, we reduced our application footprint 63% and our infrastructure needs 35%. We automated and digitized our major end-end processes. Additionally, we’re now truly set up to move to a zero footprint infrastructure by the end of this year. These are huge wins that have raised our firms’ disruption quotient significantly. We’re also now full steam ahead with new major changes, moving our whole document management foundation and key related processes to Box, while also integrating our processes to electronic signatures throughout our organization, both rarities in our industry. We’re a very complicated company structurally, with significant document centric processes driving our core processes, and these newer disruptive projects would not have gotten off the ground if it wasn’t for the push to strive forward despite delays, setbacks, and resistance to change.

How was this major feat accomplished? Our company was able to make such a tremendous transformation because the foundation was laid years before. We had successfully been using a cloud first strategy for over 5 years, so we were already focusing on critical business objectives instead of managing servers and infrastructure. Moving to a predominately cloud based environment had opened the eyes of many in the company on what was possible and the business value of such a move, but the full digital impact hadn’t been fully felt yet. There was, however, an appetite for a new way of doing things if it meant getting work done more effectively. One of our biggest hurdles in overcoming change was altering the culture of unyielding perfection in everything we did.

Moving your applications to a SaaS based environment does mean giving up on “nice to have’s”, at least initially. This clash is a good thing for many businesses though, as it forces a company to focus on what is truly core to their business. With customized, in house developed apps, there is always a tendency to accommodate and build every feature asked for. With our cloud ERP move, the focus was on ensuring that the core processes were accommodated and supported day 1. This new way of thinking was very transformational for us. The lesson learned here is to ensure that you’ve worked closely with the business in focusing on what’s core to success. Get to your change event as quickly as you can so you can begin learning from it.

To disrupt a company’s “change culture”, it will be important to get buy-in at the top. There can be small wins and some change without it, but true organizational disruption needs senior executive buy-in. If there isn’t an appetite for this at the top level, then there’s automatic cover for any senior executive who is resisting change. The result is too much headwind for a successful endeavor, so persistence in leading change is critical.

Building partnership and trust with the business is also needed here. This has always been a key critical competency for a CIO, but change requires it; you can’t go it alone. Once buy-in as been established, communication continues to be critical when going through change. Just because it was endorsed by the CEO doesn’t mean every manager or employee understands what is happening, or why. Old fears are hard to break and non-productive behaviors are hard to change. Ensure there is proper top-down communication early and often. Changing a company’s culture is hard, but nothing worthwhile is easy so don’t give up if you find yourself swimming upstream sometimes. Build the relationships, demonstrate the value, and keep after it.

Digital Disruption Comes to Life

I attended a great conference recently on digital business disruption that was put on by Ray Wang and the Constellation  Research Group.   After attending the annual Gartner Symposium last month, I was starting to feel that the terms digital business and digital disruption were getting over used and over hyped.  However, at Constellation’s Connected Enterprise conference, there were many great examples of disruption presented by a wide range of forward thinking business leaders.  These were people leading this disruption along with industry thought leaders.  Though Gartner’s view of a digital business as the “merging of the digital and physical worlds” is fine, it’s the real examples that are meaningful in understanding the disruption that is happening today.  It’s about using social, data, mobility and the cloud in driving change, leveraging these forces to interact with customers in new ways and improving how employees engage and work.  I believe it’s also about the consumerization of IT and the change being brought to enterprise IT.

My takeaways from the conference on digital disruption were:

  • 2015 will be a watershed year for the Internet of Things, with wearables making a true impact for the first time.
  • Old line businesses are really coming up with innovative and different ways of using digital technologies to open up new business channels, increase customer engagement, improve how companies interact with employees, and streamline the way they deal and operate with vendors and partners.
  • Thinking digital needs to be engrained in the company culture with a top-down push.  Projects can come up from the bottom, but the headwinds against real transformation can be strong without buy-in across the executive teams.
  • Every industry is being affected by digital disruption whether they are b-c or b-b companies.  There are many opportunities in every business for this to happen.
  • Those that don’t understand what’s happening and don’t reflect on how they need to change will be left behind and will lose to the competition.
  • Companies need to promote using digital in all aspects of their business to achieve the biggest gains.
  • To truly be digitally effective and disruptive, an organization has to value the use of technology in driving change.  As we’ve heard many times recently, every business is now a technology company.
  • Personalization and process change are just as important as a new business channel in the digital world.  It’s how you use mobile, the cloud and data, and how you interact with your customers and partners that are important.

Just a few of the digital disruption themes and examples presented were:

  • Using crowd-sourcing to build quick, low-cost apps in the federal government.  This was a great example of thinking digital and the government’s use of cloud to bring agility into the ecosystem of dysfunction is growing faster than you think.  There are many innovative technology leaders now involved, so you hope they can change how the government interacts with its citizens.
  • Using personalization to create the ATM of the future.  With mobile and digital the norm, banks continue to be hugely disrupted with they way customers want to interact, and personalization is very important to customer satisfaction.
  • Leveraging gamification in the restaurant business to help increase internal employee engagement and satisfaction, while reducing turnover.
  • A future of work discussion on how age is not the critical issue on how well  employees adopt digital business themes.  A person’s general digital proficiency and desire is key, while the company culture is also a very strong factor.
  • It was noted that 20% of the workforce is retiring in the next 10 years.  That has a big impact on the future of work and what work will be like in 10 years.  The change that’s happened over the last few years will only accelerate.
  • A data analytics example was a presentation on the historical trends in social mobility, and the realization that a deeper dive into the data of cause and effect can potentially help determine how to increase social mobility.  That’s an important issue affecting not just one business, but the whole country.  Another example was using data to predict how people might react to certain notifications, while potentially helping to automate the response.
  • Termed the “Notification Society”, the impact of mobility on our personal and work life continue to drive how we work and interact with each other.  There isn’t a business today that isn’t impacted either directly, or indirectly by the changing needs of the workforce.

A related topic that was heavily discussed, and one that is getting a lot of press these day, is the concept of the Chief Digital Officer.  A lot of chatter on whether there even should be a separate role, or should the digital role be called out within other leaders in Marketing or IT. In my view, the skills that a CDO needs may already be present in the current leadership team.  If digital means thinking about the customer, and looking to see how digital technologies can change the old physical way of doing things, then these skill sets should already be present in the CIO.  It’s still about focusing on the customer and increasing revenue, so these are things the CIO should already be doing. If not, then the CIO is more of an order taking, operational leader.

At my company, we are moving quickly away from the routine physical aspects of our business, using digital to engage more with our tenants, investors, partners, vendors and employees.  We’re trying new social media campaigns at different properties knowing that the trend in our industry is just beginning.

Every business has examples of how it’s being transformed by digital technologies with much more change to come.

Cloud’s Biggest Benefit is Agility and Adding Business Value

Between the recent IT conferences and some interesting twitter chats, I continue to hear discussions on the top cloud benefits.  Cost savings in particular has come up a few times.  But, is cost savings really a top cloud benefit?

Using the cloud is really about agility and adding business value. It allows IT organizations to focus their attention on doing things that help grow revenue, increase customer engagement, and open up new product channels. IT can spend less time managing commodity infrastructure and maintaining in-house developed code for non-core programs. They can leverage other resources in monitoring and security; resources that many SMB firms just don’t have access to.  That’s critical.

Getting to specifics, my top benefits that come from using the cloud are as follows:

  • Agility – Being nimble and agile should be the mantra of all IT organizations today.  Getting away from long and drawn out development efforts and implementations is expected today and critical for businesses who are fighting to develop market share and grow their company.  Being able to quickly respond to changing business needs is a must  and that’s what the cloud provides.  Firing up new infrastructure in minutes or securing a new, focused SaaS app are fantastic business enablers and exactly what every forward-looking CIO should be focused on.
  • Scalability – Acquisitions, mergers and high business growth trajectories are forcing IT organizations to quickly grow their capabilities and reach.  Typically, you don’t have a lot of time when a merger, acquisition, or some other critical event is upon you, so setting up a quality model for quickly scaling is essential.  Even with some time, the effort involved to scale adequately is time and resource intensive.  Again, this is exactly what the cloud offers.  Additional infrastructure is the obvious and easy scenario, but cloud apps that support business services are just as important.
  • Time to market – For companies bringing out new products or rushing to gain market share, IT has unique challenges in responding.  The cloud is made for this with the ability to quickly deploy new software, configurations or the infrastructure required to be first to market.  In industries that depend on this for their survival, the cloud is a business priority.   How long would it take to develop a new application for a new product line if you weren’t leveraging the cloud in some manner?  Platform as a Service products are great for this.
  • Access to broad and deep skill sets – Particularly for SMB’s, the cloud provides unheard of access to a trove of smart and focused people who have skills that are hard and expensive to source and access on your own.  I like to use security as a good example of this benefit.  Many say the cloud is less secure than on-prem infrastructure, but I argue the opposite.  Just because you wrote it or have it in your own data-center doesn’t mean you’re doing a better job than a cloud vendor.  While it’s sure not a guarantee that a cloud company will do a better job, they typically have a much larger staff with a better focus on security than you do.  Their business depends on it and they have the resources to quickly respond to ever-changing threats.  What’s required for a CIO is to understand these differences, do the right due diligence on a new cloud vendor, and maintain an ongoing relationship with the vendor to ensure you know how they’re managing security.  It’s not something you look at once and forget, but managing vendors becomes a critical competency.  It’s still easier and more efficient than managing and finding (and keeping) a team of developers and ops guys who really know security.
  • Access to quality, pre-developed software – Developing software programs that address very little core, company specific business processes are a big mis-management of internal resources.  There are an amazing number of high quality applications that are already developed that address most of your business needs, and the number and quality is growing daily.  This isn’t just for commodity applications like email, but there are a lot of industry specific SaaS vendors that provide applications that no IT organization can match.  The platforms available are worth it alone.   A cloud product is also constantly growing with critical features and they’re more in-tune with new software designs and usability trends than you can be.  As cloud vendors continuously update their products, you’re immediately getting access to these new features and capabilities.
  • Speed of upgrades – This is one of my personal favorites.  It’s not always seamless for some of the less mature or new SaaS vendors, but the speed of upgrades and the reduced requirements on internal organizational resources is transformational in my mind.  I have seen plenty of organizations spend a countless amount of time and energy in analyzing, testing, and deploying upgrades to large on-prem applications.  The effort spent on these upgrades are a tremendous drain and they take the focus away from helping grow revenue or providing top notch customer service.

Notice that “cost” is not on my above list?  I’m not saying that long term, the cloud can’t be cheaper, or that it enables you to spend money in a different and more efficient manner (Operational vs. Capital), but those benefits don’t make my top 6.  In fact, the cloud can be more expensive on a pure license perspective in the long run, but there is a lot more to this equation than licenses.  Reductions in your ongoing IT resource needs and the savings I mentioned earlier on organizational resources, all go to the bottom line and are savings over time.  I just don’t focus on that as agility and business value is what I’m concentrating on.

The CIO Golden Rule – Talking in the Language of the Business

There have been many articles lately about different types of CIO’s, particularly one by IBM about CIO’s being split into two classes of leaders; strategic and operational.  The topic also continues to be front and center in many CIO conversations and conferences.  It’s a topic that I believe is very important, particularly as I continue to observe many examples of people who still don’t understand what the CIO’s real role is: a strategic business leader who focuses primarily on adding business value; whether it’s increased revenue, higher customer satisfaction, new business opportunities, or increased customer retention. To make this happen, a CIO really needs to always be talking the language of the business.  Conversations with other executives and business users need to focus on what they’re facing every day in their jobs. Talking to them in business terms is absolutely critical and one I call the CIO golden rule.

The relationships a CIO builds with the C-suite is critical to success and the conversations you have with them is a big factor towards building successful relationships.  Therefore, the conversations need to center on what you can do for the other business leaders, in their business terms.  How can you help them achieve their goals? What business problems are they facing, and how can you help them fix these problems?  These discussions should be completely about the business problem, not the technology.  Using technology acronyms or talking about the latest technology fad is a path to failure.

Additionally, by ensuring the technology projects have a direct business goal attached to them, the conversations about these projects will naturally center around a business context that will have meaning to the business executives and users. They will understand it and have a better appreciation for what IT is doing and the value you bring to the company.

I heard one technology executive talk recently about how she couldn’t get the CEO to understand why they need an Enterprise Service Bus. Hearing her say this sent shudders down my spine as that’s the type of conversation I would never have with a senior executive, let alone a CEO.  If your conversation is about a need, the business outcome should be front and center.  Not the technology.

To ensure you are always talking in the language of your business, it helps to do the following:

  1. Understand your business just as well as the other business leaders– As I’ve told others many times, my goal is to understand our business as well as, if not better, than the other senior executives.  This is critical.
  2. Know what the drivers are for long-term revenue – You know your business, but do you really know what drives revenue?  What are the levers that you can help move to increase revenue? Where will the company be in 1-2 years time, and what can you do to help get them there?
  3. Understand your customers – What do your customers want and what drives them to do business with you?  You can’t help increase revenue or improve customer satisfaction without really understanding your customer.  Better yet, go visit them.
  4. Know your employee base – Your internal customers are critical.  What hurdles are they facing in doing their job?  How can the applications they use be easy to use and intuitive?

The mission to speak the language of the business shouldn’t stop with you.  Getting your team to do the same is just as important.  As a leader, your team follows your examples and listens to your words.  I always hold periodic department meetings where I invite business leaders to speak about their specific area.  My staff gets excited by this and often come back to me for additional questions, so it’s an ongoing dialogue that is important to maintain.

To expand your team’s business knowledge, have them go through training conducted by the business groups.  New employees should attend training classes devoted to new business users.  Rotate them through short stints in the field if possible.  The goal here is not just understanding what the business does, but learning the language as soon as possible.

If your company is periodically mentioned in the press, make sure your employees see those clips and have the opportunity to ask questions. Highlighting press about the company and taking the time to talk to them in the hallway about these items is another reinforcement opportunity.

Everything above is done to ensure your teams don’t just feel a part of the business, but that they truly understand it and can talk in business terms.  It will make you, your team, and your company more successful.

10 Considerations for Your Cloud Contracts – CIO View

Having signed two more cloud contracts this month, it feels like a good time to share what I consider to be my top 10 considerations in negotiating a cloud vendor contract. As I was writing this, I had a hard time culling the list down to just 10. I’ve learned a lot over the years and have scars to prove it. There will be different views on this depending on whether you’re talking about SaaS, IaaS or one of the other horizontals in the space (PaaS, DRaaS,..), , but these 10 are generally applicable. So, here it goes:

1. Limit price increases – There is a lot of debate on whether or not moving to the cloud is actually cheaper than on-prem applications, and my answer is that “it depends”. There are many factors that must be considered (personnel time, upgrades, etc..), but license cost is a big one. What is a fact though, is that the longer the time horizon, the more expensive the cloud alternative can become. You’re paying a constant expense stream which can blow-up any ROI analysis over time. Other than negotiating the lowest initial price you can get, the best way to limit the cost over time is to reduce the pace and amount of future price increases. There are a few ways to approach this; the first being to go for as long a stretch as possible before the first and subsequent price increases. Most vendors will give you price breaks for longer contract terms. You might think this a risky approach as you’re committing yourself to a longer contract, but I’m assuming you’ve done your due diligence and are confident you’ve picked the right vendor. Even if things don’t work out as planned, which you absolutely need to consider, you’ll not likely be in a position to actually move off completely for 2-3 years. If negotiated right, the price increases will be tied to the contract length. The second part of this is to then ensure that each increase is as low as possible. I once negotiated a 0% first anniversary increase on a 3 year contract, basically holding my per user price flat for 6 years. I also negotiated a 5 year term with a 30 day out clause. No increase for 5 years and I can leave at any time. So my long-term contract risk is……..nothing. Try it; you never know what you can get.

2. Access to Data, Integrations and SSO – Some vendors are charging different prices depending on the availability of integration connectors or API’s, while others don’t charge extra for this capability. Even if you’re not starting out with a lot of integrations on day 1, you have to be prepared for the high likelihood of needing to get data in or out early on. Even SSO connections can sometimes cost extra to set up, or not be supported at all. If your cloud vendor is relatively new and doesn’t have published SSO connectors, make sure you include this capability in the contract at no charge. It’s in the vendor’s best interest to get this done and will help them in future contracts, so there is no reason for them not to include this. Integration and connectors are key for most successful cloud implementations, and a must for many, so it is frustrating that some vendors are charging extra for these. I get the tiered, a la carte approach that helps with revenue, but I think this is one area to focus on in your contract negotiations.

3. Flexibility on your license growth – On the software and platform side, the number of users will be a key factor in the ongoing cost. Having a good understanding upfront of your one and three-year growth scenarios will help you lock in lower prices on future growth. If you’ve hit a wall on the initial price, negotiating favorable discount tiers can help in the long run. The focus should be on having a low ceiling on your initial tier.

4. Exit strategy for data and access to data if the vendor fails – One difference in having your data in the cloud is the amount of control you have over it. So what happens if the vendor does go bankrupt? What if you do decide to move off to a competitor? A vendor failing isn’t a big concern for many of the top-tier providers, but it is something you need to think through and account for. I’m lumping this into your exit strategy for getting data out as it’s a similar issue. You need to understand how you’ll get access to the data and what your options are for getting copies. Ensure that you have some time to get your data out after your contract ends, in addition to language that ensures assistance from the vendor. Once you implement and once you get data integration up and settled, you’re already a step ahead in this process.

5. Development/Sandbox environments – If you’ll be making configuration changes to your SaaS app, or rolling out new apps or pages under a platform model, it’s important to understand the availability of sandbox or dev environments. The need is really no different than on-prem apps, but the type, freshness, availability and size of the data available are important, and can vary or be an extra price. Some vendors will apply this increase to all your licenses, so pay close attention to this and push hard to get as much included for free as possible.

6. Security – This is a very broad topic, so I’ll narrow it down to encryption and masking. Is data encrypted at rest? Is confidential data masked to those who don’t have proper access? For products that rely heavily on built-in uploading/downloading (storage and synch solutions), is the data encrypted during transmission? These are key considerations in comparing vendors, and you’ll find a wide variety of options available. Don’t assume that the biggest vendors are the most secure or encrypt your data at rest. It’s not as common as you would think. Data masking is also important for internal controls to ensure PII or confidential data is not visible. Not every vendor has this capability as standard.

7. Data Center Location – If you’re a U.S company doing business solely in the U.S., then your data center location will likely be in a region close to where you do business, if you’re dealing with one of the larger SaaS providers. For some of the smaller ones, you may not have much choice in the matter. For SaaS products, I have generally found the location to be not much of an issue within the U.S. It becomes much more complicated if you’re a non-US company or you do business or have offices in other countries as two issues then arise. First, latency in accessing your data becomes something you need to worry about so ensure you understand where your key users are for the app in question, in relation to where the vendor has its data centers. The second issue is around data residency and the various legal restrictions on where your data can be stored. This has always been something to consider, especially in the EU. However, the U.S. government data snooping scandal has changed the dialogue on this and made it a critical item to consider and deal with. It’s a topic that deserves its own write-up, so I won’t dive into the specifics here, but it needs to be on your consideration list.

8. Disaster Recovery Capabilities – Having applications in the cloud means you don’t need to deal with backups and disaster recovery yourself, but it doesn’t mean you don’t need to worry about it. Understanding your vendor’s approach and processes is important. Do they backup to facilities in other geographic locations? How long do they keep backups for? What are their RPO and RTO’s? Don’t ignore this just because you won’t be managing it on a daily basis.

9. SLA’s and Support – Up-time or issue resolution SLA’s are very important, but don’t expect a lot of flexibility in this area. The larger the company, the less likely you’ll get any movement. The top-tier vendors typically exceed their SLA’s but most will not budge from relatively low up-time percentages in the contract. Issue resolution response times vary widely, with many charging extra for quicker response. As a consumer of the service, I hate that model. They want to tell me my default is 2 business days for support unless I pay more. Really?

10. Storage and growth – The amount of storage is becoming a much smaller issue than it used to be, but it’s something you still need to understand and account for. If storage is a key part of the product, then you’ll likely be getting 1TB, or an “unlimited” amount of storage per user. However, some vendors still charge for storage. As with the growth of license counts, you need to understand your initial and future requirements so your future storage needs are accounted for up front. You’ll never have the same leverage as you do in the initial contract negotiations, so go overboard on growth requirements up front to be safe.

These are just some of the key items to consider. I know you’ll have others you feel strongly about, so feel free to chime in here or on twitter.