Few things in the world have changed more dramatically over the past 10 years than technology. But many tech leaders are still playing by old, outdated rules.
Gone are the days when IT gave orders that everyone in the enterprise was compelled to follow. But equally absent are the days when IT itself was strictly an order taker, simply trying to fulfill the demands of business executives.
The increasing pace of change means enterprises no longer have the luxury to take months (or years) to roll out big, expensive IT projects; continuous delivery and constant iteration are the new laws of the land. Nor can organizations choose between innovation or security — they need both. That puts more pressure on CIOs to deliver new initiatives in a safe and compliant way.
Today, IT leaders are helping business users pick the best of breed from an ever growing catalog of tools and services, while guiding the organization through its technology transformation. As enterprises become more dependent on data to drive decisions, tech leaders have more power and greater responsibility than ever before.
The old rules IT used to swear by are no longer relevant. Here’s what has replaced them.
Old rule: IT makes the rules (and tries to enforce them)
New rule: Users make the rules (and IT tries to keep them out of trouble)
Establishing policies, enforcing standards, whitelisting applications, and making sure everything with a flashing LED is locked down good and tight.
Remember the good old days?
Today users make the rules. Your job is to gently guide them in the right direction, to make sure they don’t stick forks in light sockets or get gum in their hair.
“The role of the CIO has shifted from enforcer to curator,” says Jonathan Stone, CTO/COO at Kelser, a tech consultancy.
Five years ago, tech leaders decided what applications the business would support and who had access to them. Now they are constantly evaluating how new technologies could benefit the business, and guiding users toward the best solutions.
“The whole team still has to be on the same page, and the CIO still decides what page that is,” says Stone. “But you no longer see them make sweeping decisions such as, ‘We don’t do anything based in the cloud.’”
Old rule: Keep the lights on
New rule: Keep the data flowing
The old day-to-day chores of IT — administering access rights, managing data quality, and generating reports — are now typically handled by business teams with little to no IT oversight, says Mark Settle, CIO of enterprise identity provider Okta. Today it’s all about the data.
“IT’s primary responsibilities have become increasingly focused on integrating data across multiple applications, managing master data at an enterprise level and enforcing cybersecurity safeguards,” says Settle. “IT makes businesses more competitive by automating processes, democratizing data, and reducing user friction.”
Of course, everybody has data; it’s how you use that data that can make or break a company. And CIOs are uniquely positioned to understand data and how to take advantage of it, says Ari Lightman, a professor of digital media and marketing for Carnegie Mellon University’s Heinz College.
“The data you use to create new service or product offerings is becoming more critical to a variety of folks across an organization,” he says. “CIOs have a very intimate knowledge of what data the organization collects, how they retain it, and how they offer it to different groups. The special sauce is how you communicate the actions the organization needs to take based on what the data is telling you.”
Old rule: Don’t release it until it’s ready
New rule: Iterate until you get it right
In the past, technology projects notoriously dragged on for months or years before being put into production. The new agile world is all about continuous delivery and iteration.
“IT used to be, ‘Oh it has to be done perfectly,'” says Heather A. Smith, a senior research associate for the Society of Information Management and co-author of Driving IT Innovation: A Roadmap for CIOs to Reinvent the Future. “Now they’re saying, ‘We’ll work with you until we get it right.’ I can’t tell you how many times I’ve heard business people say, ‘IT put this system in and just walked away, but it’s only got about 50 percent of what we need.’ Now IT is getting that they’re going to have to work to deliver this value.”
As CIOs partner with CEOs to foster a culture of innovation and transformation, IT must change the way it works, notes David Rosen, digital transformation technologist for Tibco Software.
“CIOs must promote a culture where a focus on perfection is replaced by greater emphasis on speed and the willingness to take risks and fail fast,” he says.
Old rule: Protect the perimeter
New rule: Trust no one
The explosion of cloud-based services, the widespread acceptance of BYOD and remote access, and the emergence of IoT devices have completely changed the security model for enterprises, says Hed Kovetz, CEO of multi-factor authentication firm Silverfort.
“We cannot rely on perimeter security controls to block the bad guys out of our environments,” he says. “We can no longer assume insiders can be trusted. We can’t trust anyone.”
With threats growing exponentially and major data breaches happening almost daily, enterprises can no longer treat employees and other insiders as innocent until proven guilty, says Kovetz. In a zero trust network, anyone trying to gain access to network resources must be authenticated and authorized, no matter what their position in the organization.
“In the past, when networks had clear perimeters that could be contained and controlled, network security was owned by the CISO,” says Kovetz. “But thanks to changes wrought by trends like cloud migration, BYOD, and IoT, CIOs need to become more involved in network security than ever before.”
Old rule: Lock down every device
New rule: Keep your users happy
Work no longer just happens at the office between the hours of 9 and 5. Employees are working on their own time, in their own spaces, and often on their own devices. That means IT can no longer realistically expect to control what’s on everyone’s home laptop or smartphone, says Avani Desai, president of Schellman & Co., an independent security and privacy compliance assessor.
By 2020, half of all U.S. employees will be working remotely. Even in highly regulated industries like finance or healthcare, locking out social media or limiting the apps that can live on user devices isn’t going to fly. And if you try, you risk losing your most talented employees to an organization with more flexible policies, says Desai.
More than ever, IT must balance the compliance and security needs of the organization with the wants and desires of end users. In other words, modern CIOs need to be as good at HR as they are at information security.
“The first thing the CIO needs to do is sit down with business leaders and ask, ‘What are we doing to meet our users’ needs? Are we using something they can’t use at home?'” says Desai. “That opens doors to conversations CIOs may not have been a part of in the past. Then they can suggest ways to mitigate the risks of data going out or coming in.”
Old rule: Pick one partner, stick with them for life
New rule: Play the field, keep your options open
Once upon a time, CIOs simplified their portfolios by committing to one major vendor to supply most of their technology. But delivery failures, onerous licensing fees, inflexibility, and vendor lock-in soured many of those relationships.
These days, enterprises can do much better by playing the field, seeking out more agile tech partners who can satisfy their needs without protracted contract re-negotiations or penalties, says Mike Meikle, CEO of secureHIM, a healthcare security consultancy.
“It’s all about cost savings and flexibility,” says Meikle. “Enterprises now want best of breed ‘vendor partners’ whose SLAs are more flexible, allowing them to respond more nimbly to a fast changing marketplace.”
Still, flexibility and freedom come at a cost.
“More vendors and solutions means more complexity,” he adds. “And many enterprises make the mistake of thinking that using third-party providers or SaaS will allow them to reduce headcount, so they end up losing valuable institutional knowledge.”
Successfully juggling multiple service providers also requires having a vendor management program in place to ensure that SLAs are met and contracts upheld.
“Having a mature governance program will also go a long way toward keeping C-suite expectations in line with reality,” he adds.
Old rule: Try to avoid software vendor lock-in
New rule: Try to avoid cloud vendor lock-in
Sometimes, the more things change in IT, the more they stay the same.
Many enterprises, once trapped by technology partners who made it as difficult as possible to migrate to a new platform, have moved to cloud providers who make it equally difficult to leave.
“Amazon, Google, and Microsoft are doing their best to lock you 100 percent into their environments,” says Dave Friend, CEO of cloud storage provider Wasabi. “They have these nasty egress charges, so that any time you want to take your data out of their environment you’ve got to pay. They lock you in with proprietary protocols and pricing schemes that penalize you for trying to talk outside their walled gardens.”
But just as many monolithic software vendors have been forced by disruptive competitors to become more flexible, cloud giants are being challenged by startups that will eventually force them to tear down those walls.
“There are dozens of companies innovating in all the major areas Amazon is serving,” says Friend. “If I’m a developer building some little prototype application, it’s fine to use one of these closed wall products like Amazon’s because you have everything under one roof. But if I’m going to production and spending millions of dollars a year, I’d take a hard look at building it mostly outside of Amazon, because it’s not hard to do these days and there are lots of people doing it.”
Old rule: If it ain’t broke, don’t fix it
New rule: If it ain’t broke, break it
A decade ago, IT’s job was to keep availability high and costs low, to minimize outages and avoid breaches. Today, CIO really stands for Chief Innovation Officer. Moving fast and breaking things is the new mandate.
“CIOs are now responsible for product and service innovations that grow revenues, increase loyalty, and take out the competition,” says Bhanu Singh, vice president of product development and cloud operations at OpsRamp, an AI-based operations management platform. “Above all they must encourage calculated risk taking, especially around technology and disruptive ecosystems, to keep the business and organization one step ahead of competitors.”
All companies should be rethinking their processes on a continuous basis, says CMU’s Lightman. Large, risk-averse corporations should be looking to IT to assess the challenges of innovation and how to manage them.
“There might be a lot of disruption within the marketplace telling companies that they need to take on more risk than they might be comfortable with,” he says. “IT leadership can help by assessing and understanding all the risks and how to mitigate them. The CIO and the IT group are incredibly well equipped to do innovation and ideation, because they’re looking at data constantly.”
Old rule: The CIO’s place is in the data center
New rule: The CIO’s place is in the boardroom
For years, CIOs were relegated to the dusty warrens of the server room, where their job was to keep the lights on and the servers humming. The age of digital transformation has changed that forever.
“In an era where the average company spends more of its capital budget on IT than on any other category, and where the company is out of business if the technology isn’t working, IT needs to be on the executive team,” says Oli Thordarson, CEO of IT services provider Alvaka Networks. “A true CIO should be sitting in executive management meetings and reporting to the CEO.”
For many enterprises the transition has been slow and steady. According to a 2017 report by Windstream and Forrester Research, 36 percent of business leaders consider IT a strategic partner within the C-suite. About a third of enterprises say IT is in the process of transforming into a key innovation leader, while the rest still treat technology staff primarily as order takers.
But if tech leaders want to be taken seriously at a strategic level, they need to speak the language of business, adds Thordarson. CIOs won’t persuade anyone to make capital investments in new technology by talking about speeds and feeds; they need to demonstrate how much time or money the technology will save, or how it will enable the business to offer additional services and expand into new markets.
“When CIOs communicate in that fashion with executive management they become valued assets, not an untrusted expense,” he says.