IT’s Third Epoch…and Running IT at Google

If there’s anyone who understands the impact of consumer technology on the enterprise, it’s Google CIO Douglas Merrill. He believes we’re not only entering a new business epoch; it’s one in which IT leaders with real technical skills will be more in demand than ever.

Merrill doesn’t look like the standard model information executive. If you were to walk into a CIO gathering and find Merrill there, you might take him for a hip entrepreneur or a musician come to perform. He has earrings. More than a few. And long, unruly hair. He wears bright tee shirts and jeans.

You also wouldn’t think CIO if you were introduced to Merrill through his CV. His degrees are in social and political organization (undergrad) and psychology (masters and doctorate from Princeton). He’s worked as an information scientist for the RAND Corporation (leveraging his training in cognitive and social science); he led a security practice at Pricewaterhouse; and at Charles Schwab, in addition to the more traditional IT responsibilities of information security and infrastructure, he was responsible for HR strategy and operations. He’s credited with engineering Google’s 2004 IPO.

But when you talk to Merrill about technology and its role in business and life, when you start to understand the way he thinks, after a while you start to think, well, that’s exactly the way a CIO in 2007 should think.

Merrill views technology primarily as a tool to enhance peoples’ creativity and productivity, and one that can help them solve their problems. His guiding principle in IT management is “choice not control.” Despite having grown up professionally in the era of highly structured enterprise systems, he runs a highly reliable and secure enterprise on a pretty unstructured, heterogeneous, much more organic model.

Four years ago, Merrill joined Google as senior director of information systems, responsible for internal engineering and worldwide support. CIO Editor in Chief Abbie Lundberg recently spoke with him on the Google campus about current trends in information technology and the impact they are having on the way organizations think about and manage IT.

CIO: How is your approach to running IT at Google different from the traditional model?

Douglas Merrill: Some of the side effects of the era we grew up in, when enterprise technology was highly siloed, highly focused on heavy business process design (“You vill do vat this software tells you”), that model of the world yielded incredible economic returns. The downside was you had to be relatively controlling as a CIO. [You told people,] “You’re going to use this kind of infrastructure; you’re going to use these kinds of servers; the end points are going to look like this.”

Then we applied that thinking to security threats and we said the best way to manage security is to have everything look the same—and hey, look, it also has this other side effect: It tends to have lower costs; you get this really nice cycle yielding perfect uniformity.

But if you look at natural organisms, few develop naturally to complete uniformity. Very few birds look the same. The consumerization trend exposes the organization to additional diversity—diversity of the end point.

We’ve changed the way we think about IT here. We don’t have to drive for uniformity. Our systems, which basically are consumer systems, have to run on the end points. The side effect of that is I can let a particular employee work on a Mac because it makes him 10 percent more productive. That productivity advantage outweighs the minor cost advantage I get from uniformity.

Google information systems believes in choice, not control. The goal of choice is to let your talent express their talent in the most effective way they can.

Many years of team dynamics studies show that diverse teams tend to do more complete searches of the problem space and yield better, more creative answers. It seems strange to recognize that you need diversity of talent to solve these problems, then try to force that diversity into a funnel of uniformity.

CIO: What impact are consumer applications having on the enterprise?

Merrill: The most interesting developments in IT are being done in consumer applications, not business applications. The best engineers are going there. And consumer requirements are so high now in terms of stability, quality and reliability, that consumer applications are just as good as most business applications. In fact, sometimes better. Google’s uptime is many, many, many nines, and we’re a consumer application. Most of the manufacturing and trading applications I’ve been associated with in my career have a lower uptime than Google.com. So something has changed. This idea that consumer requirements are the equal of business requirements changes the way that we CIOs consume and build software for the future. The benefit (if I can figure out a way to use it) is that there’s lots of great consumer software lying around. All the reasons I couldn’t use it before no longer apply.

So what’s the problem?

Merrill: The consumerization of IT changes the way people like me do our jobs in many ways. Suddenly, all the rules have changed. Software developers don’t exactly know who to listen to; CIOs don’t exactly know who to buy from, and VCs and board members don’t exactly understand how to value the companies we’re getting involved with. Everything’s in flux. If your job is to limit risk, that’s a horrible world to live in because it’s all risky. Of course, there’s risk in a good sense, because without risk there can be no return. The problem is, I don’t know how to model it. We understand the monetization models used by enterprise software; we don’t yet understand the models for this.

There’s this interesting inflection point going on. It’s very difficult for classic CIOs and classic IT organizations to understand how to respond in the best way to this consumerization of IT. Something might be good for their employees but bad for their cost structure. It might be great for their cost structure but bad for their risk management structure. It might be really good to get good engineers but very hard to find ways to do certifications or provide traditional controls. The world looks very different across a variety of fields that view what they do as risk management.

How will this change IT and business leadership?

Merrill: During the next 10 to 15 years, you’ll find increased technical focus at the tops of IT organizations and at the tops of companies, because the nature of risk management is changing from clean cost-flow across technology to clean talent-flow into technology, which is a very different thing to manage.

In the first [mainframe-based] wave of IT, the technology person reported to the CFO; the CFO probably didn’t have e-mail; [managing IT] was purely a numbers exercise. In the second wave of enterprise software, the CIO probably came up through the tech function, increasingly reported to the CEO, and most of the C-suite folks had e-mail. Networks tended to be closed; business relationships were not usually technically facilitated. Fundamentally, if you will, companies had really big fences around their technology and nobody went through the fence except at Checkpoint Charlie and everybody had guns and it sort of felt like East Berlin—very scary. That’s the tech world we grew up in.Increasingly, part of these interesting consumer apps are these strange melanges or mash-ups of lots of services provided by lots of different organizations. Suddenly it isn’t clear where your business starts and another business ends, and so that affects your contracting functions, and that affects your finance functions, and that affects your legal and risk management functions. So the technical relationships between organizations are embodied in the product. Consequently, I think you’ll see a much higher degree of technical focus in the CIO and a higher understanding of technology in business across the C-suite.

The distinction we’ve all grown up with and that we’re all so comfortable with—that there’s technology and there’s business—that distinction is going to vanish. That’s very scary. For those of us in the business now, how do we build our skills to get ready for that?

As a CIO, is there one consumer app that you’d ban?

Merrill: Wow. I’m sure the answer to that must be yes, but off the top of my head I just can’t think of any. We really believe in choice, not control, so the number of things employees can’t do is pretty small. And then the infrastructure is pretty smart and pretty self-healing. Our machines come already imaged with security controls. People can install their own software if they want to. We have lots of remote access options, and we assume people will work from cafés and other things, so we do lots to make that possible. We have a whole suite of different kinds of communication methodologies that people use. For example, in the office next to me today is one of our directors from London. He has a young son he misses intensely. Just a few minutes ago, he made a quick voice-over IP call to his wife with a video screen using a freeware product on his computer.

And you’re OK with that?

Merrill: Yes! Because it got him what he needed—a family connection. It didn’t expose me to security risk. It’s not a licensing issue—we take care of licensing issues and things like that through a variety of mechanisms. It recharged him. I think that’s more than worth it.

How dependent is all this on getting the security piece right?

Merrill: It’s very big. My ability to do choice not control is profoundly affected by some of the changes in the security model. Until very recently, the average security model was, “thou shalt not talk to anyone,” so your machines are wired, you can’t carry them anywhere, you can’t access your stuff from home or cafés, the end points are very tightly locked down; if you want to install a piece of software, you have to ask someone else to do it for you—all because our only way of providing really rich security was to protect the end point at all costs. The problem was that all this didn’t actually protect us. Over time we figured out that the only way to get really ubiquitous protection is to protect the infrastructure itself. It’s a bit like the human body: the skin is a really important part of preventing infection but the skin’s not impervious so you have a bunch of other mechanisms to try to provide defense in depth. I get to provide choice, not control, for my users because I have a very big focus on defense at depth—lots and lots of different things in the infrastructure and the applications that protect themselves.

Your background isn’t the traditional one for an IT leader. How do you think that’s shaped the ways you think about and manage IT?

Merrill: I have a PhD in psychology and undergraduate degrees in economics and sociology. I think less about technology than I do about problems. My psychology was a study of cognition—how humans make decisions. My interest was figuring that out and then building technological models that would help them make better decisions. I always start thinking about problems and people and go from there to the tool. I don’t start by thinking about tools and coming back to problems and people.

What excites you about the future?

Merrill: There are so many cool things out there. I really love some of the interesting mash-ups. We’re in this interesting world of content aggregation. I’m so excited about this innovation space.

Imagine that people could ask questions of the world around them and get back answers that don’t entirely match their perspective. How terrific would it be if it were possible for all of us to read what the Arabic newspapers were saying about our operations in the Middle East. How good would it be for the world if the democratization of information got to the place where consumers could see their own perspectives, the perspectives of those they trust and the perspectives of people who disagree with them all together and compare them.

What’s the greatest limitation for CIOs today?

Merrill: To steal a quote from Eric Schmidt, “Never bet against Moore’s Law.” There have been so many times in my career when I’ve thought, “That tool would be really cool,” or, “If I could find a way to help do X, that would be really neat,” but [then I think] it’s too hard computationally, we don’t have enough storage, we’ll never get the bandwidth. There were always a thousand reasons why it wouldn’t work. But those reasons are rarely right. I think it’s very important for us as technologists, as we step into this new era where we are really leading the business, to throw off the shackles of today’s perspective and build the world that we want to live in. A world where copyright law protects content owners and gives them the right to get money for their content—and also allows people to easily find and absorb that content. A world in which you can ask questions not just in English but in any language you want. A world in which you can explore an incredible amount of data without having to be a data visualization expert or a mathematician or John Tukey. Wouldn’t it be great for us as we’re driving the next however-many-years of business, to recognize that Moore’s Law will make many things possible? And the only real question is, which things do we want to have happen?